# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Mar 3 2020 14:14:30 # Log Creation Date: 13.03.2020 19:52:53.503 Process: id = "1" image_name = "1.exe" filename = "c:\\users\\fd1hvy\\desktop\\1.exe" page_root = "0x18210000" os_pid = "0x11f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x560" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\1.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x11f4 [0045.617] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0045.618] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x2680000 [0045.625] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0045.625] GetProcAddress (hModule=0x772d0000, lpProcName="FlsAlloc") returned 0x772e4ae0 [0045.625] GetProcAddress (hModule=0x772d0000, lpProcName="FlsGetValue") returned 0x772e4b20 [0045.625] GetProcAddress (hModule=0x772d0000, lpProcName="FlsSetValue") returned 0x772e4b40 [0045.626] GetProcAddress (hModule=0x772d0000, lpProcName="FlsFree") returned 0x772e4b00 [0045.627] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x214) returned 0x26805a8 [0045.627] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0045.627] GetCurrentThreadId () returned 0x11f4 [0045.627] GetStartupInfoW (in: lpStartupInfo=0x8ffdb4 | out: lpStartupInfo=0x8ffdb4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\FD1HVy\\Desktop\\1.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x401, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x10001, hStdError=0x0)) [0045.627] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x800) returned 0x26807c8 [0045.627] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0045.627] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0045.627] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0045.627] SetHandleCount (uNumber=0x20) returned 0x20 [0045.627] GetCommandLineA () returned="\"C:\\Users\\FD1HVy\\Desktop\\1.exe\" " [0045.627] GetEnvironmentStringsW () returned 0xbdc858* [0045.628] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1381 [0045.628] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x565) returned 0x2680fd0 [0045.628] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1381, lpMultiByteStr=0x2680fd0, cbMultiByte=1381, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1381 [0045.628] FreeEnvironmentStringsW (penv=0xbdc858) returned 1 [0045.628] GetLastError () returned 0xcb [0045.628] SetLastError (dwErrCode=0xcb) [0045.628] GetLastError () returned 0xcb [0045.628] SetLastError (dwErrCode=0xcb) [0045.628] GetLastError () returned 0xcb [0045.628] SetLastError (dwErrCode=0xcb) [0045.628] GetACP () returned 0x4e4 [0045.628] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x220) returned 0x2681540 [0045.628] GetLastError () returned 0xcb [0045.628] SetLastError (dwErrCode=0xcb) [0045.628] IsValidCodePage (CodePage=0x4e4) returned 1 [0045.628] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x8ffd7c | out: lpCPInfo=0x8ffd7c) returned 1 [0045.628] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x8ff848 | out: lpCPInfo=0x8ff848) returned 1 [0045.628] GetLastError () returned 0xcb [0045.628] SetLastError (dwErrCode=0xcb) [0045.628] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x8ffc5c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0045.628] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x8ffc5c, cbMultiByte=256, lpWideCharStr=0x8ff5c8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ矰ĊĀ") returned 256 [0045.629] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ矰ĊĀ", cchSrc=256, lpCharType=0x8ff85c | out: lpCharType=0x8ff85c) returned 1 [0045.629] GetLastError () returned 0xcb [0045.629] SetLastError (dwErrCode=0xcb) [0045.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x8ffc5c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0045.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x8ffc5c, cbMultiByte=256, lpWideCharStr=0x8ff598, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0045.629] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0045.629] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x8ff388, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0045.629] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x8ffb5c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿcM§ÿ\x94ý\x8f", lpUsedDefaultChar=0x0) returned 256 [0045.629] GetLastError () returned 0xcb [0045.629] SetLastError (dwErrCode=0xcb) [0045.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x8ffc5c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0045.629] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x8ffc5c, cbMultiByte=256, lpWideCharStr=0x8ff5b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0045.629] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0045.629] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x8ff3a8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0045.629] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x8ffa5c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿcM§ÿ\x94ý\x8f", lpUsedDefaultChar=0x0) returned 256 [0045.629] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x10af650, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x1d [0045.629] GetLastError () returned 0x0 [0045.629] SetLastError (dwErrCode=0x0) [0045.629] GetLastError () returned 0x0 [0045.629] SetLastError (dwErrCode=0x0) [0045.629] GetLastError () returned 0x0 [0045.629] SetLastError (dwErrCode=0x0) [0045.630] GetLastError () returned 0x0 [0045.630] SetLastError (dwErrCode=0x0) [0045.630] GetLastError () returned 0x0 [0045.630] SetLastError (dwErrCode=0x0) [0045.630] GetLastError () returned 0x0 [0045.630] SetLastError (dwErrCode=0x0) [0045.630] GetLastError () returned 0x0 [0045.630] SetLastError (dwErrCode=0x0) [0045.630] GetLastError () returned 0x0 [0045.630] SetLastError (dwErrCode=0x0) [0045.630] GetLastError () returned 0x0 [0045.630] SetLastError (dwErrCode=0x0) [0045.630] GetLastError () returned 0x0 [0045.630] SetLastError (dwErrCode=0x0) [0045.630] GetLastError () returned 0x0 [0045.630] SetLastError (dwErrCode=0x0) [0045.630] GetLastError () returned 0x0 [0045.630] SetLastError (dwErrCode=0x0) [0045.630] GetLastError () returned 0x0 [0045.630] SetLastError (dwErrCode=0x0) [0045.630] GetLastError () returned 0x0 [0045.630] SetLastError (dwErrCode=0x0) [0045.630] GetLastError () returned 0x0 [0045.631] SetLastError (dwErrCode=0x0) [0045.631] GetLastError () returned 0x0 [0045.631] SetLastError (dwErrCode=0x0) [0045.631] GetLastError () returned 0x0 [0045.631] SetLastError (dwErrCode=0x0) [0045.631] GetLastError () returned 0x0 [0045.631] SetLastError (dwErrCode=0x0) [0045.631] GetLastError () returned 0x0 [0045.631] SetLastError (dwErrCode=0x0) [0045.631] GetLastError () returned 0x0 [0045.631] SetLastError (dwErrCode=0x0) [0045.631] GetLastError () returned 0x0 [0045.631] SetLastError (dwErrCode=0x0) [0045.631] GetLastError () returned 0x0 [0045.631] SetLastError (dwErrCode=0x0) [0045.631] GetLastError () returned 0x0 [0045.631] SetLastError (dwErrCode=0x0) [0045.631] GetLastError () returned 0x0 [0045.631] SetLastError (dwErrCode=0x0) [0045.631] GetLastError () returned 0x0 [0045.631] SetLastError (dwErrCode=0x0) [0045.631] GetLastError () returned 0x0 [0045.631] SetLastError (dwErrCode=0x0) [0045.631] GetLastError () returned 0x0 [0045.632] SetLastError (dwErrCode=0x0) [0045.632] GetLastError () returned 0x0 [0045.632] SetLastError (dwErrCode=0x0) [0045.632] GetLastError () returned 0x0 [0045.632] SetLastError (dwErrCode=0x0) [0045.632] GetLastError () returned 0x0 [0045.632] SetLastError (dwErrCode=0x0) [0045.632] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x26) returned 0x2681768 [0045.632] GetLastError () returned 0x0 [0045.632] SetLastError (dwErrCode=0x0) [0045.632] GetLastError () returned 0x0 [0045.632] SetLastError (dwErrCode=0x0) [0045.632] GetLastError () returned 0x0 [0045.632] SetLastError (dwErrCode=0x0) [0045.632] GetLastError () returned 0x0 [0045.632] SetLastError (dwErrCode=0x0) [0045.632] GetLastError () returned 0x0 [0045.632] SetLastError (dwErrCode=0x0) [0045.632] GetLastError () returned 0x0 [0045.632] SetLastError (dwErrCode=0x0) [0045.632] GetLastError () returned 0x0 [0045.632] SetLastError (dwErrCode=0x0) [0045.632] GetLastError () returned 0x0 [0045.632] SetLastError (dwErrCode=0x0) [0045.632] GetLastError () returned 0x0 [0045.633] SetLastError (dwErrCode=0x0) [0045.633] GetLastError () returned 0x0 [0045.633] SetLastError (dwErrCode=0x0) [0045.633] GetLastError () returned 0x0 [0045.633] SetLastError (dwErrCode=0x0) [0045.633] GetLastError () returned 0x0 [0045.633] SetLastError (dwErrCode=0x0) [0045.633] GetLastError () returned 0x0 [0045.633] SetLastError (dwErrCode=0x0) [0045.633] GetLastError () returned 0x0 [0045.633] SetLastError (dwErrCode=0x0) [0045.633] GetLastError () returned 0x0 [0045.633] SetLastError (dwErrCode=0x0) [0045.633] GetLastError () returned 0x0 [0045.633] SetLastError (dwErrCode=0x0) [0045.633] GetLastError () returned 0x0 [0045.633] SetLastError (dwErrCode=0x0) [0045.633] GetLastError () returned 0x0 [0045.633] SetLastError (dwErrCode=0x0) [0045.633] GetLastError () returned 0x0 [0045.633] SetLastError (dwErrCode=0x0) [0045.633] GetLastError () returned 0x0 [0045.634] SetLastError (dwErrCode=0x0) [0045.634] GetLastError () returned 0x0 [0045.634] SetLastError (dwErrCode=0x0) [0045.634] GetLastError () returned 0x0 [0045.634] SetLastError (dwErrCode=0x0) [0045.634] GetLastError () returned 0x0 [0045.634] SetLastError (dwErrCode=0x0) [0045.634] GetLastError () returned 0x0 [0045.634] SetLastError (dwErrCode=0x0) [0045.634] GetLastError () returned 0x0 [0045.634] SetLastError (dwErrCode=0x0) [0045.634] GetLastError () returned 0x0 [0045.634] SetLastError (dwErrCode=0x0) [0045.634] GetLastError () returned 0x0 [0045.634] SetLastError (dwErrCode=0x0) [0045.634] GetLastError () returned 0x0 [0045.634] SetLastError (dwErrCode=0x0) [0045.634] GetLastError () returned 0x0 [0045.634] SetLastError (dwErrCode=0x0) [0045.634] GetLastError () returned 0x0 [0045.634] SetLastError (dwErrCode=0x0) [0045.634] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x94) returned 0x2681798 [0045.634] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x1f) returned 0x2681838 [0045.634] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x28) returned 0x2681860 [0045.634] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x37) returned 0x2681890 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x3c) returned 0x26818d0 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x31) returned 0x2681918 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x14) returned 0x2681958 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x24) returned 0x2681978 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0xd) returned 0x26819a8 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x17) returned 0x26819c0 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x2b) returned 0x26819e0 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x15) returned 0x2681a18 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x17) returned 0x2681a38 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x22) returned 0x2681a58 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0xe) returned 0x2681a88 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0xc1) returned 0x2681aa0 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x3e) returned 0x2681b70 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x1b) returned 0x2681bb8 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x1d) returned 0x2681be0 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x48) returned 0x2681c08 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x12) returned 0x2681c58 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x18) returned 0x2681c78 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x1b) returned 0x2681c98 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x24) returned 0x2681cc0 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x29) returned 0x2681cf0 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x1e) returned 0x2681d28 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x6b) returned 0x2681d50 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x17) returned 0x2681dc8 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0xf) returned 0x2681de8 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x16) returned 0x2681e00 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x28) returned 0x2681e20 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x27) returned 0x2681e50 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x12) returned 0x2681e80 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x21) returned 0x2681ea0 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x10) returned 0x2681ed0 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x1c) returned 0x2681ee8 [0045.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x12) returned 0x2681f10 [0045.635] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680fd0 | out: hHeap=0x2680000) returned 1 [0045.636] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x8, Size=0x80) returned 0x2681f30 [0045.636] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0045.636] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x10a4b39) returned 0x0 [0045.636] RtlSizeHeap (HeapHandle=0x2680000, Flags=0x0, MemoryPointer=0x2681f30) returned 0x80 [0045.636] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x180) returned 0x2680fd0 [0045.637] RtlSizeHeap (HeapHandle=0x2680000, Flags=0x0, MemoryPointer=0x2681f30) returned 0x80 [0045.637] RtlSizeHeap (HeapHandle=0x2680000, Flags=0x0, MemoryPointer=0x2681f30) returned 0x80 [0045.637] RtlSizeHeap (HeapHandle=0x2680000, Flags=0x0, MemoryPointer=0x2681f30) returned 0x80 [0045.637] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Den'gi plyvut v karmany rekoy. My khodim po krayu nozha...") returned 0x1cc [0045.637] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0x0) returned 0x0 [0045.637] GetLastError () returned 0x0 [0045.637] CryptAcquireContextA (in: phProv=0x10af96c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x10af96c*=0xbdf330) returned 1 [0046.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681158 [0046.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x42) returned 0x26811b0 [0046.082] CryptCreateHash (in: hProv=0xbdf330, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x10af970 | out: phHash=0x10af970) returned 1 [0046.083] CryptHashData (hHash=0xbd8be0, pbData=0x26811b0, dwDataLen=0x42, dwFlags=0x0) returned 1 [0046.084] CryptDeriveKey (in: hProv=0xbdf330, Algid=0x6801, hBaseData=0xbd8be0, dwFlags=0x1, phKey=0x10af968 | out: phKey=0x10af968*=0xbd8960) returned 1 [0046.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26811b0 | out: hHeap=0x2680000) returned 1 [0046.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681158 | out: hHeap=0x2680000) returned 1 [0046.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x7) returned 0x2681fb8 [0046.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x114) returned 0x2681158 [0046.084] CryptAcquireContextA (in: phProv=0x10af960, szContainer="rsa public", szProvider=0x0, dwProvType=0x1, dwFlags=0x0 | out: phProv=0x10af960*=0x0) returned 0 [0046.337] CryptAcquireContextA (in: phProv=0x10af960, szContainer="rsa public", szProvider=0x0, dwProvType=0x1, dwFlags=0x8 | out: phProv=0x10af960*=0xbdfaa0) returned 1 [0046.943] CryptImportKey (in: hProv=0xbdfaa0, pbData=0x2681158, dwDataLen=0x114, hPubKey=0x0, dwFlags=0x0, phKey=0x10af964 | out: phKey=0x10af964*=0xbe2508) returned 1 [0046.944] GetLogicalDrives () returned 0x4 [0046.944] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0046.944] GetProcessHeap () returned 0xbc0000 [0046.944] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x4) returned 0xbe36f0 [0046.944] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681278 [0046.944] CreateFileW (lpFileName="C:\\NEFILIM-DECRYPT.txt" (normalized: "c:\\nefilim-decrypt.txt"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1d8 [0046.957] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0046.957] lstrlenA (lpString="P28bYetqAjMJwFdCu5KwgN5PGwkVckpRko+dpaPjLO7ofFiQDbKw8ovNbVTREf1xBQ6glzyU76V79uTCpaWeKoTIK27f4cF8GbrTFtiCBEPGFKlFUa9xOFxA/8iU3vp7QOYlJc6pPmGT0Z/MFnQhE0CqYav+ZfHo60djvhkjRBtoPLUcpUQ5jkOczEZPbghBDMjFVM/YFb49N687qDVvrBkiWsz2ehCWS0SMxVMJi4dpMwTc3FybPQPE73FBRFUS/aAHGjcQuSxMlzvAB7CqiEVjpFUodQwjRe7vkyt30HhFnEZmjqwbGTJea2tQ4jZ6AxIekd1brjxQuiQm+gmfc8Ic8zUBwuJgqvtZ0Nq1bPcEjakY2CI5cc+S4LZUTPU6njhVyVHifOH/tSn9IrD9jX6AODDD2jrQx4iVeZ4MnziKWlmcp9/WEgfmLGhGd0kAlpyXbJgBvjIAtvkdiSfyXnWtQSpqO0aLHIoBU+zfOTAOrSoFUEIRoEGYgVLK+/m93c90kSoa7Rkg81aBOat56uFM6j+6KE8TNIXLNK0ikPR9qX104J5xlpdGPPHuzZNOkoSAgw/ZZ2/qXRyCs8GU/ZyIY0/tNXj+E6pjeaxTHiRM3d+edqcmpxWBZOJjeBtztOlYUIw5J3hquaqNH6tkfF7e0XSEBeGAo3TdSlb4U3W+jlnzB8quhIzreGJ9Vh6Z4auZkWFejxeHLKXkB0xnpep5hJzXNPuFHT/PUwCrj8NOgc+usnDxxvK2yEWYx0Q2C5IChW+jIQb9+fYF7JavseSGl/JCuj9Or1UHrOUttk8YpIRlH9waaXD5kZpI6d2oSHAsQB1zhnRbb173T7ebR9+/22ttbaAV2KfVUo1kbfsWTHkg1dqquE84FoWApIwzwKZCmiY4MBVaAv2OasHLQp5boQFLyBzJv5+IdI9Pp/+sB9v2c0ssPO2NQ3R1mdYOdAOkh0QaH+BvuMPZPyfq14K05QmahmvUN6x5z6Z8LQGK2XMC7DNvVK0kWeTu2vJiWqNGUIOjH/SdldhPFbTWY+15dZC54nP267DtsRhZrdWl7FqWfgc0meAvHV2YHSa1g59qa98+O227TC9+5i1PVqyuEU1XO+7DZ1eLoNQ2") returned 1128 [0046.957] GetProcessHeap () returned 0xbc0000 [0046.957] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x34e) returned 0xbe5cf8 [0046.957] lstrlenA (lpString="P28bYetqAjMJwFdCu5KwgN5PGwkVckpRko+dpaPjLO7ofFiQDbKw8ovNbVTREf1xBQ6glzyU76V79uTCpaWeKoTIK27f4cF8GbrTFtiCBEPGFKlFUa9xOFxA/8iU3vp7QOYlJc6pPmGT0Z/MFnQhE0CqYav+ZfHo60djvhkjRBtoPLUcpUQ5jkOczEZPbghBDMjFVM/YFb49N687qDVvrBkiWsz2ehCWS0SMxVMJi4dpMwTc3FybPQPE73FBRFUS/aAHGjcQuSxMlzvAB7CqiEVjpFUodQwjRe7vkyt30HhFnEZmjqwbGTJea2tQ4jZ6AxIekd1brjxQuiQm+gmfc8Ic8zUBwuJgqvtZ0Nq1bPcEjakY2CI5cc+S4LZUTPU6njhVyVHifOH/tSn9IrD9jX6AODDD2jrQx4iVeZ4MnziKWlmcp9/WEgfmLGhGd0kAlpyXbJgBvjIAtvkdiSfyXnWtQSpqO0aLHIoBU+zfOTAOrSoFUEIRoEGYgVLK+/m93c90kSoa7Rkg81aBOat56uFM6j+6KE8TNIXLNK0ikPR9qX104J5xlpdGPPHuzZNOkoSAgw/ZZ2/qXRyCs8GU/ZyIY0/tNXj+E6pjeaxTHiRM3d+edqcmpxWBZOJjeBtztOlYUIw5J3hquaqNH6tkfF7e0XSEBeGAo3TdSlb4U3W+jlnzB8quhIzreGJ9Vh6Z4auZkWFejxeHLKXkB0xnpep5hJzXNPuFHT/PUwCrj8NOgc+usnDxxvK2yEWYx0Q2C5IChW+jIQb9+fYF7JavseSGl/JCuj9Or1UHrOUttk8YpIRlH9waaXD5kZpI6d2oSHAsQB1zhnRbb173T7ebR9+/22ttbaAV2KfVUo1kbfsWTHkg1dqquE84FoWApIwzwKZCmiY4MBVaAv2OasHLQp5boQFLyBzJv5+IdI9Pp/+sB9v2c0ssPO2NQ3R1mdYOdAOkh0QaH+BvuMPZPyfq14K05QmahmvUN6x5z6Z8LQGK2XMC7DNvVK0kWeTu2vJiWqNGUIOjH/SdldhPFbTWY+15dZC54nP267DtsRhZrdWl7FqWfgc0meAvHV2YHSa1g59qa98+O227TC9+5i1PVqyuEU1XO+7DZ1eLoNQ2") returned 1128 [0046.957] lstrlenA (lpString="P28bYetqAjMJwFdCu5KwgN5PGwkVckpRko+dpaPjLO7ofFiQDbKw8ovNbVTREf1xBQ6glzyU76V79uTCpaWeKoTIK27f4cF8GbrTFtiCBEPGFKlFUa9xOFxA/8iU3vp7QOYlJc6pPmGT0Z/MFnQhE0CqYav+ZfHo60djvhkjRBtoPLUcpUQ5jkOczEZPbghBDMjFVM/YFb49N687qDVvrBkiWsz2ehCWS0SMxVMJi4dpMwTc3FybPQPE73FBRFUS/aAHGjcQuSxMlzvAB7CqiEVjpFUodQwjRe7vkyt30HhFnEZmjqwbGTJea2tQ4jZ6AxIekd1brjxQuiQm+gmfc8Ic8zUBwuJgqvtZ0Nq1bPcEjakY2CI5cc+S4LZUTPU6njhVyVHifOH/tSn9IrD9jX6AODDD2jrQx4iVeZ4MnziKWlmcp9/WEgfmLGhGd0kAlpyXbJgBvjIAtvkdiSfyXnWtQSpqO0aLHIoBU+zfOTAOrSoFUEIRoEGYgVLK+/m93c90kSoa7Rkg81aBOat56uFM6j+6KE8TNIXLNK0ikPR9qX104J5xlpdGPPHuzZNOkoSAgw/ZZ2/qXRyCs8GU/ZyIY0/tNXj+E6pjeaxTHiRM3d+edqcmpxWBZOJjeBtztOlYUIw5J3hquaqNH6tkfF7e0XSEBeGAo3TdSlb4U3W+jlnzB8quhIzreGJ9Vh6Z4auZkWFejxeHLKXkB0xnpep5hJzXNPuFHT/PUwCrj8NOgc+usnDxxvK2yEWYx0Q2C5IChW+jIQb9+fYF7JavseSGl/JCuj9Or1UHrOUttk8YpIRlH9waaXD5kZpI6d2oSHAsQB1zhnRbb173T7ebR9+/22ttbaAV2KfVUo1kbfsWTHkg1dqquE84FoWApIwzwKZCmiY4MBVaAv2OasHLQp5boQFLyBzJv5+IdI9Pp/+sB9v2c0ssPO2NQ3R1mdYOdAOkh0QaH+BvuMPZPyfq14K05QmahmvUN6x5z6Z8LQGK2XMC7DNvVK0kWeTu2vJiWqNGUIOjH/SdldhPFbTWY+15dZC54nP267DtsRhZrdWl7FqWfgc0meAvHV2YHSa1g59qa98+O227TC9+5i1PVqyuEU1XO+7DZ1eLoNQ2") returned 1128 [0046.957] CryptDecrypt (in: hKey=0xbd8960, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xbe5cf8, pdwDataLen=0x8ffcc4 | out: pbData=0xbe5cf8, pdwDataLen=0x8ffcc4) returned 1 [0046.957] lstrlenA (lpString="P28bYetqAjMJwFdCu5KwgN5PGwkVckpRko+dpaPjLO7ofFiQDbKw8ovNbVTREf1xBQ6glzyU76V79uTCpaWeKoTIK27f4cF8GbrTFtiCBEPGFKlFUa9xOFxA/8iU3vp7QOYlJc6pPmGT0Z/MFnQhE0CqYav+ZfHo60djvhkjRBtoPLUcpUQ5jkOczEZPbghBDMjFVM/YFb49N687qDVvrBkiWsz2ehCWS0SMxVMJi4dpMwTc3FybPQPE73FBRFUS/aAHGjcQuSxMlzvAB7CqiEVjpFUodQwjRe7vkyt30HhFnEZmjqwbGTJea2tQ4jZ6AxIekd1brjxQuiQm+gmfc8Ic8zUBwuJgqvtZ0Nq1bPcEjakY2CI5cc+S4LZUTPU6njhVyVHifOH/tSn9IrD9jX6AODDD2jrQx4iVeZ4MnziKWlmcp9/WEgfmLGhGd0kAlpyXbJgBvjIAtvkdiSfyXnWtQSpqO0aLHIoBU+zfOTAOrSoFUEIRoEGYgVLK+/m93c90kSoa7Rkg81aBOat56uFM6j+6KE8TNIXLNK0ikPR9qX104J5xlpdGPPHuzZNOkoSAgw/ZZ2/qXRyCs8GU/ZyIY0/tNXj+E6pjeaxTHiRM3d+edqcmpxWBZOJjeBtztOlYUIw5J3hquaqNH6tkfF7e0XSEBeGAo3TdSlb4U3W+jlnzB8quhIzreGJ9Vh6Z4auZkWFejxeHLKXkB0xnpep5hJzXNPuFHT/PUwCrj8NOgc+usnDxxvK2yEWYx0Q2C5IChW+jIQb9+fYF7JavseSGl/JCuj9Or1UHrOUttk8YpIRlH9waaXD5kZpI6d2oSHAsQB1zhnRbb173T7ebR9+/22ttbaAV2KfVUo1kbfsWTHkg1dqquE84FoWApIwzwKZCmiY4MBVaAv2OasHLQp5boQFLyBzJv5+IdI9Pp/+sB9v2c0ssPO2NQ3R1mdYOdAOkh0QaH+BvuMPZPyfq14K05QmahmvUN6x5z6Z8LQGK2XMC7DNvVK0kWeTu2vJiWqNGUIOjH/SdldhPFbTWY+15dZC54nP267DtsRhZrdWl7FqWfgc0meAvHV2YHSa1g59qa98+O227TC9+5i1PVqyuEU1XO+7DZ1eLoNQ2") returned 1128 [0046.957] WriteFile (in: hFile=0x1d8, lpBuffer=0xbe5cf8*, nNumberOfBytesToWrite=0x34e, lpNumberOfBytesWritten=0x8ffcc0, lpOverlapped=0x0 | out: lpBuffer=0xbe5cf8*, lpNumberOfBytesWritten=0x8ffcc0*=0x34e, lpOverlapped=0x0) returned 1 [0046.958] CloseHandle (hObject=0x1d8) returned 1 [0046.959] GetProcessHeap () returned 0xbc0000 [0046.959] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe5cf8 | out: hHeap=0xbc0000) returned 1 [0046.959] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x10a2049, lpParameter=0xbe36f0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1d8 [0046.960] Sleep (dwMilliseconds=0x1f4) [0047.572] WaitForSingleObject (hHandle=0x1d8, dwMilliseconds=0xffffffff) returned 0x0 [0112.602] CryptReleaseContext (hProv=0xbdfaa0, dwFlags=0x0) returned 1 [0112.602] CryptDestroyKey (hKey=0xbe2508) returned 0 [0112.602] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x8ffb94, nSize=0x104 | out: lpFilename="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x1d [0112.602] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0112.602] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0112.602] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xbe) returned 0x26804b8 [0112.602] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0112.602] ShellExecuteW (hwnd=0x0, lpOperation=0x0, lpFile="cmd.exe", lpParameters=" /c timeout /t 3 /nobreak && del \"C:\\Users\\FD1HVy\\Desktop\\1.exe\" /s /f /q", lpDirectory=0x0, nShowCmd=0) returned 0x2a [0120.626] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0120.627] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0120.627] ExitProcess (uExitCode=0x0) [0120.627] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26805a8 | out: hHeap=0x2680000) returned 1 Thread: id = 2 os_tid = 0x1198 Thread: id = 3 os_tid = 0x1190 [0046.967] FindFirstFileW (in: lpFileName="C:\\*.*", lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1003f, dwReserved1=0x0, cFileName="$GetCurrent", cAlternateFileName="$GETCU~1")) returned 0xbe2448 [0046.967] lstrcmpiW (lpString1="$GetCurrent", lpString2=".") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="..") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="...") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="windows") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="$RECYCLE.BIN") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="rsa") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="NTDETECT.COM") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="ntldr") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="MSDOS.SYS") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="IO.SYS") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="boot.ini") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="AUTOEXEC.BAT") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="ntuser.dat") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="desktop.ini") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="CONFIG.SYS") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="RECYCLER") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="BOOTSECT.BAK") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="bootmgr") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="programdata") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="appdata") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="program files") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="program files (x86)") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="microsoft") returned -1 [0046.968] lstrcmpiW (lpString1="$GetCurrent", lpString2="sophos") returned -1 [0046.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681278 [0046.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812a0 [0046.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812c8 [0046.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812f0 [0046.968] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\*.*", lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28, dwReserved1=0xbc00c0, cFileName=".", cAlternateFileName="")) returned 0xbe29c8 [0046.970] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.970] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xf0b4f277, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0x9b28dcfd, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9b28dcfd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28, dwReserved1=0xbc00c0, cFileName="..", cAlternateFileName="")) returned 1 [0046.971] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.971] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.971] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28, dwReserved1=0xbc00c0, cFileName="Logs", cAlternateFileName="")) returned 1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2=".") returned 1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="..") returned 1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="...") returned 1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="windows") returned -1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="$RECYCLE.BIN") returned 1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="rsa") returned -1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="NTDETECT.COM") returned -1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="ntldr") returned -1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="MSDOS.SYS") returned -1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="IO.SYS") returned 1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="boot.ini") returned 1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="AUTOEXEC.BAT") returned 1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="ntuser.dat") returned -1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="desktop.ini") returned 1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="CONFIG.SYS") returned 1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="RECYCLER") returned -1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="BOOTSECT.BAK") returned 1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="bootmgr") returned 1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="programdata") returned -1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="appdata") returned 1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="program files") returned -1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="program files (x86)") returned -1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="microsoft") returned -1 [0046.971] lstrcmpiW (lpString1="Logs", lpString2="sophos") returned -1 [0046.971] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681328 [0046.971] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0046.971] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812f0 [0046.971] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681360 [0046.971] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681398 [0046.971] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\Logs\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2608 [0046.975] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.975] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x9c5a0a89, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.976] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.976] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.976] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x542c8aac, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x542c8aac, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0xafe5f7a, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xa6b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="downlevel_2017_09_07_02_02_39_766.log", cAlternateFileName="DOWNLE~1.LOG")) returned 1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2=".") returned 1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="..") returned 1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="...") returned 1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="windows") returned -1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="$RECYCLE.BIN") returned 1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="rsa") returned -1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="NTDETECT.COM") returned -1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="ntldr") returned -1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="MSDOS.SYS") returned -1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="IO.SYS") returned -1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="boot.ini") returned 1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="AUTOEXEC.BAT") returned 1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="ntuser.dat") returned -1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="desktop.ini") returned 1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="CONFIG.SYS") returned 1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="RECYCLER") returned -1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="BOOTSECT.BAK") returned 1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="bootmgr") returned 1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="programdata") returned -1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="appdata") returned 1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="program files") returned -1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="program files (x86)") returned -1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="microsoft") returned -1 [0046.976] lstrcmpiW (lpString1="downlevel_2017_09_07_02_02_39_766.log", lpString2="sophos") returned -1 [0046.976] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26813d0 [0046.976] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681398 | out: hHeap=0x2680000) returned 1 [0046.976] PathFindExtensionW (pszPath="downlevel_2017_09_07_02_02_39_766.log") returned=".log" [0046.976] lstrcmpiW (lpString1=".log", lpString2=".exe") returned 1 [0046.976] lstrcmpiW (lpString1=".log", lpString2=".log") returned 0 [0046.976] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x973abb0f, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x973abb0f, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1774, dwReserved0=0x0, dwReserved1=0x0, cFileName="oobe_2017_09_07_03_08_57_737.log", cAlternateFileName="OOBE_2~1.LOG")) returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2=".") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="..") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="...") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="windows") returned -1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="$RECYCLE.BIN") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="rsa") returned -1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="NTDETECT.COM") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="ntldr") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="MSDOS.SYS") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="IO.SYS") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="boot.ini") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="AUTOEXEC.BAT") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="ntuser.dat") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="desktop.ini") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="CONFIG.SYS") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="RECYCLER") returned -1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="BOOTSECT.BAK") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="bootmgr") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="programdata") returned -1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="appdata") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="program files") returned -1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="program files (x86)") returned -1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="microsoft") returned 1 [0046.977] lstrcmpiW (lpString1="oobe_2017_09_07_03_08_57_737.log", lpString2="sophos") returned -1 [0046.977] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681458 [0046.977] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813d0 | out: hHeap=0x2680000) returned 1 [0046.977] PathFindExtensionW (pszPath="oobe_2017_09_07_03_08_57_737.log") returned=".log" [0046.977] lstrcmpiW (lpString1=".log", lpString2=".exe") returned 1 [0046.977] lstrcmpiW (lpString1=".log", lpString2=".log") returned 0 [0046.977] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 1 [0046.977] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2=".") returned 1 [0046.977] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="..") returned 1 [0046.977] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="...") returned 1 [0046.977] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="windows") returned -1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="$RECYCLE.BIN") returned 1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="rsa") returned -1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="NTDETECT.COM") returned 1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="ntldr") returned 1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="MSDOS.SYS") returned 1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="IO.SYS") returned 1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="boot.ini") returned 1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="AUTOEXEC.BAT") returned 1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="ntuser.dat") returned 1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="desktop.ini") returned 1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="CONFIG.SYS") returned 1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="RECYCLER") returned -1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="BOOTSECT.BAK") returned 1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="bootmgr") returned 1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="programdata") returned -1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="appdata") returned 1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="program files") returned -1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="program files (x86)") returned -1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="microsoft") returned 1 [0046.978] lstrcmpiW (lpString1="PartnerSetupCompleteResult.log", lpString2="sophos") returned -1 [0046.978] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681398 [0046.978] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681458 | out: hHeap=0x2680000) returned 1 [0046.978] PathFindExtensionW (pszPath="PartnerSetupCompleteResult.log") returned=".log" [0046.978] lstrcmpiW (lpString1=".log", lpString2=".exe") returned 1 [0046.978] lstrcmpiW (lpString1=".log", lpString2=".log") returned 0 [0046.978] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c5a0a89, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x9c5a0a89, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xbb3747bd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x28, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupCompleteResult.log", cAlternateFileName="PARTNE~1.LOG")) returned 0 [0046.978] FindClose (in: hFindFile=0xbe2608 | out: hFindFile=0xbe2608) returned 1 [0046.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681398 | out: hHeap=0x2680000) returned 1 [0046.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681360 | out: hHeap=0x2680000) returned 1 [0046.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0046.979] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28, dwReserved1=0xbc00c0, cFileName="SafeOS", cAlternateFileName="")) returned 1 [0046.979] lstrcmpiW (lpString1="SafeOS", lpString2=".") returned 1 [0046.979] lstrcmpiW (lpString1="SafeOS", lpString2="..") returned 1 [0046.979] lstrcmpiW (lpString1="SafeOS", lpString2="...") returned 1 [0046.979] lstrcmpiW (lpString1="SafeOS", lpString2="windows") returned -1 [0046.979] lstrcmpiW (lpString1="SafeOS", lpString2="$RECYCLE.BIN") returned 1 [0046.979] lstrcmpiW (lpString1="SafeOS", lpString2="rsa") returned 1 [0046.979] lstrcmpiW (lpString1="SafeOS", lpString2="NTDETECT.COM") returned 1 [0046.979] lstrcmpiW (lpString1="SafeOS", lpString2="ntldr") returned 1 [0046.979] lstrcmpiW (lpString1="SafeOS", lpString2="MSDOS.SYS") returned 1 [0046.979] lstrcmpiW (lpString1="SafeOS", lpString2="IO.SYS") returned 1 [0046.979] lstrcmpiW (lpString1="SafeOS", lpString2="boot.ini") returned 1 [0046.979] lstrcmpiW (lpString1="SafeOS", lpString2="AUTOEXEC.BAT") returned 1 [0046.980] lstrcmpiW (lpString1="SafeOS", lpString2="ntuser.dat") returned 1 [0046.980] lstrcmpiW (lpString1="SafeOS", lpString2="desktop.ini") returned 1 [0046.980] lstrcmpiW (lpString1="SafeOS", lpString2="CONFIG.SYS") returned 1 [0046.980] lstrcmpiW (lpString1="SafeOS", lpString2="RECYCLER") returned 1 [0046.980] lstrcmpiW (lpString1="SafeOS", lpString2="BOOTSECT.BAK") returned 1 [0046.980] lstrcmpiW (lpString1="SafeOS", lpString2="bootmgr") returned 1 [0046.980] lstrcmpiW (lpString1="SafeOS", lpString2="programdata") returned 1 [0046.980] lstrcmpiW (lpString1="SafeOS", lpString2="appdata") returned 1 [0046.980] lstrcmpiW (lpString1="SafeOS", lpString2="program files") returned 1 [0046.980] lstrcmpiW (lpString1="SafeOS", lpString2="program files (x86)") returned 1 [0046.980] lstrcmpiW (lpString1="SafeOS", lpString2="microsoft") returned 1 [0046.980] lstrcmpiW (lpString1="SafeOS", lpString2="sophos") returned -1 [0046.980] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812f0 [0046.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681328 | out: hHeap=0x2680000) returned 1 [0046.980] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681328 [0046.980] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681360 [0046.980] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681398 [0046.980] FindFirstFileW (in: lpFileName="C:\\$GetCurrent\\SafeOS\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0046.984] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0046.984] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0046.984] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0046.984] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0046.984] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9568f13f, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9568f13f, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2=".") returned 1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="..") returned 1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="...") returned 1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="windows") returned -1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="$RECYCLE.BIN") returned 1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="rsa") returned -1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="NTDETECT.COM") returned -1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="ntldr") returned -1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="MSDOS.SYS") returned -1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="IO.SYS") returned -1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="boot.ini") returned 1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="AUTOEXEC.BAT") returned 1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="ntuser.dat") returned -1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="desktop.ini") returned 1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="CONFIG.SYS") returned 1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="RECYCLER") returned -1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="BOOTSECT.BAK") returned 1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="bootmgr") returned 1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="programdata") returned -1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="appdata") returned 1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="program files") returned -1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="program files (x86)") returned -1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="microsoft") returned -1 [0046.984] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="sophos") returned -1 [0046.984] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26813e0 [0046.984] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681398 | out: hHeap=0x2680000) returned 1 [0046.985] PathFindExtensionW (pszPath="GetCurrentOOBE.dll") returned=".dll" [0046.985] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0046.985] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0046.985] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0046.985] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0046.985] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0046.985] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0046.985] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0046.985] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0046.985] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x956819aa, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x956819aa, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x980eecb6, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x9c, dwReserved0=0x0, dwReserved1=0x0, cFileName="GetCurrentRollback.ini", cAlternateFileName="GETCUR~1.INI")) returned 1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2=".") returned 1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="..") returned 1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="...") returned 1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="windows") returned -1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="$RECYCLE.BIN") returned 1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="rsa") returned -1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="NTDETECT.COM") returned -1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="ntldr") returned -1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="MSDOS.SYS") returned -1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="IO.SYS") returned -1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="boot.ini") returned 1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="AUTOEXEC.BAT") returned 1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="ntuser.dat") returned -1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="desktop.ini") returned 1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="CONFIG.SYS") returned 1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="RECYCLER") returned -1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="BOOTSECT.BAK") returned 1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="bootmgr") returned 1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="programdata") returned -1 [0046.985] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="appdata") returned 1 [0046.986] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="program files") returned -1 [0046.986] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="program files (x86)") returned -1 [0046.986] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="microsoft") returned -1 [0046.986] lstrcmpiW (lpString1="GetCurrentRollback.ini", lpString2="sophos") returned -1 [0046.986] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681448 [0046.986] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813e0 | out: hHeap=0x2680000) returned 1 [0046.986] PathFindExtensionW (pszPath="GetCurrentRollback.ini") returned=".ini" [0046.986] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0046.986] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0046.986] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0046.986] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0046.986] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0046.986] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0046.986] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0046.986] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x0, dwReserved1=0x0, cFileName="PartnerSetupComplete.cmd", cAlternateFileName="PARTNE~1.CMD")) returned 1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2=".") returned 1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="..") returned 1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="...") returned 1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="windows") returned -1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="$RECYCLE.BIN") returned 1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="rsa") returned -1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="NTDETECT.COM") returned 1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="ntldr") returned 1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="MSDOS.SYS") returned 1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="IO.SYS") returned 1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="boot.ini") returned 1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="AUTOEXEC.BAT") returned 1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="ntuser.dat") returned 1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="desktop.ini") returned 1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="CONFIG.SYS") returned 1 [0046.986] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="RECYCLER") returned -1 [0046.987] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="BOOTSECT.BAK") returned 1 [0046.987] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="bootmgr") returned 1 [0046.987] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="programdata") returned -1 [0046.987] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="appdata") returned 1 [0046.987] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="program files") returned -1 [0046.987] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="program files (x86)") returned -1 [0046.987] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="microsoft") returned 1 [0046.987] lstrcmpiW (lpString1="PartnerSetupComplete.cmd", lpString2="sophos") returned -1 [0046.987] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814b0 [0046.987] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681448 | out: hHeap=0x2680000) returned 1 [0046.987] PathFindExtensionW (pszPath="PartnerSetupComplete.cmd") returned=".cmd" [0046.987] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0046.987] lstrcmpiW (lpString1=".cmd", lpString2=".log") returned -1 [0046.987] lstrcmpiW (lpString1=".cmd", lpString2=".cab") returned 1 [0046.987] lstrcmpiW (lpString1=".cmd", lpString2=".cmd") returned 0 [0046.987] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9575af11, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9577d1ec, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="preoobe.cmd", cAlternateFileName="")) returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2=".") returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="..") returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="...") returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="windows") returned -1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="$RECYCLE.BIN") returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="rsa") returned -1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="NTDETECT.COM") returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="ntldr") returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="MSDOS.SYS") returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="IO.SYS") returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="boot.ini") returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="AUTOEXEC.BAT") returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="ntuser.dat") returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="desktop.ini") returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="CONFIG.SYS") returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="RECYCLER") returned -1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="BOOTSECT.BAK") returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="bootmgr") returned 1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="programdata") returned -1 [0046.987] lstrcmpiW (lpString1="preoobe.cmd", lpString2="appdata") returned 1 [0046.988] lstrcmpiW (lpString1="preoobe.cmd", lpString2="program files") returned -1 [0046.988] lstrcmpiW (lpString1="preoobe.cmd", lpString2="program files (x86)") returned -1 [0046.988] lstrcmpiW (lpString1="preoobe.cmd", lpString2="microsoft") returned 1 [0046.988] lstrcmpiW (lpString1="preoobe.cmd", lpString2="sophos") returned -1 [0046.988] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681398 [0046.988] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b0 | out: hHeap=0x2680000) returned 1 [0046.988] PathFindExtensionW (pszPath="preoobe.cmd") returned=".cmd" [0046.988] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0046.988] lstrcmpiW (lpString1=".cmd", lpString2=".log") returned -1 [0046.988] lstrcmpiW (lpString1=".cmd", lpString2=".cab") returned 1 [0046.988] lstrcmpiW (lpString1=".cmd", lpString2=".cmd") returned 0 [0046.988] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2=".") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="..") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="...") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="windows") returned -1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="$RECYCLE.BIN") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="rsa") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="NTDETECT.COM") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="ntldr") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="MSDOS.SYS") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="IO.SYS") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="boot.ini") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="AUTOEXEC.BAT") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="ntuser.dat") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="desktop.ini") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="CONFIG.SYS") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="RECYCLER") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="BOOTSECT.BAK") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="bootmgr") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="programdata") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="appdata") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="program files") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="program files (x86)") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="microsoft") returned 1 [0046.988] lstrcmpiW (lpString1="SetupComplete.cmd", lpString2="sophos") returned -1 [0046.989] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26813f0 [0046.989] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681398 | out: hHeap=0x2680000) returned 1 [0046.989] PathFindExtensionW (pszPath="SetupComplete.cmd") returned=".cmd" [0046.989] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0046.989] lstrcmpiW (lpString1=".cmd", lpString2=".log") returned -1 [0046.989] lstrcmpiW (lpString1=".cmd", lpString2=".cab") returned 1 [0046.989] lstrcmpiW (lpString1=".cmd", lpString2=".cmd") returned 0 [0046.989] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x957833a7, ftCreationTime.dwHighDateTime=0x1d3273b, ftLastAccessTime.dwLowDateTime=0x957833a7, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x9578472e, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x133, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupComplete.cmd", cAlternateFileName="SETUPC~1.CMD")) returned 0 [0046.989] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0046.989] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813f0 | out: hHeap=0x2680000) returned 1 [0046.990] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681360 | out: hHeap=0x2680000) returned 1 [0046.990] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681328 | out: hHeap=0x2680000) returned 1 [0046.990] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x9575af11, ftLastAccessTime.dwHighDateTime=0x1d3273b, ftLastWriteTime.dwLowDateTime=0x957833a7, ftLastWriteTime.dwHighDateTime=0x1d3273b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x28, dwReserved1=0xbc00c0, cFileName="SafeOS", cAlternateFileName="")) returned 0 [0046.990] FindClose (in: hFindFile=0xbe29c8 | out: hFindFile=0xbe29c8) returned 1 [0046.990] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0046.990] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c8 | out: hHeap=0x2680000) returned 1 [0046.990] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812a0 | out: hHeap=0x2680000) returned 1 [0046.990] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xbaec25, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xae73cae3, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xae73cae3, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1003f, dwReserved1=0x0, cFileName="$Recycle.Bin", cAlternateFileName="")) returned 1 [0046.990] lstrcmpiW (lpString1="$Recycle.Bin", lpString2=".") returned -1 [0046.990] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="..") returned -1 [0046.990] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="...") returned -1 [0046.990] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="windows") returned -1 [0046.990] lstrcmpiW (lpString1="$Recycle.Bin", lpString2="$RECYCLE.BIN") returned 0 [0046.990] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x85776261, ftCreationTime.dwHighDateTime=0x1d3276f, ftLastAccessTime.dwLowDateTime=0x85776261, ftLastAccessTime.dwHighDateTime=0x1d3276f, ftLastWriteTime.dwLowDateTime=0x85776261, ftLastWriteTime.dwHighDateTime=0x1d3276f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1003f, dwReserved1=0x0, cFileName="$WINRE_BACKUP_PARTITION.MARKER", cAlternateFileName="$WINRE~1.MAR")) returned 1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2=".") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="..") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="...") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="windows") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="$RECYCLE.BIN") returned 1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="rsa") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="NTDETECT.COM") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="ntldr") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="MSDOS.SYS") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="IO.SYS") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="boot.ini") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="AUTOEXEC.BAT") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="ntuser.dat") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="desktop.ini") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="CONFIG.SYS") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="RECYCLER") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="BOOTSECT.BAK") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="bootmgr") returned -1 [0046.990] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="programdata") returned -1 [0046.991] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="appdata") returned -1 [0046.991] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="program files") returned -1 [0046.991] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="program files (x86)") returned -1 [0046.991] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="microsoft") returned -1 [0046.991] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="sophos") returned -1 [0046.991] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812a0 [0046.991] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0046.991] PathFindExtensionW (pszPath="$WINRE_BACKUP_PARTITION.MARKER") returned=".MARKER" [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".exe") returned 1 [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".log") returned 1 [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".cab") returned 1 [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".cmd") returned 1 [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".com") returned 1 [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".cpl") returned 1 [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".ini") returned 1 [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".dll") returned 1 [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".url") returned -1 [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".ttf") returned -1 [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".mp3") returned -1 [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".pif") returned -1 [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".mp4") returned -1 [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".NEFILIM") returned -1 [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".msi") returned -1 [0046.991] lstrcmpiW (lpString1=".MARKER", lpString2=".lnk") returned 1 [0046.991] lstrcmpiW (lpString1="$WINRE_BACKUP_PARTITION.MARKER", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0046.991] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812f8 [0046.991] CreateFileW (lpFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x25c [0046.992] GetFileSizeEx (in: hFile=0x25c, lpFileSize=0x25bf458 | out: lpFileSize=0x25bf458*=0) returned 1 [0046.992] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681fc8 [0046.992] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681278 [0046.992] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x756e0000 [0046.992] GetProcAddress (hModule=0x756e0000, lpProcName="SystemFunction036") returned 0x744329e0 [0046.992] SystemFunction036 (in: RandomBuffer=0x2681fc8, RandomBufferLength=0x10 | out: RandomBuffer=0x2681fc8) returned 1 [0046.993] SystemFunction036 (in: RandomBuffer=0x2681278, RandomBufferLength=0x10 | out: RandomBuffer=0x2681278) returned 1 [0046.993] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681350 [0046.993] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fe8 [0046.993] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681350*, pdwDataLen=0x25bf418*=0x10, dwBufLen=0x100 | out: pbData=0x2681350*, pdwDataLen=0x25bf418*=0x100) returned 1 [0046.994] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fe8*, pdwDataLen=0x25bf414*=0x10, dwBufLen=0x100 | out: pbData=0x2681fe8*, pdwDataLen=0x25bf414*=0x100) returned 1 [0046.994] GetTickCount () returned 0x114d3bc [0046.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681458 [0046.994] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681458 | out: hHeap=0x2680000) returned 1 [0046.994] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.994] SetLastError (dwErrCode=0x0) [0046.994] WriteFile (in: hFile=0x25c, lpBuffer=0x2681350*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf470, lpOverlapped=0x0 | out: lpBuffer=0x2681350*, lpNumberOfBytesWritten=0x25bf470*=0x100, lpOverlapped=0x0) returned 1 [0046.995] GetLastError () returned 0x0 [0046.995] GetLastError () returned 0x0 [0046.995] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.995] WriteFile (in: hFile=0x25c, lpBuffer=0x2681fe8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf470, lpOverlapped=0x0 | out: lpBuffer=0x2681fe8*, lpNumberOfBytesWritten=0x25bf470*=0x100, lpOverlapped=0x0) returned 1 [0046.996] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.996] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf42c | out: lpSystemTimeAsFileTime=0x25bf42c*(dwLowDateTime=0x17003e99, dwHighDateTime=0x1d5f971)) [0046.996] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681458 [0046.996] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681458 | out: hHeap=0x2680000) returned 1 [0046.996] WriteFile (in: hFile=0x25c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf470, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf470*=0x7, lpOverlapped=0x0) returned 1 [0046.996] GetProcessHeap () returned 0xbc0000 [0046.996] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x0) returned 0xbe3810 [0046.996] GetSystemDefaultLangID () returned 0xbd0409 [0046.996] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.996] ReadFile (in: hFile=0x25c, lpBuffer=0xbe3810, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x25bf47c, lpOverlapped=0x0 | out: lpBuffer=0xbe3810*, lpNumberOfBytesRead=0x25bf47c*=0x0, lpOverlapped=0x0) returned 1 [0046.996] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0046.996] WriteFile (in: hFile=0x25c, lpBuffer=0xbe3810*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25bf470, lpOverlapped=0x0 | out: lpBuffer=0xbe3810*, lpNumberOfBytesWritten=0x25bf470*=0x0, lpOverlapped=0x0) returned 1 [0046.996] GetProcessHeap () returned 0xbc0000 [0046.996] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3810 | out: hHeap=0xbc0000) returned 1 [0046.996] CloseHandle (hObject=0x25c) returned 1 [0046.997] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681350 | out: hHeap=0x2680000) returned 1 [0046.997] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fe8 | out: hHeap=0x2680000) returned 1 [0046.997] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0046.997] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0046.997] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681350 [0046.997] MoveFileW (lpExistingFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER" (normalized: "c:\\$winre_backup_partition.marker"), lpNewFileName="C:\\$WINRE_BACKUP_PARTITION.MARKER.NEFILIM" (normalized: "c:\\$winre_backup_partition.marker.nefilim")) returned 1 [0046.998] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681350 | out: hHeap=0x2680000) returned 1 [0046.998] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f8 | out: hHeap=0x2680000) returned 1 [0046.998] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1003f, dwReserved1=0x0, cFileName="588bce7c90097ed212", cAlternateFileName="588BCE~1")) returned 1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2=".") returned 1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="..") returned 1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="...") returned 1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="windows") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="$RECYCLE.BIN") returned 1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="rsa") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="NTDETECT.COM") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="ntldr") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="MSDOS.SYS") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="IO.SYS") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="boot.ini") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="AUTOEXEC.BAT") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="ntuser.dat") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="desktop.ini") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="CONFIG.SYS") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="RECYCLER") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="BOOTSECT.BAK") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="bootmgr") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="programdata") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="appdata") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="program files") returned -1 [0046.998] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="program files (x86)") returned -1 [0046.999] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="microsoft") returned -1 [0046.999] lstrcmpiW (lpString1="588bce7c90097ed212", lpString2="sophos") returned -1 [0046.999] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812f8 [0046.999] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812a0 | out: hHeap=0x2680000) returned 1 [0046.999] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681278 [0046.999] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812b0 [0046.999] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0046.999] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\*.*", lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName=".", cAlternateFileName="")) returned 0xbe2948 [0047.036] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.036] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf257ded5, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf39a4e7e, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf74cd515, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="..", cAlternateFileName="")) returned 1 [0047.036] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.036] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.036] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1025", cAlternateFileName="")) returned 1 [0047.036] lstrcmpiW (lpString1="1025", lpString2=".") returned 1 [0047.036] lstrcmpiW (lpString1="1025", lpString2="..") returned 1 [0047.036] lstrcmpiW (lpString1="1025", lpString2="...") returned 1 [0047.036] lstrcmpiW (lpString1="1025", lpString2="windows") returned -1 [0047.036] lstrcmpiW (lpString1="1025", lpString2="$RECYCLE.BIN") returned 1 [0047.036] lstrcmpiW (lpString1="1025", lpString2="rsa") returned -1 [0047.036] lstrcmpiW (lpString1="1025", lpString2="NTDETECT.COM") returned -1 [0047.036] lstrcmpiW (lpString1="1025", lpString2="ntldr") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="MSDOS.SYS") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="IO.SYS") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="boot.ini") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="AUTOEXEC.BAT") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="ntuser.dat") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="desktop.ini") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="CONFIG.SYS") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="RECYCLER") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="BOOTSECT.BAK") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="bootmgr") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="programdata") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="appdata") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="program files") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="program files (x86)") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="microsoft") returned -1 [0047.037] lstrcmpiW (lpString1="1025", lpString2="sophos") returned -1 [0047.037] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0047.037] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0047.037] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0047.037] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0047.037] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.037] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1025\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2988 [0047.038] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.038] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.038] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.038] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.038] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1d8f, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0047.038] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0047.039] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0047.039] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0047.039] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0047.039] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0047.039] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.039] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0047.039] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.039] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.039] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0047.039] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.041] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=7567) returned 1 [0047.041] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0047.041] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0047.041] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0047.041] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0047.041] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.041] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.041] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.042] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.042] GetTickCount () returned 0x114d3eb [0047.042] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0047.042] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.042] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1d8f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.042] SetLastError (dwErrCode=0x0) [0047.042] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.044] GetLastError () returned 0x0 [0047.044] GetLastError () returned 0x0 [0047.044] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1e8f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.044] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.044] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1f8f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.044] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17076566, dwHighDateTime=0x1d5f971)) [0047.044] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.044] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.044] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.045] GetProcessHeap () returned 0xbc0000 [0047.045] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1d8f) returned 0xbe95f0 [0047.045] GetSystemDefaultLangID () returned 0xbd0409 [0047.045] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.045] ReadFile (in: hFile=0x264, lpBuffer=0xbe95f0, nNumberOfBytesToRead=0x1d8f, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbe95f0*, lpNumberOfBytesRead=0x25bee3c*=0x1d8f, lpOverlapped=0x0) returned 1 [0047.046] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.046] WriteFile (in: hFile=0x264, lpBuffer=0xbe95f0*, nNumberOfBytesToWrite=0x1d8f, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbe95f0*, lpNumberOfBytesWritten=0x25bee30*=0x1d8f, lpOverlapped=0x0) returned 1 [0047.046] GetProcessHeap () returned 0xbc0000 [0047.046] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe95f0 | out: hHeap=0xbc0000) returned 1 [0047.046] CloseHandle (hObject=0x264) returned 1 [0047.047] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.047] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.047] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0047.047] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0047.047] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0047.047] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1025\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1025\\eula.rtf.nefilim")) returned 1 [0047.050] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.050] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.050] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x121e6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0047.050] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0047.050] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0047.050] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0047.050] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0047.050] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0047.050] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0047.050] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0047.050] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0047.050] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0047.050] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0047.050] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0047.050] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0047.050] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0047.051] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0047.051] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0047.051] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0047.051] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0047.051] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0047.051] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0047.051] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0047.051] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0047.051] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0047.051] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0047.051] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0047.051] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0047.051] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0047.051] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0047.051] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0047.051] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.051] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.051] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.052] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=74214) returned 1 [0047.052] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0047.052] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0047.052] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0047.052] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0047.052] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.052] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.052] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.053] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.053] GetTickCount () returned 0x114d3fb [0047.053] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0047.053] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0047.053] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x121e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.053] SetLastError (dwErrCode=0x0) [0047.053] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.055] GetLastError () returned 0x0 [0047.055] GetLastError () returned 0x0 [0047.055] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x122e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.055] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.055] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x123e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.055] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1709c79e, dwHighDateTime=0x1d5f971)) [0047.055] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0047.055] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0047.055] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.055] GetProcessHeap () returned 0xbc0000 [0047.055] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x121e6) returned 0xbe95f0 [0047.055] GetSystemDefaultLangID () returned 0xbd0409 [0047.055] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.055] ReadFile (in: hFile=0x264, lpBuffer=0xbe95f0, nNumberOfBytesToRead=0x121e6, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbe95f0*, lpNumberOfBytesRead=0x25bee3c*=0x121e6, lpOverlapped=0x0) returned 1 [0047.061] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.061] WriteFile (in: hFile=0x264, lpBuffer=0xbe95f0*, nNumberOfBytesToWrite=0x121e6, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbe95f0*, lpNumberOfBytesWritten=0x25bee30*=0x121e6, lpOverlapped=0x0) returned 1 [0047.061] GetProcessHeap () returned 0xbc0000 [0047.061] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe95f0 | out: hHeap=0xbc0000) returned 1 [0047.061] CloseHandle (hObject=0x264) returned 1 [0047.063] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.063] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.063] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0047.063] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0047.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0047.063] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1025\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1025\\localizeddata.xml.nefilim")) returned 1 [0047.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.065] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0047.065] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0047.066] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0047.066] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0047.066] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0047.066] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.066] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.066] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0047.066] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0047.066] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0047.066] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0047.066] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0047.066] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0047.066] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0047.066] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0047.066] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0047.066] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0047.066] FindClose (in: hFindFile=0xbe2988 | out: hFindFile=0xbe2988) returned 1 [0047.067] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.067] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0047.067] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0047.067] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1028", cAlternateFileName="")) returned 1 [0047.067] lstrcmpiW (lpString1="1028", lpString2=".") returned 1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="..") returned 1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="...") returned 1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="windows") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="$RECYCLE.BIN") returned 1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="rsa") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="NTDETECT.COM") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="ntldr") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="MSDOS.SYS") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="IO.SYS") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="boot.ini") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="AUTOEXEC.BAT") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="ntuser.dat") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="desktop.ini") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="CONFIG.SYS") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="RECYCLER") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="BOOTSECT.BAK") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="bootmgr") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="programdata") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="appdata") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="program files") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="program files (x86)") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="microsoft") returned -1 [0047.067] lstrcmpiW (lpString1="1028", lpString2="sophos") returned -1 [0047.067] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0047.067] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0047.067] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0047.067] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0047.067] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.067] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1028\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2988 [0047.068] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.068] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.069] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.069] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.069] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0047.069] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0047.069] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0047.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.069] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0047.069] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0047.070] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0047.070] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0047.070] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0047.070] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0047.070] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0047.070] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.070] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.070] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0047.070] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0047.070] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0047.070] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0047.070] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0047.070] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0047.070] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0047.070] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.070] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0047.070] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.070] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=6309) returned 1 [0047.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0047.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0047.070] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0047.070] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0047.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.070] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.071] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.071] GetTickCount () returned 0x114d40a [0047.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0047.071] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.071] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x18a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.071] SetLastError (dwErrCode=0x0) [0047.071] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.075] GetLastError () returned 0x0 [0047.075] GetLastError () returned 0x0 [0047.075] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x19a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.075] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.075] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1aa5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.075] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x170c2c5e, dwHighDateTime=0x1d5f971)) [0047.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.075] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.075] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.075] GetProcessHeap () returned 0xbc0000 [0047.075] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x18a5) returned 0xbe95f0 [0047.075] GetSystemDefaultLangID () returned 0xbd0409 [0047.075] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.075] ReadFile (in: hFile=0x264, lpBuffer=0xbe95f0, nNumberOfBytesToRead=0x18a5, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbe95f0*, lpNumberOfBytesRead=0x25bee3c*=0x18a5, lpOverlapped=0x0) returned 1 [0047.076] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.076] WriteFile (in: hFile=0x264, lpBuffer=0xbe95f0*, nNumberOfBytesToWrite=0x18a5, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbe95f0*, lpNumberOfBytesWritten=0x25bee30*=0x18a5, lpOverlapped=0x0) returned 1 [0047.077] GetProcessHeap () returned 0xbc0000 [0047.077] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe95f0 | out: hHeap=0xbc0000) returned 1 [0047.077] CloseHandle (hObject=0x264) returned 1 [0047.077] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.077] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.077] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0047.077] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0047.078] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0047.078] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1028\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1028\\eula.rtf.nefilim")) returned 1 [0047.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.081] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0047.081] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0047.081] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0047.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0047.081] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0047.081] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0047.081] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0047.081] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0047.081] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0047.082] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0047.082] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0047.082] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0047.082] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0047.082] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0047.082] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0047.082] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0047.082] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0047.082] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0047.082] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0047.082] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0047.082] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0047.082] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.082] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.083] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=60816) returned 1 [0047.083] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0047.083] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0047.083] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0047.083] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0047.083] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.083] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.084] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.084] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.084] GetTickCount () returned 0x114d41a [0047.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0047.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0047.084] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xed90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.084] SetLastError (dwErrCode=0x0) [0047.084] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.086] GetLastError () returned 0x0 [0047.086] GetLastError () returned 0x0 [0047.086] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xee90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.086] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.086] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xef90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.086] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x170e8c00, dwHighDateTime=0x1d5f971)) [0047.087] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0047.087] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0047.087] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.087] GetProcessHeap () returned 0xbc0000 [0047.087] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xed90) returned 0xbe95f0 [0047.087] GetSystemDefaultLangID () returned 0xbd0409 [0047.087] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.087] ReadFile (in: hFile=0x264, lpBuffer=0xbe95f0, nNumberOfBytesToRead=0xed90, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbe95f0*, lpNumberOfBytesRead=0x25bee3c*=0xed90, lpOverlapped=0x0) returned 1 [0047.092] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.092] WriteFile (in: hFile=0x264, lpBuffer=0xbe95f0*, nNumberOfBytesToWrite=0xed90, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbe95f0*, lpNumberOfBytesWritten=0x25bee30*=0xed90, lpOverlapped=0x0) returned 1 [0047.092] GetProcessHeap () returned 0xbc0000 [0047.092] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe95f0 | out: hHeap=0xbc0000) returned 1 [0047.092] CloseHandle (hObject=0x264) returned 1 [0047.094] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.094] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.094] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0047.094] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0047.094] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0047.094] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1028\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1028\\localizeddata.xml.nefilim")) returned 1 [0047.094] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.094] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.094] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0047.094] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0047.094] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0047.094] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0047.095] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0047.096] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.096] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.096] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0047.096] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0047.096] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0047.096] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0047.096] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0047.096] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0047.096] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0047.096] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0047.096] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0047.096] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0047.096] FindClose (in: hFindFile=0xbe2988 | out: hFindFile=0xbe2988) returned 1 [0047.096] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.096] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0047.096] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0047.096] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1029", cAlternateFileName="")) returned 1 [0047.096] lstrcmpiW (lpString1="1029", lpString2=".") returned 1 [0047.096] lstrcmpiW (lpString1="1029", lpString2="..") returned 1 [0047.096] lstrcmpiW (lpString1="1029", lpString2="...") returned 1 [0047.096] lstrcmpiW (lpString1="1029", lpString2="windows") returned -1 [0047.096] lstrcmpiW (lpString1="1029", lpString2="$RECYCLE.BIN") returned 1 [0047.096] lstrcmpiW (lpString1="1029", lpString2="rsa") returned -1 [0047.096] lstrcmpiW (lpString1="1029", lpString2="NTDETECT.COM") returned -1 [0047.096] lstrcmpiW (lpString1="1029", lpString2="ntldr") returned -1 [0047.096] lstrcmpiW (lpString1="1029", lpString2="MSDOS.SYS") returned -1 [0047.096] lstrcmpiW (lpString1="1029", lpString2="IO.SYS") returned -1 [0047.096] lstrcmpiW (lpString1="1029", lpString2="boot.ini") returned -1 [0047.096] lstrcmpiW (lpString1="1029", lpString2="AUTOEXEC.BAT") returned -1 [0047.096] lstrcmpiW (lpString1="1029", lpString2="ntuser.dat") returned -1 [0047.096] lstrcmpiW (lpString1="1029", lpString2="desktop.ini") returned -1 [0047.096] lstrcmpiW (lpString1="1029", lpString2="CONFIG.SYS") returned -1 [0047.096] lstrcmpiW (lpString1="1029", lpString2="RECYCLER") returned -1 [0047.097] lstrcmpiW (lpString1="1029", lpString2="BOOTSECT.BAK") returned -1 [0047.097] lstrcmpiW (lpString1="1029", lpString2="bootmgr") returned -1 [0047.097] lstrcmpiW (lpString1="1029", lpString2="programdata") returned -1 [0047.097] lstrcmpiW (lpString1="1029", lpString2="appdata") returned -1 [0047.097] lstrcmpiW (lpString1="1029", lpString2="program files") returned -1 [0047.097] lstrcmpiW (lpString1="1029", lpString2="program files (x86)") returned -1 [0047.097] lstrcmpiW (lpString1="1029", lpString2="microsoft") returned -1 [0047.097] lstrcmpiW (lpString1="1029", lpString2="sophos") returned -1 [0047.097] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0047.097] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0047.097] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0047.097] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0047.097] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.097] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1029\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2348 [0047.098] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.098] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.098] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.098] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.098] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe8e, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0047.098] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0047.098] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0047.098] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0047.098] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0047.098] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0047.098] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0047.099] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0047.099] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0047.099] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.099] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0047.099] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0047.099] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0047.099] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0047.099] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0047.099] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0047.099] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0047.099] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.099] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.099] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0047.099] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0047.099] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0047.099] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0047.099] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0047.099] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0047.099] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0047.100] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.100] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.100] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0047.100] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.101] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=3726) returned 1 [0047.101] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0047.101] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0047.101] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0047.101] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0047.101] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.101] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.101] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.102] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.102] GetTickCount () returned 0x114d42a [0047.102] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0047.102] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.102] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xe8e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.103] SetLastError (dwErrCode=0x0) [0047.103] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.104] GetLastError () returned 0x0 [0047.104] GetLastError () returned 0x0 [0047.104] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xf8e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.105] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.105] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x108e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.105] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1710ef4c, dwHighDateTime=0x1d5f971)) [0047.105] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.105] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.105] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.105] GetProcessHeap () returned 0xbc0000 [0047.105] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xe8e) returned 0xbea5f8 [0047.105] GetSystemDefaultLangID () returned 0xbd0409 [0047.105] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.105] ReadFile (in: hFile=0x264, lpBuffer=0xbea5f8, nNumberOfBytesToRead=0xe8e, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbea5f8*, lpNumberOfBytesRead=0x25bee3c*=0xe8e, lpOverlapped=0x0) returned 1 [0047.105] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.105] WriteFile (in: hFile=0x264, lpBuffer=0xbea5f8*, nNumberOfBytesToWrite=0xe8e, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbea5f8*, lpNumberOfBytesWritten=0x25bee30*=0xe8e, lpOverlapped=0x0) returned 1 [0047.105] GetProcessHeap () returned 0xbc0000 [0047.105] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbea5f8 | out: hHeap=0xbc0000) returned 1 [0047.105] CloseHandle (hObject=0x264) returned 1 [0047.106] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.106] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.106] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0047.106] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0047.106] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0047.106] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1029\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1029\\eula.rtf.nefilim")) returned 1 [0047.109] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.109] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.109] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13c4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0047.109] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0047.110] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0047.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0047.110] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0047.110] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0047.110] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0047.110] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.110] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.110] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=80970) returned 1 [0047.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0047.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0047.110] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0047.111] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0047.111] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.111] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.111] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.111] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.111] GetTickCount () returned 0x114d439 [0047.111] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0047.111] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0047.111] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13c4a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.111] SetLastError (dwErrCode=0x0) [0047.111] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.113] GetLastError () returned 0x0 [0047.113] GetLastError () returned 0x0 [0047.113] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13d4a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.113] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.114] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13e4a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.114] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17135451, dwHighDateTime=0x1d5f971)) [0047.114] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0047.114] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0047.114] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.114] GetProcessHeap () returned 0xbc0000 [0047.114] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x13c4a) returned 0xbea5f8 [0047.114] GetSystemDefaultLangID () returned 0xbd0409 [0047.114] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.114] ReadFile (in: hFile=0x264, lpBuffer=0xbea5f8, nNumberOfBytesToRead=0x13c4a, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbea5f8*, lpNumberOfBytesRead=0x25bee3c*=0x13c4a, lpOverlapped=0x0) returned 1 [0047.119] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.119] WriteFile (in: hFile=0x264, lpBuffer=0xbea5f8*, nNumberOfBytesToWrite=0x13c4a, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbea5f8*, lpNumberOfBytesWritten=0x25bee30*=0x13c4a, lpOverlapped=0x0) returned 1 [0047.120] GetProcessHeap () returned 0xbc0000 [0047.120] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbea5f8 | out: hHeap=0xbc0000) returned 1 [0047.120] CloseHandle (hObject=0x264) returned 1 [0047.122] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.122] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.122] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0047.122] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0047.122] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0047.122] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1029\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1029\\localizeddata.xml.nefilim")) returned 1 [0047.122] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.122] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.122] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0047.122] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0047.122] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0047.122] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0047.122] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0047.122] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0047.122] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0047.122] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0047.122] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0047.122] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0047.122] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0047.123] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0047.123] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0047.123] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0047.123] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0047.123] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0047.123] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0047.123] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0047.123] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0047.123] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0047.123] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0047.123] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0047.123] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0047.123] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0047.123] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0047.123] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.123] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.123] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0047.123] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0047.123] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0047.123] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0047.123] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0047.123] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0047.123] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0047.123] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0047.123] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0047.123] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0047.124] FindClose (in: hFindFile=0xbe2348 | out: hFindFile=0xbe2348) returned 1 [0047.124] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.124] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0047.124] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0047.124] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1030", cAlternateFileName="")) returned 1 [0047.124] lstrcmpiW (lpString1="1030", lpString2=".") returned 1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="..") returned 1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="...") returned 1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="windows") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="$RECYCLE.BIN") returned 1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="rsa") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="NTDETECT.COM") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="ntldr") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="MSDOS.SYS") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="IO.SYS") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="boot.ini") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="AUTOEXEC.BAT") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="ntuser.dat") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="desktop.ini") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="CONFIG.SYS") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="RECYCLER") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="BOOTSECT.BAK") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="bootmgr") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="programdata") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="appdata") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="program files") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="program files (x86)") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="microsoft") returned -1 [0047.124] lstrcmpiW (lpString1="1030", lpString2="sophos") returned -1 [0047.124] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0047.124] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0047.124] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0047.124] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0047.125] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.125] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1030\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2408 [0047.169] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.169] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.177] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.177] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.177] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xcf2, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0047.178] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0047.178] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0047.178] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0047.178] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0047.178] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0047.178] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0047.178] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0047.178] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0047.178] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0047.179] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0047.179] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0047.179] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0047.179] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0047.179] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0047.179] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0047.180] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0047.180] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0047.180] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0047.180] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0047.180] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0047.186] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0047.194] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0047.194] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0047.194] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0047.205] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0047.205] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.205] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0047.205] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0047.205] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0047.205] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0047.205] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0047.205] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0047.205] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0047.205] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.205] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.205] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0047.205] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0047.206] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0047.206] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0047.206] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0047.207] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0047.207] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0047.207] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.207] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.207] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0047.207] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.208] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=3314) returned 1 [0047.208] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0047.208] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0047.208] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0047.208] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0047.208] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.208] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.208] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.212] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.216] GetTickCount () returned 0x114d497 [0047.216] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0047.216] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.216] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xcf2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.216] SetLastError (dwErrCode=0x0) [0047.216] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.228] GetLastError () returned 0x0 [0047.228] GetLastError () returned 0x0 [0047.228] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xdf2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.228] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.228] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xef2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.228] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x172400fa, dwHighDateTime=0x1d5f971)) [0047.228] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.228] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.228] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.228] GetProcessHeap () returned 0xbc0000 [0047.228] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xcf2) returned 0xbea5f8 [0047.228] GetSystemDefaultLangID () returned 0xbd0409 [0047.228] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.228] ReadFile (in: hFile=0x264, lpBuffer=0xbea5f8, nNumberOfBytesToRead=0xcf2, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbea5f8*, lpNumberOfBytesRead=0x25bee3c*=0xcf2, lpOverlapped=0x0) returned 1 [0047.229] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.229] WriteFile (in: hFile=0x264, lpBuffer=0xbea5f8*, nNumberOfBytesToWrite=0xcf2, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbea5f8*, lpNumberOfBytesWritten=0x25bee30*=0xcf2, lpOverlapped=0x0) returned 1 [0047.229] GetProcessHeap () returned 0xbc0000 [0047.229] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbea5f8 | out: hHeap=0xbc0000) returned 1 [0047.229] CloseHandle (hObject=0x264) returned 1 [0047.230] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.230] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.230] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0047.230] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0047.230] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0047.230] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1030\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1030\\eula.rtf.nefilim")) returned 1 [0047.232] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.232] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.232] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12fb4, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0047.232] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0047.232] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0047.233] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0047.233] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0047.233] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0047.233] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.233] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.233] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=77748) returned 1 [0047.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0047.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0047.233] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0047.233] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0047.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.233] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.234] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.234] GetTickCount () returned 0x114d4a7 [0047.234] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0047.234] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0047.234] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12fb4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.234] SetLastError (dwErrCode=0x0) [0047.234] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.237] GetLastError () returned 0x0 [0047.237] GetLastError () returned 0x0 [0047.237] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x130b4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.237] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.237] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x131b4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.237] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17266359, dwHighDateTime=0x1d5f971)) [0047.237] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0047.237] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0047.237] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.237] GetProcessHeap () returned 0xbc0000 [0047.237] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x12fb4) returned 0xbea5f8 [0047.237] GetSystemDefaultLangID () returned 0xbd0409 [0047.237] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.237] ReadFile (in: hFile=0x264, lpBuffer=0xbea5f8, nNumberOfBytesToRead=0x12fb4, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbea5f8*, lpNumberOfBytesRead=0x25bee3c*=0x12fb4, lpOverlapped=0x0) returned 1 [0047.246] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.246] WriteFile (in: hFile=0x264, lpBuffer=0xbea5f8*, nNumberOfBytesToWrite=0x12fb4, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbea5f8*, lpNumberOfBytesWritten=0x25bee30*=0x12fb4, lpOverlapped=0x0) returned 1 [0047.247] GetProcessHeap () returned 0xbc0000 [0047.247] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbea5f8 | out: hHeap=0xbc0000) returned 1 [0047.247] CloseHandle (hObject=0x264) returned 1 [0047.248] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.248] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.249] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0047.249] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0047.249] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0047.249] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1030\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1030\\localizeddata.xml.nefilim")) returned 1 [0047.249] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.249] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.249] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0047.249] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0047.249] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0047.249] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0047.249] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0047.249] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0047.249] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0047.249] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0047.249] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0047.249] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0047.249] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0047.249] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0047.250] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0047.250] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0047.250] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0047.250] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0047.250] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0047.250] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0047.250] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0047.250] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0047.250] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0047.250] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0047.250] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0047.250] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0047.250] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0047.250] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.250] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.250] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0047.250] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0047.250] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0047.250] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0047.250] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0047.250] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0047.250] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0047.250] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0047.250] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0047.250] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0047.250] FindClose (in: hFindFile=0xbe2408 | out: hFindFile=0xbe2408) returned 1 [0047.250] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.250] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0047.250] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0047.250] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1031", cAlternateFileName="")) returned 1 [0047.250] lstrcmpiW (lpString1="1031", lpString2=".") returned 1 [0047.250] lstrcmpiW (lpString1="1031", lpString2="..") returned 1 [0047.250] lstrcmpiW (lpString1="1031", lpString2="...") returned 1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="windows") returned -1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="$RECYCLE.BIN") returned 1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="rsa") returned -1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="NTDETECT.COM") returned -1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="ntldr") returned -1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="MSDOS.SYS") returned -1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="IO.SYS") returned -1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="boot.ini") returned -1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="AUTOEXEC.BAT") returned -1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="ntuser.dat") returned -1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="desktop.ini") returned -1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="CONFIG.SYS") returned -1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="RECYCLER") returned -1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="BOOTSECT.BAK") returned -1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="bootmgr") returned -1 [0047.251] lstrcmpiW (lpString1="1031", lpString2="programdata") returned -1 [0047.252] lstrcmpiW (lpString1="1031", lpString2="appdata") returned -1 [0047.252] lstrcmpiW (lpString1="1031", lpString2="program files") returned -1 [0047.252] lstrcmpiW (lpString1="1031", lpString2="program files (x86)") returned -1 [0047.252] lstrcmpiW (lpString1="1031", lpString2="microsoft") returned -1 [0047.252] lstrcmpiW (lpString1="1031", lpString2="sophos") returned -1 [0047.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0047.252] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0047.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0047.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0047.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.252] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1031\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0047.252] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.252] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.253] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.253] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.253] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd5b, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0047.253] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0047.253] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0047.253] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.253] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0047.253] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0047.253] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0047.253] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0047.253] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0047.253] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0047.254] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0047.254] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.254] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.254] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0047.254] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0047.254] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0047.254] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0047.254] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0047.254] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0047.254] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0047.254] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.254] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.254] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0047.254] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.254] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=3419) returned 1 [0047.254] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0047.254] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0047.254] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0047.254] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0047.254] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.254] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.254] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.255] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.256] GetTickCount () returned 0x114d4c6 [0047.256] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0047.256] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.256] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xd5b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.256] SetLastError (dwErrCode=0x0) [0047.256] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.258] GetLastError () returned 0x0 [0047.258] GetLastError () returned 0x0 [0047.258] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xe5b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.258] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.258] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xf5b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.258] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1728c73f, dwHighDateTime=0x1d5f971)) [0047.258] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.258] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.258] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.258] GetProcessHeap () returned 0xbc0000 [0047.258] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xd5b) returned 0xbea5f8 [0047.258] GetSystemDefaultLangID () returned 0xbd0409 [0047.258] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.258] ReadFile (in: hFile=0x264, lpBuffer=0xbea5f8, nNumberOfBytesToRead=0xd5b, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbea5f8*, lpNumberOfBytesRead=0x25bee3c*=0xd5b, lpOverlapped=0x0) returned 1 [0047.259] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.259] WriteFile (in: hFile=0x264, lpBuffer=0xbea5f8*, nNumberOfBytesToWrite=0xd5b, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbea5f8*, lpNumberOfBytesWritten=0x25bee30*=0xd5b, lpOverlapped=0x0) returned 1 [0047.259] GetProcessHeap () returned 0xbc0000 [0047.259] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbea5f8 | out: hHeap=0xbc0000) returned 1 [0047.259] CloseHandle (hObject=0x264) returned 1 [0047.260] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.260] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.260] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0047.260] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0047.260] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0047.260] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1031\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1031\\eula.rtf.nefilim")) returned 1 [0047.354] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.354] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.354] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0047.354] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0047.354] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0047.355] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0047.355] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0047.355] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0047.355] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0047.355] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0047.355] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0047.355] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0047.355] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0047.355] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0047.355] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0047.355] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0047.355] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0047.355] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0047.355] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0047.356] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0047.356] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0047.356] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0047.356] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0047.356] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0047.356] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0047.356] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.356] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.356] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.356] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=82346) returned 1 [0047.356] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0047.356] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0047.356] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0047.356] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0047.357] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.357] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.357] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.357] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.357] GetTickCount () returned 0x114d524 [0047.357] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0047.357] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0047.357] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x141aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.357] SetLastError (dwErrCode=0x0) [0047.357] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.359] GetLastError () returned 0x0 [0047.359] GetLastError () returned 0x0 [0047.360] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x142aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.360] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.360] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x143aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.360] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1737141a, dwHighDateTime=0x1d5f971)) [0047.360] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0047.360] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0047.360] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.360] GetProcessHeap () returned 0xbc0000 [0047.360] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x141aa) returned 0xbea5f8 [0047.360] GetSystemDefaultLangID () returned 0xbd0409 [0047.360] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.360] ReadFile (in: hFile=0x264, lpBuffer=0xbea5f8, nNumberOfBytesToRead=0x141aa, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbea5f8*, lpNumberOfBytesRead=0x25bee3c*=0x141aa, lpOverlapped=0x0) returned 1 [0047.369] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.369] WriteFile (in: hFile=0x264, lpBuffer=0xbea5f8*, nNumberOfBytesToWrite=0x141aa, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbea5f8*, lpNumberOfBytesWritten=0x25bee30*=0x141aa, lpOverlapped=0x0) returned 1 [0047.369] GetProcessHeap () returned 0xbc0000 [0047.369] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbea5f8 | out: hHeap=0xbc0000) returned 1 [0047.369] CloseHandle (hObject=0x264) returned 1 [0047.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0047.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0047.372] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0047.372] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1031\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1031\\localizeddata.xml.nefilim")) returned 1 [0047.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.372] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0047.373] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0047.373] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.373] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.373] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0047.373] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0047.373] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0047.373] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0047.373] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0047.373] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0047.373] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0047.373] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0047.373] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0047.374] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0047.374] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0047.374] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.374] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0047.374] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0047.374] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1032", cAlternateFileName="")) returned 1 [0047.374] lstrcmpiW (lpString1="1032", lpString2=".") returned 1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="..") returned 1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="...") returned 1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="windows") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="$RECYCLE.BIN") returned 1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="rsa") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="NTDETECT.COM") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="ntldr") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="MSDOS.SYS") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="IO.SYS") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="boot.ini") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="AUTOEXEC.BAT") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="ntuser.dat") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="desktop.ini") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="CONFIG.SYS") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="RECYCLER") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="BOOTSECT.BAK") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="bootmgr") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="programdata") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="appdata") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="program files") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="program files (x86)") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="microsoft") returned -1 [0047.374] lstrcmpiW (lpString1="1032", lpString2="sophos") returned -1 [0047.374] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0047.375] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0047.375] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0047.375] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0047.375] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.375] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1032\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2b08 [0047.377] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.377] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.377] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.377] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.377] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x22ac, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0047.377] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0047.377] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0047.377] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0047.377] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0047.377] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0047.377] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0047.377] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0047.378] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0047.378] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0047.378] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.378] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0047.378] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0047.378] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0047.378] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0047.378] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0047.378] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0047.378] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0047.378] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.378] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.378] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0047.378] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0047.378] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0047.378] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0047.378] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0047.378] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0047.378] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0047.379] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.379] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.379] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0047.379] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.379] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=8876) returned 1 [0047.379] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0047.379] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0047.379] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0047.379] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0047.379] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.379] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.379] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.380] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.381] GetTickCount () returned 0x114d543 [0047.381] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0047.381] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.381] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x22ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.381] SetLastError (dwErrCode=0x0) [0047.381] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.383] GetLastError () returned 0x0 [0047.383] GetLastError () returned 0x0 [0047.383] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x23ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.383] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.383] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x24ac, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.383] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x173bd95c, dwHighDateTime=0x1d5f971)) [0047.383] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.383] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.383] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.383] GetProcessHeap () returned 0xbc0000 [0047.383] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x22ac) returned 0xbea5f8 [0047.383] GetSystemDefaultLangID () returned 0xbd0409 [0047.383] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.384] ReadFile (in: hFile=0x264, lpBuffer=0xbea5f8, nNumberOfBytesToRead=0x22ac, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbea5f8*, lpNumberOfBytesRead=0x25bee3c*=0x22ac, lpOverlapped=0x0) returned 1 [0047.385] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.385] WriteFile (in: hFile=0x264, lpBuffer=0xbea5f8*, nNumberOfBytesToWrite=0x22ac, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbea5f8*, lpNumberOfBytesWritten=0x25bee30*=0x22ac, lpOverlapped=0x0) returned 1 [0047.385] GetProcessHeap () returned 0xbc0000 [0047.385] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbea5f8 | out: hHeap=0xbc0000) returned 1 [0047.385] CloseHandle (hObject=0x264) returned 1 [0047.386] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.386] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.386] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0047.386] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0047.386] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0047.386] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1032\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1032\\eula.rtf.nefilim")) returned 1 [0047.396] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.396] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.396] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1510c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0047.396] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0047.396] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0047.396] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0047.396] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0047.396] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0047.396] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0047.396] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0047.396] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0047.397] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0047.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0047.397] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0047.397] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0047.397] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.398] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.398] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.398] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=86284) returned 1 [0047.398] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0047.398] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0047.398] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0047.398] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0047.398] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.398] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.398] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.398] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.398] GetTickCount () returned 0x114d552 [0047.398] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0047.398] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0047.399] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1510c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.399] SetLastError (dwErrCode=0x0) [0047.399] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.402] GetLastError () returned 0x0 [0047.402] GetLastError () returned 0x0 [0047.402] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1520c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.402] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.402] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1530c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.402] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x173e3b60, dwHighDateTime=0x1d5f971)) [0047.402] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0047.402] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0047.402] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.402] GetProcessHeap () returned 0xbc0000 [0047.402] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1510c) returned 0xbeae00 [0047.402] GetSystemDefaultLangID () returned 0xbd0409 [0047.402] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.402] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x1510c, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x1510c, lpOverlapped=0x0) returned 1 [0047.410] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.410] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x1510c, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x1510c, lpOverlapped=0x0) returned 1 [0047.410] GetProcessHeap () returned 0xbc0000 [0047.410] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0047.410] CloseHandle (hObject=0x264) returned 1 [0047.415] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.415] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.415] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0047.415] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0047.415] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0047.415] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1032\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1032\\localizeddata.xml.nefilim")) returned 1 [0047.415] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.415] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.415] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0047.415] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0047.415] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0047.415] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0047.415] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0047.415] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0047.415] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0047.415] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0047.416] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0047.416] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.416] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.416] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0047.416] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0047.416] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0047.416] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0047.416] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0047.416] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0047.416] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0047.416] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0047.416] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0047.416] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0047.416] FindClose (in: hFindFile=0xbe2b08 | out: hFindFile=0xbe2b08) returned 1 [0047.416] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.416] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0047.416] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0047.417] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1033", cAlternateFileName="")) returned 1 [0047.417] lstrcmpiW (lpString1="1033", lpString2=".") returned 1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="..") returned 1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="...") returned 1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="windows") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="$RECYCLE.BIN") returned 1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="rsa") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="NTDETECT.COM") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="ntldr") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="MSDOS.SYS") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="IO.SYS") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="boot.ini") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="AUTOEXEC.BAT") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="ntuser.dat") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="desktop.ini") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="CONFIG.SYS") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="RECYCLER") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="BOOTSECT.BAK") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="bootmgr") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="programdata") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="appdata") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="program files") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="program files (x86)") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="microsoft") returned -1 [0047.417] lstrcmpiW (lpString1="1033", lpString2="sophos") returned -1 [0047.417] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0047.417] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0047.417] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0047.417] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0047.417] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.417] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1033\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2988 [0047.420] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.420] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.420] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.420] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.420] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd723cc00, ftCreationTime.dwHighDateTime=0x1cabb47, ftLastAccessTime.dwLowDateTime=0xd723cc00, ftLastAccessTime.dwHighDateTime=0x1cabb47, ftLastWriteTime.dwLowDateTime=0xd723cc00, ftLastWriteTime.dwHighDateTime=0x1cabb47, nFileSizeHigh=0x0, nFileSizeLow=0xc74, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0047.420] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0047.421] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0047.421] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0047.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0047.421] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.421] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0047.421] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.421] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0047.421] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.421] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=3188) returned 1 [0047.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0047.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0047.422] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0047.422] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0047.422] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.422] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.422] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.422] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.423] GetTickCount () returned 0x114d572 [0047.423] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0047.423] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.424] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xc74, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.424] SetLastError (dwErrCode=0x0) [0047.424] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.428] GetLastError () returned 0x0 [0047.428] GetLastError () returned 0x0 [0047.428] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xd74, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.428] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.428] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xe74, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.428] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1743002e, dwHighDateTime=0x1d5f971)) [0047.428] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.428] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.428] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.428] GetProcessHeap () returned 0xbc0000 [0047.428] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xc74) returned 0xbeae00 [0047.428] GetSystemDefaultLangID () returned 0xbd0409 [0047.428] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.428] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0xc74, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0xc74, lpOverlapped=0x0) returned 1 [0047.428] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.428] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0xc74, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0xc74, lpOverlapped=0x0) returned 1 [0047.428] GetProcessHeap () returned 0xbc0000 [0047.428] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0047.428] CloseHandle (hObject=0x264) returned 1 [0047.429] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.429] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.429] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0047.429] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0047.429] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0047.429] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1033\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1033\\eula.rtf.nefilim")) returned 1 [0047.432] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.432] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.432] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x47ad1a00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x47ad1a00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x47ad1a00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12db0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0047.432] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0047.433] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0047.433] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0047.433] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0047.433] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0047.433] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0047.433] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0047.433] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0047.433] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0047.433] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0047.433] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0047.433] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.433] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.433] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.434] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=77232) returned 1 [0047.435] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0047.435] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0047.435] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0047.435] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0047.435] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.435] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.435] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.435] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.435] GetTickCount () returned 0x114d572 [0047.435] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0047.435] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0047.435] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12db0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.435] SetLastError (dwErrCode=0x0) [0047.435] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.437] GetLastError () returned 0x0 [0047.437] GetLastError () returned 0x0 [0047.437] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.438] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.438] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12fb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.438] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1743002e, dwHighDateTime=0x1d5f971)) [0047.438] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0047.438] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0047.438] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.438] GetProcessHeap () returned 0xbc0000 [0047.438] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x12db0) returned 0xbeae00 [0047.438] GetSystemDefaultLangID () returned 0xbd0409 [0047.438] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.438] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x12db0, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x12db0, lpOverlapped=0x0) returned 1 [0047.538] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.538] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x12db0, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x12db0, lpOverlapped=0x0) returned 1 [0047.538] GetProcessHeap () returned 0xbc0000 [0047.539] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0047.539] CloseHandle (hObject=0x264) returned 1 [0047.541] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.541] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.541] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0047.541] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0047.541] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0047.541] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1033\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1033\\localizeddata.xml.nefilim")) returned 1 [0047.541] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.541] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.541] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0047.541] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0047.541] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0047.541] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0047.541] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0047.542] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0047.542] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.542] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.542] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0047.542] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0047.542] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0047.542] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0047.542] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0047.542] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0047.542] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0047.542] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0047.542] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0047.542] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4358, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0047.543] FindClose (in: hFindFile=0xbe2988 | out: hFindFile=0xbe2988) returned 1 [0047.543] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.543] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0047.543] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0047.543] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1035", cAlternateFileName="")) returned 1 [0047.543] lstrcmpiW (lpString1="1035", lpString2=".") returned 1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="..") returned 1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="...") returned 1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="windows") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="$RECYCLE.BIN") returned 1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="rsa") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="NTDETECT.COM") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="ntldr") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="MSDOS.SYS") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="IO.SYS") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="boot.ini") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="AUTOEXEC.BAT") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="ntuser.dat") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="desktop.ini") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="CONFIG.SYS") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="RECYCLER") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="BOOTSECT.BAK") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="bootmgr") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="programdata") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="appdata") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="program files") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="program files (x86)") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="microsoft") returned -1 [0047.543] lstrcmpiW (lpString1="1035", lpString2="sophos") returned -1 [0047.543] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0047.543] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0047.543] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0047.543] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0047.544] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.544] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1035\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe24c8 [0047.544] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.544] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.544] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.544] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.544] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe76, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0047.544] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0047.545] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0047.545] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0047.545] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0047.545] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.545] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0047.545] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.545] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.545] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0047.545] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.545] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=3702) returned 1 [0047.545] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0047.545] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0047.545] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0047.545] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0047.546] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.546] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.546] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.546] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.549] GetTickCount () returned 0x114d5ef [0047.549] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0047.549] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.549] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xe76, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.549] SetLastError (dwErrCode=0x0) [0047.549] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.551] GetLastError () returned 0x0 [0047.551] GetLastError () returned 0x0 [0047.551] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xf76, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.551] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.551] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1076, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.551] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17561351, dwHighDateTime=0x1d5f971)) [0047.551] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.551] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.551] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.551] GetProcessHeap () returned 0xbc0000 [0047.552] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xe76) returned 0xbeae00 [0047.552] GetSystemDefaultLangID () returned 0xbd0409 [0047.552] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.552] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0xe76, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0xe76, lpOverlapped=0x0) returned 1 [0047.552] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.552] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0xe76, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0xe76, lpOverlapped=0x0) returned 1 [0047.552] GetProcessHeap () returned 0xbc0000 [0047.552] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0047.552] CloseHandle (hObject=0x264) returned 1 [0047.553] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.553] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.553] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0047.553] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0047.553] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0047.553] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1035\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1035\\eula.rtf.nefilim")) returned 1 [0047.555] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.555] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.555] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12cde, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0047.555] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0047.555] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0047.555] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0047.555] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0047.555] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0047.556] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0047.556] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0047.556] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0047.556] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0047.556] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0047.556] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0047.556] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0047.556] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0047.556] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0047.556] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0047.556] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0047.556] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0047.556] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0047.556] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0047.557] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0047.557] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0047.557] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0047.557] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0047.557] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0047.557] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0047.557] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.557] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.557] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.557] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=77022) returned 1 [0047.557] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0047.557] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0047.557] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0047.557] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0047.557] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.557] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.557] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.558] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.558] GetTickCount () returned 0x114d5ef [0047.558] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0047.558] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0047.558] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12cde, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.558] SetLastError (dwErrCode=0x0) [0047.558] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.560] GetLastError () returned 0x0 [0047.560] GetLastError () returned 0x0 [0047.560] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12dde, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.560] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.560] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12ede, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.560] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17561351, dwHighDateTime=0x1d5f971)) [0047.560] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0047.560] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0047.560] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.560] GetProcessHeap () returned 0xbc0000 [0047.560] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x12cde) returned 0xbeae00 [0047.560] GetSystemDefaultLangID () returned 0xbd0409 [0047.560] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.560] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x12cde, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x12cde, lpOverlapped=0x0) returned 1 [0047.565] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.565] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x12cde, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x12cde, lpOverlapped=0x0) returned 1 [0047.566] GetProcessHeap () returned 0xbc0000 [0047.566] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0047.566] CloseHandle (hObject=0x264) returned 1 [0047.568] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.568] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.568] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0047.568] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0047.568] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0047.568] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1035\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1035\\localizeddata.xml.nefilim")) returned 1 [0047.568] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.568] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.568] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0047.569] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0047.569] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.569] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.569] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0047.569] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0047.569] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0047.569] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0047.569] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0047.569] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0047.569] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0047.569] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0047.569] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0047.569] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0047.570] FindClose (in: hFindFile=0xbe24c8 | out: hFindFile=0xbe24c8) returned 1 [0047.570] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.570] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0047.570] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0047.570] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1036", cAlternateFileName="")) returned 1 [0047.570] lstrcmpiW (lpString1="1036", lpString2=".") returned 1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="..") returned 1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="...") returned 1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="windows") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="$RECYCLE.BIN") returned 1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="rsa") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="NTDETECT.COM") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="ntldr") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="MSDOS.SYS") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="IO.SYS") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="boot.ini") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="AUTOEXEC.BAT") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="ntuser.dat") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="desktop.ini") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="CONFIG.SYS") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="RECYCLER") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="BOOTSECT.BAK") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="bootmgr") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="programdata") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="appdata") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="program files") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="program files (x86)") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="microsoft") returned -1 [0047.570] lstrcmpiW (lpString1="1036", lpString2="sophos") returned -1 [0047.570] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0047.570] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0047.570] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0047.570] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0047.571] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.571] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1036\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0047.602] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.602] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.602] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.602] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.602] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdc6, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0047.602] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0047.602] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0047.602] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0047.602] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0047.603] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0047.603] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0047.603] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.603] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0047.603] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0047.603] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0047.603] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0047.603] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0047.603] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0047.603] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0047.603] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.603] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.603] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0047.603] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0047.603] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0047.603] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0047.603] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0047.604] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0047.604] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0047.604] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.604] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.604] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0047.604] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.604] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=3526) returned 1 [0047.604] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0047.604] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0047.604] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0047.604] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0047.604] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.604] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.604] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.605] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.606] GetTickCount () returned 0x114d61e [0047.606] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0047.606] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.606] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xdc6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.606] SetLastError (dwErrCode=0x0) [0047.606] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.608] GetLastError () returned 0x0 [0047.608] GetLastError () returned 0x0 [0047.609] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xec6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.609] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.609] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xfc6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.609] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x175d39b1, dwHighDateTime=0x1d5f971)) [0047.609] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.609] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.609] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.609] GetProcessHeap () returned 0xbc0000 [0047.609] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xdc6) returned 0xbeae00 [0047.609] GetSystemDefaultLangID () returned 0xbd0409 [0047.609] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.609] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0xdc6, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0xdc6, lpOverlapped=0x0) returned 1 [0047.609] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.609] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0xdc6, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0xdc6, lpOverlapped=0x0) returned 1 [0047.609] GetProcessHeap () returned 0xbc0000 [0047.609] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0047.609] CloseHandle (hObject=0x264) returned 1 [0047.610] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.610] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.610] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0047.611] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0047.611] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0047.611] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1036\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1036\\eula.rtf.nefilim")) returned 1 [0047.613] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.613] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.613] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x14412, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0047.613] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0047.613] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0047.613] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0047.613] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0047.613] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0047.613] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0047.613] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0047.613] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0047.614] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0047.614] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0047.614] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0047.614] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0047.614] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0047.614] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0047.614] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0047.614] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0047.614] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0047.614] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0047.614] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0047.614] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0047.614] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.614] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.614] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.614] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=82962) returned 1 [0047.614] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0047.614] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0047.614] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0047.614] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0047.614] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.614] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.614] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.615] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.616] GetTickCount () returned 0x114d62d [0047.616] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0047.616] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0047.616] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x14412, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.616] SetLastError (dwErrCode=0x0) [0047.616] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.618] GetLastError () returned 0x0 [0047.618] GetLastError () returned 0x0 [0047.618] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x14512, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.618] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.618] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x14612, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.618] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x175f9efb, dwHighDateTime=0x1d5f971)) [0047.618] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0047.618] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0047.618] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.618] GetProcessHeap () returned 0xbc0000 [0047.618] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x14412) returned 0xbeae00 [0047.618] GetSystemDefaultLangID () returned 0xbd0409 [0047.618] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.618] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x14412, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x14412, lpOverlapped=0x0) returned 1 [0047.624] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.624] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x14412, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x14412, lpOverlapped=0x0) returned 1 [0047.624] GetProcessHeap () returned 0xbc0000 [0047.624] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0047.624] CloseHandle (hObject=0x264) returned 1 [0047.626] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.626] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.626] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0047.626] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0047.626] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0047.626] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1036\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1036\\localizeddata.xml.nefilim")) returned 1 [0047.627] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.627] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.627] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0047.627] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0047.628] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0047.628] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0047.628] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0047.628] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0047.628] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.628] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.628] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0047.628] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0047.628] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0047.628] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0047.628] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0047.628] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0047.628] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0047.628] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0047.628] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0047.628] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0047.628] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0047.628] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.628] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0047.628] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0047.628] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1037", cAlternateFileName="")) returned 1 [0047.628] lstrcmpiW (lpString1="1037", lpString2=".") returned 1 [0047.628] lstrcmpiW (lpString1="1037", lpString2="..") returned 1 [0047.628] lstrcmpiW (lpString1="1037", lpString2="...") returned 1 [0047.628] lstrcmpiW (lpString1="1037", lpString2="windows") returned -1 [0047.628] lstrcmpiW (lpString1="1037", lpString2="$RECYCLE.BIN") returned 1 [0047.628] lstrcmpiW (lpString1="1037", lpString2="rsa") returned -1 [0047.628] lstrcmpiW (lpString1="1037", lpString2="NTDETECT.COM") returned -1 [0047.628] lstrcmpiW (lpString1="1037", lpString2="ntldr") returned -1 [0047.628] lstrcmpiW (lpString1="1037", lpString2="MSDOS.SYS") returned -1 [0047.629] lstrcmpiW (lpString1="1037", lpString2="IO.SYS") returned -1 [0047.629] lstrcmpiW (lpString1="1037", lpString2="boot.ini") returned -1 [0047.629] lstrcmpiW (lpString1="1037", lpString2="AUTOEXEC.BAT") returned -1 [0047.629] lstrcmpiW (lpString1="1037", lpString2="ntuser.dat") returned -1 [0047.629] lstrcmpiW (lpString1="1037", lpString2="desktop.ini") returned -1 [0047.629] lstrcmpiW (lpString1="1037", lpString2="CONFIG.SYS") returned -1 [0047.629] lstrcmpiW (lpString1="1037", lpString2="RECYCLER") returned -1 [0047.629] lstrcmpiW (lpString1="1037", lpString2="BOOTSECT.BAK") returned -1 [0047.629] lstrcmpiW (lpString1="1037", lpString2="bootmgr") returned -1 [0047.629] lstrcmpiW (lpString1="1037", lpString2="programdata") returned -1 [0047.629] lstrcmpiW (lpString1="1037", lpString2="appdata") returned -1 [0047.629] lstrcmpiW (lpString1="1037", lpString2="program files") returned -1 [0047.629] lstrcmpiW (lpString1="1037", lpString2="program files (x86)") returned -1 [0047.629] lstrcmpiW (lpString1="1037", lpString2="microsoft") returned -1 [0047.629] lstrcmpiW (lpString1="1037", lpString2="sophos") returned -1 [0047.629] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0047.629] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0047.629] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0047.629] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0047.629] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.629] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1037\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2648 [0047.629] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0047.629] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0047.629] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0047.629] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0047.629] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x1ac3, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0047.630] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0047.630] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0047.630] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.630] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0047.630] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0047.630] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0047.630] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0047.630] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0047.630] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0047.630] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0047.630] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0047.630] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0047.630] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0047.631] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0047.631] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0047.631] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0047.631] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0047.631] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0047.631] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0047.631] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0047.631] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.631] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0047.631] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.631] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=6851) returned 1 [0047.631] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0047.631] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0047.631] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0047.631] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0047.631] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.631] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.631] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.632] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.633] GetTickCount () returned 0x114d63d [0047.633] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0047.633] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.633] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1ac3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.633] SetLastError (dwErrCode=0x0) [0047.633] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.634] GetLastError () returned 0x0 [0047.634] GetLastError () returned 0x0 [0047.635] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1bc3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.635] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0047.635] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1cc3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.635] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1761ffe2, dwHighDateTime=0x1d5f971)) [0047.635] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0047.635] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0047.635] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0047.635] GetProcessHeap () returned 0xbc0000 [0047.635] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1ac3) returned 0xbeae00 [0047.635] GetSystemDefaultLangID () returned 0xbd0409 [0047.635] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.635] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x1ac3, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x1ac3, lpOverlapped=0x0) returned 1 [0047.636] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.636] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x1ac3, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x1ac3, lpOverlapped=0x0) returned 1 [0047.636] GetProcessHeap () returned 0xbc0000 [0047.636] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0047.636] CloseHandle (hObject=0x264) returned 1 [0047.637] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.637] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0047.637] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0047.637] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0047.637] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0047.637] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1037\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1037\\eula.rtf.nefilim")) returned 1 [0047.677] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0047.677] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0047.677] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1198c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0047.677] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0047.677] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0047.678] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0047.678] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0047.678] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0047.678] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0047.678] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0047.678] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0047.679] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=72076) returned 1 [0047.679] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0047.679] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0047.679] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0047.679] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0047.679] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0047.679] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0047.679] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0047.680] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0047.680] GetTickCount () returned 0x114d66c [0047.680] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0047.680] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0047.680] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1198c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0047.680] SetLastError (dwErrCode=0x0) [0047.680] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.101] GetLastError () returned 0x0 [0048.101] GetLastError () returned 0x0 [0048.101] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x11a8c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.101] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.101] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x11b8c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.101] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17a9859d, dwHighDateTime=0x1d5f971)) [0048.101] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0048.101] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0048.101] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.101] GetProcessHeap () returned 0xbc0000 [0048.101] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1198c) returned 0xbeae00 [0048.101] GetSystemDefaultLangID () returned 0xbd0409 [0048.101] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.102] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x1198c, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x1198c, lpOverlapped=0x0) returned 1 [0048.141] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.141] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x1198c, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x1198c, lpOverlapped=0x0) returned 1 [0048.141] GetProcessHeap () returned 0xbc0000 [0048.141] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.141] CloseHandle (hObject=0x264) returned 1 [0048.195] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.195] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.195] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0048.195] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0048.195] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0048.195] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1037\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1037\\localizeddata.xml.nefilim")) returned 1 [0048.211] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.211] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.211] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0048.212] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0048.212] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.212] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.212] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0048.212] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0048.212] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0048.212] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0048.212] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0048.212] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0048.212] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0048.212] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0048.213] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0048.213] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4158, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0048.213] FindClose (in: hFindFile=0xbe2648 | out: hFindFile=0xbe2648) returned 1 [0048.213] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.213] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0048.213] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0048.213] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1038", cAlternateFileName="")) returned 1 [0048.213] lstrcmpiW (lpString1="1038", lpString2=".") returned 1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="..") returned 1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="...") returned 1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="windows") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="$RECYCLE.BIN") returned 1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="rsa") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="NTDETECT.COM") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="ntldr") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="MSDOS.SYS") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="IO.SYS") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="boot.ini") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="AUTOEXEC.BAT") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="ntuser.dat") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="desktop.ini") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="CONFIG.SYS") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="RECYCLER") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="BOOTSECT.BAK") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="bootmgr") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="programdata") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="appdata") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="program files") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="program files (x86)") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="microsoft") returned -1 [0048.213] lstrcmpiW (lpString1="1038", lpString2="sophos") returned -1 [0048.213] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0048.213] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0048.213] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0048.214] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0048.214] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.214] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1038\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2a08 [0048.214] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.214] FindNextFileW (in: hFindFile=0xbe2a08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.214] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.214] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.214] FindNextFileW (in: hFindFile=0xbe2a08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x109e, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0048.214] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0048.215] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0048.215] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0048.215] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0048.215] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0048.215] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0048.215] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.215] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0048.215] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0048.215] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.215] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0048.215] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.215] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=4254) returned 1 [0048.215] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0048.215] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0048.216] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0048.216] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0048.216] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.216] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.216] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.217] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.218] GetTickCount () returned 0x114d87f [0048.218] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0048.218] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.218] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x109e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.218] SetLastError (dwErrCode=0x0) [0048.218] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.243] GetLastError () returned 0x0 [0048.243] GetLastError () returned 0x0 [0048.243] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x119e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.243] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.243] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x129e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.243] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17bef9f9, dwHighDateTime=0x1d5f971)) [0048.244] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.244] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.244] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.244] GetProcessHeap () returned 0xbc0000 [0048.244] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x109e) returned 0xbeae00 [0048.244] GetSystemDefaultLangID () returned 0xbd0409 [0048.244] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.244] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x109e, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x109e, lpOverlapped=0x0) returned 1 [0048.245] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.245] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x109e, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x109e, lpOverlapped=0x0) returned 1 [0048.245] GetProcessHeap () returned 0xbc0000 [0048.245] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.245] CloseHandle (hObject=0x264) returned 1 [0048.246] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.246] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.246] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0048.246] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0048.246] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0048.246] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1038\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1038\\eula.rtf.nefilim")) returned 1 [0048.250] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.250] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.250] FindNextFileW (in: hFindFile=0xbe2a08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x151aa, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0048.250] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0048.251] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0048.251] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0048.251] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0048.251] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0048.251] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0048.251] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0048.251] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0048.251] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0048.251] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.251] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.252] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.252] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=86442) returned 1 [0048.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0048.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0048.252] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0048.252] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0048.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.252] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.252] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.252] GetTickCount () returned 0x114d8ae [0048.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0048.253] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0048.253] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x151aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.253] SetLastError (dwErrCode=0x0) [0048.253] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.255] GetLastError () returned 0x0 [0048.255] GetLastError () returned 0x0 [0048.255] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x152aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.255] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.255] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x153aa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.255] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17c15d71, dwHighDateTime=0x1d5f971)) [0048.255] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0048.255] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0048.255] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.255] GetProcessHeap () returned 0xbc0000 [0048.255] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x151aa) returned 0xbeae00 [0048.255] GetSystemDefaultLangID () returned 0xbd0409 [0048.255] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.255] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x151aa, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x151aa, lpOverlapped=0x0) returned 1 [0048.262] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.262] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x151aa, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x151aa, lpOverlapped=0x0) returned 1 [0048.262] GetProcessHeap () returned 0xbc0000 [0048.262] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.262] CloseHandle (hObject=0x264) returned 1 [0048.264] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.264] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.264] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0048.264] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0048.264] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0048.265] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1038\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1038\\localizeddata.xml.nefilim")) returned 1 [0048.265] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.265] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.265] FindNextFileW (in: hFindFile=0xbe2a08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0048.265] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0048.266] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0048.266] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0048.266] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0048.266] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0048.266] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0048.266] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0048.266] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.266] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.266] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0048.266] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0048.266] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0048.266] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0048.266] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0048.266] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0048.266] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0048.266] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0048.266] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0048.266] FindNextFileW (in: hFindFile=0xbe2a08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0048.266] FindClose (in: hFindFile=0xbe2a08 | out: hFindFile=0xbe2a08) returned 1 [0048.266] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.266] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0048.266] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0048.266] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1040", cAlternateFileName="")) returned 1 [0048.266] lstrcmpiW (lpString1="1040", lpString2=".") returned 1 [0048.266] lstrcmpiW (lpString1="1040", lpString2="..") returned 1 [0048.266] lstrcmpiW (lpString1="1040", lpString2="...") returned 1 [0048.266] lstrcmpiW (lpString1="1040", lpString2="windows") returned -1 [0048.266] lstrcmpiW (lpString1="1040", lpString2="$RECYCLE.BIN") returned 1 [0048.266] lstrcmpiW (lpString1="1040", lpString2="rsa") returned -1 [0048.266] lstrcmpiW (lpString1="1040", lpString2="NTDETECT.COM") returned -1 [0048.266] lstrcmpiW (lpString1="1040", lpString2="ntldr") returned -1 [0048.266] lstrcmpiW (lpString1="1040", lpString2="MSDOS.SYS") returned -1 [0048.266] lstrcmpiW (lpString1="1040", lpString2="IO.SYS") returned -1 [0048.267] lstrcmpiW (lpString1="1040", lpString2="boot.ini") returned -1 [0048.267] lstrcmpiW (lpString1="1040", lpString2="AUTOEXEC.BAT") returned -1 [0048.267] lstrcmpiW (lpString1="1040", lpString2="ntuser.dat") returned -1 [0048.267] lstrcmpiW (lpString1="1040", lpString2="desktop.ini") returned -1 [0048.267] lstrcmpiW (lpString1="1040", lpString2="CONFIG.SYS") returned -1 [0048.267] lstrcmpiW (lpString1="1040", lpString2="RECYCLER") returned -1 [0048.267] lstrcmpiW (lpString1="1040", lpString2="BOOTSECT.BAK") returned -1 [0048.267] lstrcmpiW (lpString1="1040", lpString2="bootmgr") returned -1 [0048.267] lstrcmpiW (lpString1="1040", lpString2="programdata") returned -1 [0048.267] lstrcmpiW (lpString1="1040", lpString2="appdata") returned -1 [0048.267] lstrcmpiW (lpString1="1040", lpString2="program files") returned -1 [0048.267] lstrcmpiW (lpString1="1040", lpString2="program files (x86)") returned -1 [0048.267] lstrcmpiW (lpString1="1040", lpString2="microsoft") returned -1 [0048.267] lstrcmpiW (lpString1="1040", lpString2="sophos") returned -1 [0048.267] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0048.267] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0048.267] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0048.267] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0048.267] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.267] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1040\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2a88 [0048.268] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.268] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.268] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.268] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.268] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe3b, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0048.269] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0048.269] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0048.269] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.269] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0048.269] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0048.269] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0048.269] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0048.269] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0048.269] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0048.269] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0048.269] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0048.269] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0048.269] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0048.270] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0048.270] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0048.270] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0048.270] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0048.270] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0048.270] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0048.270] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0048.270] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.270] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0048.270] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.271] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=3643) returned 1 [0048.271] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0048.271] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0048.271] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0048.271] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0048.271] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.271] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.271] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.272] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.273] GetTickCount () returned 0x114d8bd [0048.273] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0048.273] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.273] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xe3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.273] SetLastError (dwErrCode=0x0) [0048.273] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.278] GetLastError () returned 0x0 [0048.278] GetLastError () returned 0x0 [0048.278] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xf3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.278] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.278] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x103b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.278] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17c3c014, dwHighDateTime=0x1d5f971)) [0048.278] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.278] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.278] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.278] GetProcessHeap () returned 0xbc0000 [0048.278] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xe3b) returned 0xbeae00 [0048.278] GetSystemDefaultLangID () returned 0xbd0409 [0048.278] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.278] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0xe3b, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0xe3b, lpOverlapped=0x0) returned 1 [0048.278] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.278] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0xe3b, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0xe3b, lpOverlapped=0x0) returned 1 [0048.279] GetProcessHeap () returned 0xbc0000 [0048.279] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.279] CloseHandle (hObject=0x264) returned 1 [0048.279] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.279] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.279] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0048.279] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0048.279] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0048.279] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1040\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1040\\eula.rtf.nefilim")) returned 1 [0048.281] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.281] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.281] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x138bc, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0048.281] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0048.281] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0048.281] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0048.281] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0048.281] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0048.281] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0048.281] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0048.281] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0048.281] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0048.281] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0048.282] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0048.282] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0048.282] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0048.282] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0048.282] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0048.282] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0048.282] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0048.282] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0048.282] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0048.282] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0048.282] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0048.282] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0048.282] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0048.282] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0048.282] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0048.282] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0048.282] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0048.282] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0048.282] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0048.282] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0048.282] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0048.282] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0048.282] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0048.282] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0048.282] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0048.282] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0048.283] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0048.283] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0048.283] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0048.283] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0048.283] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0048.283] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0048.283] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0048.283] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.283] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.283] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.283] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=80060) returned 1 [0048.283] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0048.283] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0048.283] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0048.283] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0048.283] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.283] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.283] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.283] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.284] GetTickCount () returned 0x114d8cd [0048.284] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0048.284] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0048.284] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x138bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.284] SetLastError (dwErrCode=0x0) [0048.284] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.285] GetLastError () returned 0x0 [0048.285] GetLastError () returned 0x0 [0048.285] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x139bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.285] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.286] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13abc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.286] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17c621f2, dwHighDateTime=0x1d5f971)) [0048.286] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0048.286] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0048.286] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.286] GetProcessHeap () returned 0xbc0000 [0048.286] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x138bc) returned 0xbeae00 [0048.286] GetSystemDefaultLangID () returned 0xbd0409 [0048.286] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.286] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x138bc, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x138bc, lpOverlapped=0x0) returned 1 [0048.370] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.370] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x138bc, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x138bc, lpOverlapped=0x0) returned 1 [0048.371] GetProcessHeap () returned 0xbc0000 [0048.371] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.371] CloseHandle (hObject=0x264) returned 1 [0048.373] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.373] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.373] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0048.373] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0048.373] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0048.373] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1040\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1040\\localizeddata.xml.nefilim")) returned 1 [0048.374] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.374] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.374] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0048.374] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0048.375] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0048.375] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.375] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.375] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0048.375] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0048.375] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0048.375] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0048.375] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0048.375] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0048.375] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0048.375] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0048.375] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0048.375] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0048.375] FindClose (in: hFindFile=0xbe2a88 | out: hFindFile=0xbe2a88) returned 1 [0048.375] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.375] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0048.375] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0048.375] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1041", cAlternateFileName="")) returned 1 [0048.375] lstrcmpiW (lpString1="1041", lpString2=".") returned 1 [0048.375] lstrcmpiW (lpString1="1041", lpString2="..") returned 1 [0048.375] lstrcmpiW (lpString1="1041", lpString2="...") returned 1 [0048.375] lstrcmpiW (lpString1="1041", lpString2="windows") returned -1 [0048.375] lstrcmpiW (lpString1="1041", lpString2="$RECYCLE.BIN") returned 1 [0048.375] lstrcmpiW (lpString1="1041", lpString2="rsa") returned -1 [0048.375] lstrcmpiW (lpString1="1041", lpString2="NTDETECT.COM") returned -1 [0048.375] lstrcmpiW (lpString1="1041", lpString2="ntldr") returned -1 [0048.375] lstrcmpiW (lpString1="1041", lpString2="MSDOS.SYS") returned -1 [0048.375] lstrcmpiW (lpString1="1041", lpString2="IO.SYS") returned -1 [0048.375] lstrcmpiW (lpString1="1041", lpString2="boot.ini") returned -1 [0048.375] lstrcmpiW (lpString1="1041", lpString2="AUTOEXEC.BAT") returned -1 [0048.375] lstrcmpiW (lpString1="1041", lpString2="ntuser.dat") returned -1 [0048.375] lstrcmpiW (lpString1="1041", lpString2="desktop.ini") returned -1 [0048.376] lstrcmpiW (lpString1="1041", lpString2="CONFIG.SYS") returned -1 [0048.376] lstrcmpiW (lpString1="1041", lpString2="RECYCLER") returned -1 [0048.376] lstrcmpiW (lpString1="1041", lpString2="BOOTSECT.BAK") returned -1 [0048.376] lstrcmpiW (lpString1="1041", lpString2="bootmgr") returned -1 [0048.376] lstrcmpiW (lpString1="1041", lpString2="programdata") returned -1 [0048.376] lstrcmpiW (lpString1="1041", lpString2="appdata") returned -1 [0048.376] lstrcmpiW (lpString1="1041", lpString2="program files") returned -1 [0048.376] lstrcmpiW (lpString1="1041", lpString2="program files (x86)") returned -1 [0048.376] lstrcmpiW (lpString1="1041", lpString2="microsoft") returned -1 [0048.376] lstrcmpiW (lpString1="1041", lpString2="sophos") returned -1 [0048.376] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0048.376] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0048.376] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0048.376] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0048.376] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.376] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1041\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2888 [0048.376] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.376] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.377] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.377] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.377] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x278d, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0048.377] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0048.377] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0048.377] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.378] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0048.378] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0048.378] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.378] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0048.378] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.378] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=10125) returned 1 [0048.378] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0048.378] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0048.378] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0048.379] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0048.379] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.379] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.379] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.380] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.380] GetTickCount () returned 0x114d92b [0048.380] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0048.380] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.380] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x278d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.381] SetLastError (dwErrCode=0x0) [0048.381] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.384] GetLastError () returned 0x0 [0048.384] GetLastError () returned 0x0 [0048.384] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x288d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.384] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.384] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x298d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.384] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17d5a07d, dwHighDateTime=0x1d5f971)) [0048.384] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.384] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.384] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.384] GetProcessHeap () returned 0xbc0000 [0048.384] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x278d) returned 0xbeae00 [0048.384] GetSystemDefaultLangID () returned 0xbd0409 [0048.384] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.384] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x278d, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x278d, lpOverlapped=0x0) returned 1 [0048.386] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.386] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x278d, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x278d, lpOverlapped=0x0) returned 1 [0048.386] GetProcessHeap () returned 0xbc0000 [0048.386] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.386] CloseHandle (hObject=0x264) returned 1 [0048.387] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.387] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.387] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0048.387] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0048.387] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0048.387] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1041\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1041\\eula.rtf.nefilim")) returned 1 [0048.389] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.389] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.389] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x10a82, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0048.389] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0048.389] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0048.389] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0048.390] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0048.390] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0048.390] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0048.390] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0048.390] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0048.390] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0048.390] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0048.390] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0048.390] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0048.390] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0048.390] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0048.390] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0048.391] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0048.391] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0048.391] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0048.391] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0048.391] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0048.391] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0048.391] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0048.391] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0048.391] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.391] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.391] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.391] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=68226) returned 1 [0048.391] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0048.391] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0048.391] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0048.391] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0048.391] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.391] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.392] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.392] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.392] GetTickCount () returned 0x114d93a [0048.392] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0048.392] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0048.392] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x10a82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.392] SetLastError (dwErrCode=0x0) [0048.392] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.395] GetLastError () returned 0x0 [0048.395] GetLastError () returned 0x0 [0048.395] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x10b82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.395] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.395] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x10c82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.395] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17d73a21, dwHighDateTime=0x1d5f971)) [0048.395] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0048.395] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0048.395] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.396] GetProcessHeap () returned 0xbc0000 [0048.396] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10a82) returned 0xbeae00 [0048.396] GetSystemDefaultLangID () returned 0xbd0409 [0048.396] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.396] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x10a82, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x10a82, lpOverlapped=0x0) returned 1 [0048.402] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.402] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x10a82, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x10a82, lpOverlapped=0x0) returned 1 [0048.403] GetProcessHeap () returned 0xbc0000 [0048.403] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.403] CloseHandle (hObject=0x264) returned 1 [0048.408] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.408] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.408] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0048.408] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0048.408] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0048.408] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1041\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1041\\localizeddata.xml.nefilim")) returned 1 [0048.409] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.409] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.409] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0048.409] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0048.410] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0048.410] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0048.410] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0048.410] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.410] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.410] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0048.410] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0048.410] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0048.410] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0048.410] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0048.410] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0048.410] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0048.410] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0048.410] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0048.410] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3d58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0048.446] FindClose (in: hFindFile=0xbe2888 | out: hFindFile=0xbe2888) returned 1 [0048.446] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.446] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0048.446] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0048.446] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1042", cAlternateFileName="")) returned 1 [0048.446] lstrcmpiW (lpString1="1042", lpString2=".") returned 1 [0048.446] lstrcmpiW (lpString1="1042", lpString2="..") returned 1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="...") returned 1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="windows") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="$RECYCLE.BIN") returned 1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="rsa") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="NTDETECT.COM") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="ntldr") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="MSDOS.SYS") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="IO.SYS") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="boot.ini") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="AUTOEXEC.BAT") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="ntuser.dat") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="desktop.ini") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="CONFIG.SYS") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="RECYCLER") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="BOOTSECT.BAK") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="bootmgr") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="programdata") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="appdata") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="program files") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="program files (x86)") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="microsoft") returned -1 [0048.447] lstrcmpiW (lpString1="1042", lpString2="sophos") returned -1 [0048.447] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0048.447] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0048.447] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0048.447] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0048.447] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.447] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1042\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2748 [0048.448] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.448] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf371c69a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.448] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.448] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.448] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x318f, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0048.448] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0048.448] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0048.448] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.448] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0048.448] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0048.448] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0048.448] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0048.449] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0048.449] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0048.449] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0048.449] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0048.449] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0048.449] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0048.449] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0048.449] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0048.449] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0048.449] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0048.449] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0048.449] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0048.449] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0048.449] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.449] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0048.449] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.449] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=12687) returned 1 [0048.449] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0048.449] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0048.449] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0048.449] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0048.449] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.449] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.449] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.450] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.451] GetTickCount () returned 0x114d969 [0048.451] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0048.451] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.451] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x318f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.451] SetLastError (dwErrCode=0x0) [0048.451] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.453] GetLastError () returned 0x0 [0048.453] GetLastError () returned 0x0 [0048.453] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x328f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.453] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.453] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x338f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.453] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17de62f6, dwHighDateTime=0x1d5f971)) [0048.453] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.453] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.453] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.453] GetProcessHeap () returned 0xbc0000 [0048.453] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x318f) returned 0xbeae00 [0048.453] GetSystemDefaultLangID () returned 0xbd0409 [0048.453] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.453] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x318f, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x318f, lpOverlapped=0x0) returned 1 [0048.455] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.455] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x318f, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x318f, lpOverlapped=0x0) returned 1 [0048.455] GetProcessHeap () returned 0xbc0000 [0048.455] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.455] CloseHandle (hObject=0x264) returned 1 [0048.456] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.456] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.456] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0048.457] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0048.457] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0048.457] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1042\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1042\\eula.rtf.nefilim")) returned 1 [0048.459] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.459] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.459] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xfed6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0048.459] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0048.459] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0048.459] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0048.459] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0048.460] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0048.460] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0048.460] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0048.460] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0048.460] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0048.460] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0048.460] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0048.460] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0048.460] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0048.460] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0048.460] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0048.460] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0048.460] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0048.460] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0048.460] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0048.460] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0048.460] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0048.461] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0048.461] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0048.461] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0048.461] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.461] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.461] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.461] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=65238) returned 1 [0048.461] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0048.461] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0048.461] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0048.461] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0048.461] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.461] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.461] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.462] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.462] GetTickCount () returned 0x114d979 [0048.462] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0048.462] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0048.462] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xfed6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.462] SetLastError (dwErrCode=0x0) [0048.462] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.464] GetLastError () returned 0x0 [0048.464] GetLastError () returned 0x0 [0048.464] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xffd6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.464] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.464] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x100d6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.465] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17e0c566, dwHighDateTime=0x1d5f971)) [0048.465] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0048.465] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0048.465] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.465] GetProcessHeap () returned 0xbc0000 [0048.465] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xfed6) returned 0xbeae00 [0048.465] GetSystemDefaultLangID () returned 0xbd0409 [0048.465] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.465] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0xfed6, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0xfed6, lpOverlapped=0x0) returned 1 [0048.470] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.470] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0xfed6, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0xfed6, lpOverlapped=0x0) returned 1 [0048.470] GetProcessHeap () returned 0xbc0000 [0048.470] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.470] CloseHandle (hObject=0x264) returned 1 [0048.472] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.472] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.472] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0048.472] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0048.472] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0048.472] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1042\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1042\\localizeddata.xml.nefilim")) returned 1 [0048.473] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.473] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.473] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0048.473] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0048.474] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0048.474] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0048.474] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0048.474] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0048.474] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.474] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.474] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0048.474] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0048.474] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0048.474] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0048.474] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0048.474] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0048.474] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0048.474] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0048.474] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0048.474] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0048.474] FindClose (in: hFindFile=0xbe2748 | out: hFindFile=0xbe2748) returned 1 [0048.474] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.474] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0048.474] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0048.474] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1043", cAlternateFileName="")) returned 1 [0048.474] lstrcmpiW (lpString1="1043", lpString2=".") returned 1 [0048.474] lstrcmpiW (lpString1="1043", lpString2="..") returned 1 [0048.474] lstrcmpiW (lpString1="1043", lpString2="...") returned 1 [0048.474] lstrcmpiW (lpString1="1043", lpString2="windows") returned -1 [0048.474] lstrcmpiW (lpString1="1043", lpString2="$RECYCLE.BIN") returned 1 [0048.474] lstrcmpiW (lpString1="1043", lpString2="rsa") returned -1 [0048.474] lstrcmpiW (lpString1="1043", lpString2="NTDETECT.COM") returned -1 [0048.474] lstrcmpiW (lpString1="1043", lpString2="ntldr") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="MSDOS.SYS") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="IO.SYS") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="boot.ini") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="AUTOEXEC.BAT") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="ntuser.dat") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="desktop.ini") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="CONFIG.SYS") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="RECYCLER") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="BOOTSECT.BAK") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="bootmgr") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="programdata") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="appdata") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="program files") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="program files (x86)") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="microsoft") returned -1 [0048.475] lstrcmpiW (lpString1="1043", lpString2="sophos") returned -1 [0048.475] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0048.475] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0048.475] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0048.475] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0048.475] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.475] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1043\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2908 [0048.475] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.475] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.475] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.475] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.475] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xdda, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0048.476] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0048.476] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0048.476] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.476] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0048.476] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0048.476] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0048.476] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0048.476] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0048.476] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0048.476] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0048.476] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0048.476] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0048.476] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0048.477] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0048.477] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0048.477] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0048.477] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0048.477] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0048.477] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0048.477] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0048.477] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.477] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0048.477] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.484] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=3546) returned 1 [0048.484] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0048.484] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0048.484] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0048.484] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0048.484] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.484] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.484] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.485] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.486] GetTickCount () returned 0x114d989 [0048.486] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0048.486] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.486] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xdda, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.486] SetLastError (dwErrCode=0x0) [0048.486] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.499] GetLastError () returned 0x0 [0048.499] GetLastError () returned 0x0 [0048.499] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xeda, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.499] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.499] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xfda, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.499] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17e589e1, dwHighDateTime=0x1d5f971)) [0048.499] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.499] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.499] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.499] GetProcessHeap () returned 0xbc0000 [0048.499] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xdda) returned 0xbeae00 [0048.500] GetSystemDefaultLangID () returned 0xbd0409 [0048.500] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.500] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0xdda, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0xdda, lpOverlapped=0x0) returned 1 [0048.500] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.500] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0xdda, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0xdda, lpOverlapped=0x0) returned 1 [0048.500] GetProcessHeap () returned 0xbc0000 [0048.500] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.500] CloseHandle (hObject=0x264) returned 1 [0048.501] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.501] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.501] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0048.501] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0048.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0048.501] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1043\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1043\\eula.rtf.nefilim")) returned 1 [0048.522] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.522] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.522] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13712, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0048.522] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0048.522] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0048.522] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0048.522] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0048.522] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0048.522] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0048.522] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0048.522] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0048.522] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0048.523] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0048.523] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0048.523] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0048.523] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0048.523] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.523] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.524] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.524] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=79634) returned 1 [0048.524] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0048.524] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0048.524] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0048.524] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0048.524] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.524] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.524] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.524] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.524] GetTickCount () returned 0x114d9b7 [0048.524] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0048.524] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0048.525] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13712, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.525] SetLastError (dwErrCode=0x0) [0048.525] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.526] GetLastError () returned 0x0 [0048.526] GetLastError () returned 0x0 [0048.526] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13812, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.527] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.527] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13912, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.527] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17ea4f82, dwHighDateTime=0x1d5f971)) [0048.527] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0048.527] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0048.527] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.527] GetProcessHeap () returned 0xbc0000 [0048.527] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x13712) returned 0xbeae00 [0048.527] GetSystemDefaultLangID () returned 0xbd0409 [0048.527] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.527] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x13712, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x13712, lpOverlapped=0x0) returned 1 [0048.532] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.532] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x13712, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x13712, lpOverlapped=0x0) returned 1 [0048.533] GetProcessHeap () returned 0xbc0000 [0048.533] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.533] CloseHandle (hObject=0x264) returned 1 [0048.535] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.535] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.535] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0048.535] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0048.535] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0048.535] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1043\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1043\\localizeddata.xml.nefilim")) returned 1 [0048.536] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.536] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.536] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0048.536] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0048.536] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.536] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.536] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0048.536] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0048.536] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0048.536] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0048.537] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0048.537] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0048.537] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0048.537] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0048.537] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0048.537] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4b58, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0048.537] FindClose (in: hFindFile=0xbe2908 | out: hFindFile=0xbe2908) returned 1 [0048.537] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.537] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0048.537] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0048.537] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1044", cAlternateFileName="")) returned 1 [0048.537] lstrcmpiW (lpString1="1044", lpString2=".") returned 1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="..") returned 1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="...") returned 1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="windows") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="$RECYCLE.BIN") returned 1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="rsa") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="NTDETECT.COM") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="ntldr") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="MSDOS.SYS") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="IO.SYS") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="boot.ini") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="AUTOEXEC.BAT") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="ntuser.dat") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="desktop.ini") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="CONFIG.SYS") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="RECYCLER") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="BOOTSECT.BAK") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="bootmgr") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="programdata") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="appdata") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="program files") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="program files (x86)") returned -1 [0048.537] lstrcmpiW (lpString1="1044", lpString2="microsoft") returned -1 [0048.538] lstrcmpiW (lpString1="1044", lpString2="sophos") returned -1 [0048.538] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0048.538] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0048.538] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0048.538] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0048.538] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.538] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1044\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2708 [0048.538] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.538] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf37428cd, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.538] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.538] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.538] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbe6, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0048.538] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0048.539] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0048.539] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0048.539] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.539] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0048.539] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0048.539] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0048.539] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0048.539] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0048.539] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0048.539] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0048.539] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0048.539] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0048.539] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0048.540] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0048.540] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0048.540] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0048.540] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0048.540] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0048.540] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0048.540] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0048.540] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.540] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0048.540] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.540] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=3046) returned 1 [0048.540] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0048.540] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0048.540] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0048.540] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0048.540] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.540] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.540] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.541] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.542] GetTickCount () returned 0x114d9c7 [0048.542] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0048.542] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.542] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xbe6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.542] SetLastError (dwErrCode=0x0) [0048.542] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.562] GetLastError () returned 0x0 [0048.562] GetLastError () returned 0x0 [0048.562] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xce6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.562] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.562] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xde6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.563] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x17ef2775, dwHighDateTime=0x1d5f971)) [0048.563] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.563] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.563] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.563] GetProcessHeap () returned 0xbc0000 [0048.563] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xbe6) returned 0xbeae00 [0048.563] GetSystemDefaultLangID () returned 0xbd0409 [0048.563] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.563] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0xbe6, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0xbe6, lpOverlapped=0x0) returned 1 [0048.563] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.563] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0xbe6, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0xbe6, lpOverlapped=0x0) returned 1 [0048.563] GetProcessHeap () returned 0xbc0000 [0048.563] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.563] CloseHandle (hObject=0x264) returned 1 [0048.564] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.564] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.564] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0048.564] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0048.564] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0048.564] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1044\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1044\\eula.rtf.nefilim")) returned 1 [0048.751] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.751] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.751] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x135c0, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0048.751] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0048.752] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0048.752] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0048.752] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0048.752] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0048.752] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0048.752] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0048.752] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0048.752] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0048.752] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0048.753] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0048.753] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0048.753] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0048.753] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0048.753] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0048.753] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0048.753] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0048.753] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0048.753] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0048.753] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0048.753] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0048.753] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.753] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.753] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.753] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=79296) returned 1 [0048.753] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0048.753] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0048.753] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0048.753] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0048.753] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.753] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.753] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.754] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.754] GetTickCount () returned 0x114daa2 [0048.754] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0048.754] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0048.754] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x135c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.755] SetLastError (dwErrCode=0x0) [0048.755] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.756] GetLastError () returned 0x0 [0048.756] GetLastError () returned 0x0 [0048.756] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x136c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.756] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.756] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x137c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.756] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x180e14b1, dwHighDateTime=0x1d5f971)) [0048.757] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0048.757] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0048.757] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.757] GetProcessHeap () returned 0xbc0000 [0048.757] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x135c0) returned 0xbeae00 [0048.757] GetSystemDefaultLangID () returned 0xbd0409 [0048.757] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.757] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x135c0, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x135c0, lpOverlapped=0x0) returned 1 [0048.762] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.762] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x135c0, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x135c0, lpOverlapped=0x0) returned 1 [0048.763] GetProcessHeap () returned 0xbc0000 [0048.763] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.763] CloseHandle (hObject=0x264) returned 1 [0048.765] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.765] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.765] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0048.765] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0048.765] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0048.765] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1044\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1044\\localizeddata.xml.nefilim")) returned 1 [0048.766] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.766] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.766] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0048.766] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0048.766] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.766] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.766] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0048.766] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0048.766] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0048.766] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0048.767] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0048.767] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0048.767] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0048.767] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0048.767] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0048.767] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0048.767] FindClose (in: hFindFile=0xbe2708 | out: hFindFile=0xbe2708) returned 1 [0048.767] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.767] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0048.767] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0048.767] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1045", cAlternateFileName="")) returned 1 [0048.767] lstrcmpiW (lpString1="1045", lpString2=".") returned 1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="..") returned 1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="...") returned 1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="windows") returned -1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="$RECYCLE.BIN") returned 1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="rsa") returned -1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="NTDETECT.COM") returned -1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="ntldr") returned -1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="MSDOS.SYS") returned -1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="IO.SYS") returned -1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="boot.ini") returned -1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="AUTOEXEC.BAT") returned -1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="ntuser.dat") returned -1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="desktop.ini") returned -1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="CONFIG.SYS") returned -1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="RECYCLER") returned -1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="BOOTSECT.BAK") returned -1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="bootmgr") returned -1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="programdata") returned -1 [0048.767] lstrcmpiW (lpString1="1045", lpString2="appdata") returned -1 [0048.768] lstrcmpiW (lpString1="1045", lpString2="program files") returned -1 [0048.768] lstrcmpiW (lpString1="1045", lpString2="program files (x86)") returned -1 [0048.768] lstrcmpiW (lpString1="1045", lpString2="microsoft") returned -1 [0048.768] lstrcmpiW (lpString1="1045", lpString2="sophos") returned -1 [0048.768] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0048.768] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0048.768] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0048.768] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0048.768] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.768] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1045\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0048.769] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.769] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.769] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.769] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.769] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfc8, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0048.769] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0048.769] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0048.769] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0048.769] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0048.769] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0048.769] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0048.769] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0048.769] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0048.769] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0048.769] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0048.770] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0048.770] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0048.770] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0048.770] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0048.770] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0048.770] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0048.770] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0048.770] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0048.770] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0048.770] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0048.770] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0048.770] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0048.770] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0048.770] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0048.770] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0048.770] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.770] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0048.770] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0048.770] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0048.770] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0048.770] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0048.771] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0048.771] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0048.771] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0048.771] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0048.771] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0048.771] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0048.771] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0048.771] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0048.771] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0048.771] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0048.771] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0048.771] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0048.771] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0048.771] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.771] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=4040) returned 1 [0048.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0048.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0048.771] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0048.771] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0048.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.771] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.772] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.773] GetTickCount () returned 0x114dab1 [0048.773] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0048.773] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.773] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xfc8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.773] SetLastError (dwErrCode=0x0) [0048.773] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.775] GetLastError () returned 0x0 [0048.775] GetLastError () returned 0x0 [0048.775] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x10c8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.775] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.775] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x11c8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.775] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x18107702, dwHighDateTime=0x1d5f971)) [0048.775] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.775] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.775] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.775] GetProcessHeap () returned 0xbc0000 [0048.775] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xfc8) returned 0xbeae00 [0048.775] GetSystemDefaultLangID () returned 0xbd0409 [0048.776] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.776] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0xfc8, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0xfc8, lpOverlapped=0x0) returned 1 [0048.776] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.776] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0xfc8, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0xfc8, lpOverlapped=0x0) returned 1 [0048.776] GetProcessHeap () returned 0xbc0000 [0048.776] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.776] CloseHandle (hObject=0x264) returned 1 [0048.777] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.777] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.777] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0048.777] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0048.777] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0048.777] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1045\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1045\\eula.rtf.nefilim")) returned 1 [0048.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.779] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x141c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0048.779] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0048.780] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0048.780] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0048.780] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0048.780] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0048.780] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.780] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.780] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.780] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=82374) returned 1 [0048.780] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0048.780] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0048.780] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0048.780] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0048.780] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.780] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.781] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.781] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.781] GetTickCount () returned 0x114dab1 [0048.781] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0048.781] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0048.781] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x141c6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.781] SetLastError (dwErrCode=0x0) [0048.781] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.783] GetLastError () returned 0x0 [0048.783] GetLastError () returned 0x0 [0048.783] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x142c6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.783] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.783] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x143c6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.783] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x18107702, dwHighDateTime=0x1d5f971)) [0048.783] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0048.783] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0048.783] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.783] GetProcessHeap () returned 0xbc0000 [0048.783] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x141c6) returned 0xbeae00 [0048.783] GetSystemDefaultLangID () returned 0xbd0409 [0048.784] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.784] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x141c6, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x141c6, lpOverlapped=0x0) returned 1 [0048.812] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.812] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x141c6, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x141c6, lpOverlapped=0x0) returned 1 [0048.812] GetProcessHeap () returned 0xbc0000 [0048.812] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.812] CloseHandle (hObject=0x264) returned 1 [0048.814] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.814] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.814] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0048.814] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0048.814] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0048.814] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1045\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1045\\localizeddata.xml.nefilim")) returned 1 [0048.816] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.816] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.816] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0048.816] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0048.816] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0048.816] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0048.816] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0048.816] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0048.816] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0048.816] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0048.816] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0048.816] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0048.816] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0048.816] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0048.816] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0048.816] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0048.816] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0048.816] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0048.817] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0048.817] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0048.818] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0048.818] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0048.818] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0048.818] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0048.818] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0048.818] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0048.818] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0048.818] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.818] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.818] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0048.818] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0048.818] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0048.818] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0048.818] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0048.818] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0048.818] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0048.818] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0048.818] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0048.818] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0048.818] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0048.818] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.818] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0048.818] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0048.818] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1046", cAlternateFileName="")) returned 1 [0048.818] lstrcmpiW (lpString1="1046", lpString2=".") returned 1 [0048.818] lstrcmpiW (lpString1="1046", lpString2="..") returned 1 [0048.818] lstrcmpiW (lpString1="1046", lpString2="...") returned 1 [0048.818] lstrcmpiW (lpString1="1046", lpString2="windows") returned -1 [0048.818] lstrcmpiW (lpString1="1046", lpString2="$RECYCLE.BIN") returned 1 [0048.818] lstrcmpiW (lpString1="1046", lpString2="rsa") returned -1 [0048.818] lstrcmpiW (lpString1="1046", lpString2="NTDETECT.COM") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="ntldr") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="MSDOS.SYS") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="IO.SYS") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="boot.ini") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="AUTOEXEC.BAT") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="ntuser.dat") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="desktop.ini") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="CONFIG.SYS") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="RECYCLER") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="BOOTSECT.BAK") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="bootmgr") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="programdata") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="appdata") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="program files") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="program files (x86)") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="microsoft") returned -1 [0048.819] lstrcmpiW (lpString1="1046", lpString2="sophos") returned -1 [0048.819] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0048.819] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0048.819] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0048.819] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0048.819] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.819] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1046\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2b08 [0048.820] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.820] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.820] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.820] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.820] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xe63, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0048.820] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0048.820] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0048.820] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0048.820] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0048.820] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0048.820] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0048.820] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0048.820] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0048.821] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0048.821] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0048.821] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.821] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0048.821] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0048.822] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.822] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0048.822] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.822] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=3683) returned 1 [0048.822] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0048.822] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0048.822] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0048.822] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0048.822] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.822] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.822] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.823] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.824] GetTickCount () returned 0x114dae0 [0048.824] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0048.824] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.824] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xe63, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.824] SetLastError (dwErrCode=0x0) [0048.824] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.825] GetLastError () returned 0x0 [0048.825] GetLastError () returned 0x0 [0048.825] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xf63, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.826] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.826] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1063, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.826] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1817c5bd, dwHighDateTime=0x1d5f971)) [0048.826] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.826] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.826] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.826] GetProcessHeap () returned 0xbc0000 [0048.826] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xe63) returned 0xbeae00 [0048.826] GetSystemDefaultLangID () returned 0xbd0409 [0048.826] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.826] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0xe63, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0xe63, lpOverlapped=0x0) returned 1 [0048.826] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.826] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0xe63, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0xe63, lpOverlapped=0x0) returned 1 [0048.826] GetProcessHeap () returned 0xbc0000 [0048.826] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.826] CloseHandle (hObject=0x264) returned 1 [0048.827] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.827] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.827] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0048.828] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0048.828] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0048.828] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1046\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1046\\eula.rtf.nefilim")) returned 1 [0048.830] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.830] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.830] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13b62, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0048.830] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0048.831] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0048.831] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0048.831] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0048.831] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0048.831] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0048.831] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0048.831] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0048.831] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0048.831] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0048.831] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0048.831] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.831] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.831] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.831] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=80738) returned 1 [0048.832] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0048.832] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0048.832] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0048.832] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0048.832] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.832] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.832] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.832] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.832] GetTickCount () returned 0x114daf0 [0048.832] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0048.832] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0048.832] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13b62, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.832] SetLastError (dwErrCode=0x0) [0048.832] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.834] GetLastError () returned 0x0 [0048.834] GetLastError () returned 0x0 [0048.834] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13c62, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.834] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.834] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13d62, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.834] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1819fe1b, dwHighDateTime=0x1d5f971)) [0048.834] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0048.834] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0048.834] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.834] GetProcessHeap () returned 0xbc0000 [0048.834] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x13b62) returned 0xbeae00 [0048.835] GetSystemDefaultLangID () returned 0xbd0409 [0048.835] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.835] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x13b62, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x13b62, lpOverlapped=0x0) returned 1 [0048.840] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.840] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x13b62, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x13b62, lpOverlapped=0x0) returned 1 [0048.840] GetProcessHeap () returned 0xbc0000 [0048.840] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.840] CloseHandle (hObject=0x264) returned 1 [0048.842] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.842] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.842] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0048.842] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0048.842] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0048.842] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1046\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1046\\localizeddata.xml.nefilim")) returned 1 [0048.843] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.843] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.843] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0048.843] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0048.844] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0048.844] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0048.844] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0048.844] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.844] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0048.844] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0048.844] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0048.844] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0048.844] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0048.844] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0048.844] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0048.844] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0048.844] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0048.844] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0048.844] FindClose (in: hFindFile=0xbe2b08 | out: hFindFile=0xbe2b08) returned 1 [0048.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0048.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0048.844] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1049", cAlternateFileName="")) returned 1 [0048.844] lstrcmpiW (lpString1="1049", lpString2=".") returned 1 [0048.844] lstrcmpiW (lpString1="1049", lpString2="..") returned 1 [0048.844] lstrcmpiW (lpString1="1049", lpString2="...") returned 1 [0048.844] lstrcmpiW (lpString1="1049", lpString2="windows") returned -1 [0048.844] lstrcmpiW (lpString1="1049", lpString2="$RECYCLE.BIN") returned 1 [0048.844] lstrcmpiW (lpString1="1049", lpString2="rsa") returned -1 [0048.844] lstrcmpiW (lpString1="1049", lpString2="NTDETECT.COM") returned -1 [0048.844] lstrcmpiW (lpString1="1049", lpString2="ntldr") returned -1 [0048.844] lstrcmpiW (lpString1="1049", lpString2="MSDOS.SYS") returned -1 [0048.845] lstrcmpiW (lpString1="1049", lpString2="IO.SYS") returned -1 [0048.846] lstrcmpiW (lpString1="1049", lpString2="boot.ini") returned -1 [0048.846] lstrcmpiW (lpString1="1049", lpString2="AUTOEXEC.BAT") returned -1 [0048.846] lstrcmpiW (lpString1="1049", lpString2="ntuser.dat") returned -1 [0048.846] lstrcmpiW (lpString1="1049", lpString2="desktop.ini") returned -1 [0048.846] lstrcmpiW (lpString1="1049", lpString2="CONFIG.SYS") returned -1 [0048.846] lstrcmpiW (lpString1="1049", lpString2="RECYCLER") returned -1 [0048.846] lstrcmpiW (lpString1="1049", lpString2="BOOTSECT.BAK") returned -1 [0048.846] lstrcmpiW (lpString1="1049", lpString2="bootmgr") returned -1 [0048.846] lstrcmpiW (lpString1="1049", lpString2="programdata") returned -1 [0048.846] lstrcmpiW (lpString1="1049", lpString2="appdata") returned -1 [0048.846] lstrcmpiW (lpString1="1049", lpString2="program files") returned -1 [0048.846] lstrcmpiW (lpString1="1049", lpString2="program files (x86)") returned -1 [0048.846] lstrcmpiW (lpString1="1049", lpString2="microsoft") returned -1 [0048.846] lstrcmpiW (lpString1="1049", lpString2="sophos") returned -1 [0048.846] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0048.846] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0048.846] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0048.846] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0048.846] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.846] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1049\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2608 [0048.846] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.846] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.846] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.846] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.846] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xd4b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0048.846] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0048.846] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0048.846] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0048.846] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0048.847] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0048.847] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0048.847] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.847] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0048.847] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0048.847] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0048.847] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0048.847] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0048.847] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0048.847] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0048.847] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0048.847] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0048.847] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0048.847] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0048.868] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0048.868] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0048.868] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0048.868] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0048.868] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0048.868] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0048.868] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.868] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0048.868] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.868] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=54456) returned 1 [0048.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0048.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0048.869] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0048.869] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0048.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.869] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.870] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.870] GetTickCount () returned 0x114db0f [0048.870] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0048.870] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.870] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xd4b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.871] SetLastError (dwErrCode=0x0) [0048.871] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.873] GetLastError () returned 0x0 [0048.873] GetLastError () returned 0x0 [0048.873] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xd5b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.873] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.873] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xd6b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.873] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x181ec330, dwHighDateTime=0x1d5f971)) [0048.873] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.873] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.873] GetProcessHeap () returned 0xbc0000 [0048.873] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xd4b8) returned 0xbeae00 [0048.874] GetSystemDefaultLangID () returned 0xbd0409 [0048.874] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.874] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0xd4b8, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0xd4b8, lpOverlapped=0x0) returned 1 [0048.877] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.877] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0xd4b8, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0xd4b8, lpOverlapped=0x0) returned 1 [0048.878] GetProcessHeap () returned 0xbc0000 [0048.878] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.878] CloseHandle (hObject=0x264) returned 1 [0048.880] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.880] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.880] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0048.880] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0048.880] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0048.880] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1049\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1049\\eula.rtf.nefilim")) returned 1 [0048.884] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.884] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.884] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x13e4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0048.884] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0048.885] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0048.885] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0048.885] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0048.885] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0048.885] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0048.885] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0048.885] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.885] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.885] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.885] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=81482) returned 1 [0048.885] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0048.885] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0048.885] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0048.885] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0048.885] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.886] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.886] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.886] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.887] GetTickCount () returned 0x114db1f [0048.887] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0048.887] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0048.887] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13e4a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.887] SetLastError (dwErrCode=0x0) [0048.887] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.889] GetLastError () returned 0x0 [0048.889] GetLastError () returned 0x0 [0048.889] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13f4a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.889] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.889] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1404a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.889] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x18212572, dwHighDateTime=0x1d5f971)) [0048.889] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0048.889] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0048.889] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.889] GetProcessHeap () returned 0xbc0000 [0048.889] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x13e4a) returned 0xbeae00 [0048.889] GetSystemDefaultLangID () returned 0xbd0409 [0048.889] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.889] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x13e4a, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x13e4a, lpOverlapped=0x0) returned 1 [0048.895] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.895] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x13e4a, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x13e4a, lpOverlapped=0x0) returned 1 [0048.895] GetProcessHeap () returned 0xbc0000 [0048.895] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.895] CloseHandle (hObject=0x264) returned 1 [0048.897] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.897] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.897] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0048.897] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0048.897] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0048.897] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1049\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1049\\localizeddata.xml.nefilim")) returned 1 [0048.898] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.898] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.898] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0048.898] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0048.899] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0048.899] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0048.899] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0048.899] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0048.899] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0048.899] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.899] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.899] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0048.899] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0048.899] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0048.899] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0048.899] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0048.899] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0048.899] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0048.899] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0048.899] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0048.899] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0048.899] FindClose (in: hFindFile=0xbe2608 | out: hFindFile=0xbe2608) returned 1 [0048.899] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.899] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0048.899] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0048.899] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1053", cAlternateFileName="")) returned 1 [0048.899] lstrcmpiW (lpString1="1053", lpString2=".") returned 1 [0048.899] lstrcmpiW (lpString1="1053", lpString2="..") returned 1 [0048.899] lstrcmpiW (lpString1="1053", lpString2="...") returned 1 [0048.899] lstrcmpiW (lpString1="1053", lpString2="windows") returned -1 [0048.899] lstrcmpiW (lpString1="1053", lpString2="$RECYCLE.BIN") returned 1 [0048.899] lstrcmpiW (lpString1="1053", lpString2="rsa") returned -1 [0048.899] lstrcmpiW (lpString1="1053", lpString2="NTDETECT.COM") returned -1 [0048.899] lstrcmpiW (lpString1="1053", lpString2="ntldr") returned -1 [0048.899] lstrcmpiW (lpString1="1053", lpString2="MSDOS.SYS") returned -1 [0048.899] lstrcmpiW (lpString1="1053", lpString2="IO.SYS") returned -1 [0048.899] lstrcmpiW (lpString1="1053", lpString2="boot.ini") returned -1 [0048.900] lstrcmpiW (lpString1="1053", lpString2="AUTOEXEC.BAT") returned -1 [0048.900] lstrcmpiW (lpString1="1053", lpString2="ntuser.dat") returned -1 [0048.900] lstrcmpiW (lpString1="1053", lpString2="desktop.ini") returned -1 [0048.900] lstrcmpiW (lpString1="1053", lpString2="CONFIG.SYS") returned -1 [0048.900] lstrcmpiW (lpString1="1053", lpString2="RECYCLER") returned -1 [0048.900] lstrcmpiW (lpString1="1053", lpString2="BOOTSECT.BAK") returned -1 [0048.900] lstrcmpiW (lpString1="1053", lpString2="bootmgr") returned -1 [0048.900] lstrcmpiW (lpString1="1053", lpString2="programdata") returned -1 [0048.900] lstrcmpiW (lpString1="1053", lpString2="appdata") returned -1 [0048.900] lstrcmpiW (lpString1="1053", lpString2="program files") returned -1 [0048.900] lstrcmpiW (lpString1="1053", lpString2="program files (x86)") returned -1 [0048.900] lstrcmpiW (lpString1="1053", lpString2="microsoft") returned -1 [0048.900] lstrcmpiW (lpString1="1053", lpString2="sophos") returned -1 [0048.900] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0048.900] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0048.900] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0048.900] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0048.900] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.900] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1053\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2848 [0048.902] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.902] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.902] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.902] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.902] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf19, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0048.902] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0048.903] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0048.903] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0048.903] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0048.903] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0048.903] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0048.903] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0048.903] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0048.903] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.903] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0048.903] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0048.903] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.903] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0048.903] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.903] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=3865) returned 1 [0048.903] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0048.904] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0048.904] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0048.904] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0048.904] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.904] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.904] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.904] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.905] GetTickCount () returned 0x114db2e [0048.905] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0048.905] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.905] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xf19, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.905] SetLastError (dwErrCode=0x0) [0048.905] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.958] GetLastError () returned 0x0 [0048.958] GetLastError () returned 0x0 [0048.959] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1019, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.959] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.959] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1119, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.959] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x182d1215, dwHighDateTime=0x1d5f971)) [0048.959] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.959] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.959] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.959] GetProcessHeap () returned 0xbc0000 [0048.959] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xf19) returned 0xbeae00 [0048.959] GetSystemDefaultLangID () returned 0xbd0409 [0048.959] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.959] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0xf19, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0xf19, lpOverlapped=0x0) returned 1 [0048.959] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.959] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0xf19, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0xf19, lpOverlapped=0x0) returned 1 [0048.959] GetProcessHeap () returned 0xbc0000 [0048.959] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.959] CloseHandle (hObject=0x264) returned 1 [0048.963] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.963] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.963] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0048.963] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0048.963] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0048.963] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1053\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1053\\eula.rtf.nefilim")) returned 1 [0048.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.965] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12f70, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0048.965] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0048.965] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0048.965] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0048.965] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0048.966] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0048.966] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0048.966] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0048.966] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0048.966] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0048.966] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0048.966] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0048.966] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0048.966] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0048.966] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0048.966] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0048.966] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0048.966] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0048.966] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0048.966] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0048.967] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0048.967] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0048.967] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0048.967] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0048.967] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0048.967] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.967] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.967] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.967] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=77680) returned 1 [0048.967] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0048.967] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0048.967] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0048.968] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0048.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.968] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.968] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.968] GetTickCount () returned 0x114db6d [0048.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0048.968] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0048.968] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12f70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.968] SetLastError (dwErrCode=0x0) [0048.968] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.970] GetLastError () returned 0x0 [0048.970] GetLastError () returned 0x0 [0048.970] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.970] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.970] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.970] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x182d1215, dwHighDateTime=0x1d5f971)) [0048.970] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0048.970] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0048.970] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.971] GetProcessHeap () returned 0xbc0000 [0048.971] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x12f70) returned 0xbeae00 [0048.971] GetSystemDefaultLangID () returned 0xbd0409 [0048.971] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.971] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x12f70, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x12f70, lpOverlapped=0x0) returned 1 [0048.976] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.976] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x12f70, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x12f70, lpOverlapped=0x0) returned 1 [0048.976] GetProcessHeap () returned 0xbc0000 [0048.976] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.977] CloseHandle (hObject=0x264) returned 1 [0048.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0048.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0048.979] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0048.979] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1053\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1053\\localizeddata.xml.nefilim")) returned 1 [0048.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.979] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0048.979] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0048.979] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0048.979] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0048.979] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0048.979] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0048.979] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0048.980] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0048.980] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.980] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0048.980] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0048.980] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0048.980] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0048.980] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0048.980] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0048.980] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0048.980] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0048.980] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0048.980] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0048.980] FindClose (in: hFindFile=0xbe2848 | out: hFindFile=0xbe2848) returned 1 [0048.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0048.981] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0048.981] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="1055", cAlternateFileName="")) returned 1 [0048.981] lstrcmpiW (lpString1="1055", lpString2=".") returned 1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="..") returned 1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="...") returned 1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="windows") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="$RECYCLE.BIN") returned 1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="rsa") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="NTDETECT.COM") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="ntldr") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="MSDOS.SYS") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="IO.SYS") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="boot.ini") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="AUTOEXEC.BAT") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="ntuser.dat") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="desktop.ini") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="CONFIG.SYS") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="RECYCLER") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="BOOTSECT.BAK") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="bootmgr") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="programdata") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="appdata") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="program files") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="program files (x86)") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="microsoft") returned -1 [0048.981] lstrcmpiW (lpString1="1055", lpString2="sophos") returned -1 [0048.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0048.981] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0048.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0048.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0048.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.981] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\1055\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe24c8 [0048.982] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0048.982] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0048.982] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0048.982] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0048.982] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xf13, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0048.982] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0048.982] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0048.982] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.982] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0048.983] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0048.983] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0048.983] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.983] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=3859) returned 1 [0048.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0048.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0048.983] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0048.983] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0048.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.983] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.984] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.985] GetTickCount () returned 0x114db7d [0048.985] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0048.985] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.985] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xf13, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.985] SetLastError (dwErrCode=0x0) [0048.985] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.988] GetLastError () returned 0x0 [0048.988] GetLastError () returned 0x0 [0048.988] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1013, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.988] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0048.988] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1113, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.988] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1831d5b8, dwHighDateTime=0x1d5f971)) [0048.988] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0048.988] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0048.988] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0048.989] GetProcessHeap () returned 0xbc0000 [0048.989] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xf13) returned 0xbeae00 [0048.989] GetSystemDefaultLangID () returned 0xbd0409 [0048.989] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.989] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0xf13, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0xf13, lpOverlapped=0x0) returned 1 [0048.989] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.989] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0xf13, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0xf13, lpOverlapped=0x0) returned 1 [0048.989] GetProcessHeap () returned 0xbc0000 [0048.989] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0048.989] CloseHandle (hObject=0x264) returned 1 [0048.990] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.990] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0048.990] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0048.990] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0048.990] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0048.990] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\1055\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1055\\eula.rtf.nefilim")) returned 1 [0048.992] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0048.992] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0048.992] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x12c12, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0048.992] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0048.992] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0048.992] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0048.992] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0048.992] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0048.992] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0048.992] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0048.992] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0048.992] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0048.992] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0048.992] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0048.992] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0048.993] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0048.993] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0048.993] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0048.993] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0048.993] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0048.993] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0048.993] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0048.993] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0048.993] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0048.993] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0048.993] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0048.993] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0048.993] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0048.993] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0048.993] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0048.993] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0048.993] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0048.993] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0048.993] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0048.994] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=76818) returned 1 [0048.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0048.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0048.994] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0048.994] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0048.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0048.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0048.994] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0048.994] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0048.994] GetTickCount () returned 0x114db8c [0048.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0048.994] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0048.994] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12c12, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0048.994] SetLastError (dwErrCode=0x0) [0048.995] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.010] GetLastError () returned 0x0 [0049.010] GetLastError () returned 0x0 [0049.010] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12d12, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.010] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.010] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x12e12, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.010] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1834385d, dwHighDateTime=0x1d5f971)) [0049.010] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.010] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.010] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.010] GetProcessHeap () returned 0xbc0000 [0049.010] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x12c12) returned 0xbeae00 [0049.010] GetSystemDefaultLangID () returned 0xbd0409 [0049.011] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.011] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x12c12, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x12c12, lpOverlapped=0x0) returned 1 [0049.016] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.016] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x12c12, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x12c12, lpOverlapped=0x0) returned 1 [0049.016] GetProcessHeap () returned 0xbc0000 [0049.016] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0049.016] CloseHandle (hObject=0x264) returned 1 [0049.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0049.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0049.018] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.018] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\1055\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\1055\\localizeddata.xml.nefilim")) returned 1 [0049.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.019] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0049.019] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0049.019] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0049.020] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0049.020] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0049.020] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0049.020] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0049.020] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0049.020] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0049.020] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0049.020] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0049.020] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0049.020] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4558, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0049.020] FindClose (in: hFindFile=0xbe24c8 | out: hFindFile=0xbe24c8) returned 1 [0049.020] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.020] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0049.020] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0049.020] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="2052", cAlternateFileName="")) returned 1 [0049.020] lstrcmpiW (lpString1="2052", lpString2=".") returned 1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="..") returned 1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="...") returned 1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="windows") returned -1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="$RECYCLE.BIN") returned 1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="rsa") returned -1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="NTDETECT.COM") returned -1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="ntldr") returned -1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="MSDOS.SYS") returned -1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="IO.SYS") returned -1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="boot.ini") returned -1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="AUTOEXEC.BAT") returned -1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="ntuser.dat") returned -1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="desktop.ini") returned -1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="CONFIG.SYS") returned -1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="RECYCLER") returned -1 [0049.020] lstrcmpiW (lpString1="2052", lpString2="BOOTSECT.BAK") returned -1 [0049.021] lstrcmpiW (lpString1="2052", lpString2="bootmgr") returned -1 [0049.021] lstrcmpiW (lpString1="2052", lpString2="programdata") returned -1 [0049.021] lstrcmpiW (lpString1="2052", lpString2="appdata") returned -1 [0049.021] lstrcmpiW (lpString1="2052", lpString2="program files") returned -1 [0049.021] lstrcmpiW (lpString1="2052", lpString2="program files (x86)") returned -1 [0049.021] lstrcmpiW (lpString1="2052", lpString2="microsoft") returned -1 [0049.021] lstrcmpiW (lpString1="2052", lpString2="sophos") returned -1 [0049.021] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0049.021] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0049.021] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0049.021] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0049.021] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0049.021] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2052\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0049.021] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.021] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.021] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.021] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.021] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x16c3, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0049.021] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0049.021] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0049.021] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0049.021] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0049.021] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0049.021] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0049.021] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0049.021] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0049.021] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0049.021] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0049.022] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0049.022] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0049.022] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0049.022] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0049.022] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0049.022] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0049.022] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0049.022] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0049.022] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0049.022] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0049.022] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0049.022] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0049.022] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0049.022] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0049.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0049.022] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.022] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0049.022] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0049.022] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0049.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0049.023] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.023] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=5827) returned 1 [0049.023] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0049.023] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0049.023] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0049.023] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0049.023] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.023] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.023] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.024] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.025] GetTickCount () returned 0x114dbab [0049.025] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0049.025] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.025] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x16c3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.025] SetLastError (dwErrCode=0x0) [0049.025] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.027] GetLastError () returned 0x0 [0049.027] GetLastError () returned 0x0 [0049.027] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x17c3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.027] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.027] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x18c3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.027] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x18369b7e, dwHighDateTime=0x1d5f971)) [0049.027] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0049.027] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.027] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.027] GetProcessHeap () returned 0xbc0000 [0049.027] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x16c3) returned 0xbeae00 [0049.027] GetSystemDefaultLangID () returned 0xbd0409 [0049.027] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.027] ReadFile (in: hFile=0x264, lpBuffer=0xbeae00, nNumberOfBytesToRead=0x16c3, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesRead=0x25bee3c*=0x16c3, lpOverlapped=0x0) returned 1 [0049.028] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.029] WriteFile (in: hFile=0x264, lpBuffer=0xbeae00*, nNumberOfBytesToWrite=0x16c3, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeae00*, lpNumberOfBytesWritten=0x25bee30*=0x16c3, lpOverlapped=0x0) returned 1 [0049.029] GetProcessHeap () returned 0xbc0000 [0049.029] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeae00 | out: hHeap=0xbc0000) returned 1 [0049.029] CloseHandle (hObject=0x264) returned 1 [0049.029] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.029] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.029] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0049.029] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0049.029] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0049.030] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\2052\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\2052\\eula.rtf.nefilim")) returned 1 [0049.032] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.032] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0049.032] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed0c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0049.032] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0049.032] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0049.032] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0049.032] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0049.032] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0049.032] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0049.032] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0049.032] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0049.032] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0049.032] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0049.032] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0049.032] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0049.032] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0049.032] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0049.033] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0049.033] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0049.033] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0049.033] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0049.033] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0049.033] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0049.033] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0049.033] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0049.033] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0049.033] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0049.033] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0049.033] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0049.033] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0049.033] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0049.033] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0049.033] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.034] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.034] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=60684) returned 1 [0049.034] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0049.034] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0049.034] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0049.034] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0049.034] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.034] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.034] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.034] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.035] GetTickCount () returned 0x114dbab [0049.035] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0049.035] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.035] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xed0c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.035] SetLastError (dwErrCode=0x0) [0049.035] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.037] GetLastError () returned 0x0 [0049.037] GetLastError () returned 0x0 [0049.037] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xee0c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.037] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.037] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xef0c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.037] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1838fd09, dwHighDateTime=0x1d5f971)) [0049.037] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.037] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.037] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.037] GetProcessHeap () returned 0xbc0000 [0049.037] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xed0c) returned 0xbeb608 [0049.037] GetSystemDefaultLangID () returned 0xbd0409 [0049.037] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.037] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0xed0c, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0xed0c, lpOverlapped=0x0) returned 1 [0049.042] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.042] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0xed0c, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0xed0c, lpOverlapped=0x0) returned 1 [0049.042] GetProcessHeap () returned 0xbc0000 [0049.042] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.042] CloseHandle (hObject=0x264) returned 1 [0049.044] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.044] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.044] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0049.044] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0049.044] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.044] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\2052\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\2052\\localizeddata.xml.nefilim")) returned 1 [0049.044] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.044] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.045] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0049.045] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0049.045] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.045] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0049.045] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0049.045] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0049.045] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0049.045] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0049.045] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0049.045] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0049.045] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0049.046] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0049.046] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0049.046] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0049.046] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0049.046] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.046] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0049.046] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0049.046] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="2070", cAlternateFileName="")) returned 1 [0049.046] lstrcmpiW (lpString1="2070", lpString2=".") returned 1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="..") returned 1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="...") returned 1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="windows") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="$RECYCLE.BIN") returned 1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="rsa") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="NTDETECT.COM") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="ntldr") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="MSDOS.SYS") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="IO.SYS") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="boot.ini") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="AUTOEXEC.BAT") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="ntuser.dat") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="desktop.ini") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="CONFIG.SYS") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="RECYCLER") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="BOOTSECT.BAK") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="bootmgr") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="programdata") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="appdata") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="program files") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="program files (x86)") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="microsoft") returned -1 [0049.046] lstrcmpiW (lpString1="2070", lpString2="sophos") returned -1 [0049.047] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0049.047] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0049.047] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0049.047] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0049.047] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0049.047] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\2070\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2688 [0049.047] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.047] FindNextFileW (in: hFindFile=0xbe2688, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.047] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.047] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.047] FindNextFileW (in: hFindFile=0xbe2688, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xfaf, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0049.047] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0049.047] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0049.047] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0049.047] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0049.047] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0049.047] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0049.047] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0049.047] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0049.047] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0049.047] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0049.047] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0049.047] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0049.048] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0049.048] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0049.048] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0049.048] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0049.048] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0049.048] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0049.048] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0049.048] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0049.048] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0049.048] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0049.048] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0049.048] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0049.048] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0049.048] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.048] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0049.048] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0049.049] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0049.049] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0049.049] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.207] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=4015) returned 1 [0049.209] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0049.209] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0049.209] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0049.209] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0049.209] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.209] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.209] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.210] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.211] GetTickCount () returned 0x114dc67 [0049.211] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0049.211] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.211] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xfaf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.211] SetLastError (dwErrCode=0x0) [0049.211] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.214] GetLastError () returned 0x0 [0049.214] GetLastError () returned 0x0 [0049.214] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x10af, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.214] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.214] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x11af, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.214] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1853543a, dwHighDateTime=0x1d5f971)) [0049.214] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0049.214] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.214] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.214] GetProcessHeap () returned 0xbc0000 [0049.214] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xfaf) returned 0xbeb608 [0049.214] GetSystemDefaultLangID () returned 0xbd0409 [0049.214] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.214] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0xfaf, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0xfaf, lpOverlapped=0x0) returned 1 [0049.215] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.215] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0xfaf, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0xfaf, lpOverlapped=0x0) returned 1 [0049.215] GetProcessHeap () returned 0xbc0000 [0049.215] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.215] CloseHandle (hObject=0x264) returned 1 [0049.216] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.216] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.216] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0049.216] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0049.216] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0049.216] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\2070\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\2070\\eula.rtf.nefilim")) returned 1 [0049.218] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.218] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0049.218] FindNextFileW (in: hFindFile=0xbe2688, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1397e, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0049.218] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0049.218] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0049.218] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0049.218] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0049.218] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0049.218] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0049.219] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0049.219] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0049.219] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0049.219] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0049.219] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0049.219] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0049.219] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0049.219] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0049.219] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0049.219] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0049.219] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0049.219] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0049.219] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0049.219] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0049.219] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0049.220] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0049.220] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0049.220] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0049.220] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0049.220] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0049.220] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0049.220] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.220] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.220] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=80254) returned 1 [0049.220] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0049.220] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0049.220] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0049.220] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0049.220] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.220] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.220] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.220] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.221] GetTickCount () returned 0x114dc67 [0049.221] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0049.221] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.221] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1397e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.221] SetLastError (dwErrCode=0x0) [0049.221] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.223] GetLastError () returned 0x0 [0049.223] GetLastError () returned 0x0 [0049.223] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13a7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.223] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.223] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13b7e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.223] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x18559885, dwHighDateTime=0x1d5f971)) [0049.223] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.223] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.223] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.223] GetProcessHeap () returned 0xbc0000 [0049.223] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1397e) returned 0xbeb608 [0049.224] GetSystemDefaultLangID () returned 0xbd0409 [0049.224] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.224] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1397e, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x1397e, lpOverlapped=0x0) returned 1 [0049.230] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.230] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1397e, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x1397e, lpOverlapped=0x0) returned 1 [0049.231] GetProcessHeap () returned 0xbc0000 [0049.231] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.231] CloseHandle (hObject=0x264) returned 1 [0049.233] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.233] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.233] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0049.233] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0049.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.233] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\2070\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\2070\\localizeddata.xml.nefilim")) returned 1 [0049.234] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.234] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.234] FindNextFileW (in: hFindFile=0xbe2688, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0049.234] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0049.234] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0049.234] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0049.234] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0049.234] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0049.234] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0049.234] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0049.235] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0049.235] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.235] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0049.235] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0049.235] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0049.235] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0049.235] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0049.235] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0049.235] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0049.235] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0049.235] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0049.235] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0049.235] FindNextFileW (in: hFindFile=0xbe2688, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0049.236] FindClose (in: hFindFile=0xbe2688 | out: hFindFile=0xbe2688) returned 1 [0049.236] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.236] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0049.236] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0049.236] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="3076", cAlternateFileName="")) returned 1 [0049.236] lstrcmpiW (lpString1="3076", lpString2=".") returned 1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="..") returned 1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="...") returned 1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="windows") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="$RECYCLE.BIN") returned 1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="rsa") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="NTDETECT.COM") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="ntldr") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="MSDOS.SYS") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="IO.SYS") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="boot.ini") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="AUTOEXEC.BAT") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="ntuser.dat") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="desktop.ini") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="CONFIG.SYS") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="RECYCLER") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="BOOTSECT.BAK") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="bootmgr") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="programdata") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="appdata") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="program files") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="program files (x86)") returned -1 [0049.236] lstrcmpiW (lpString1="3076", lpString2="microsoft") returned -1 [0049.237] lstrcmpiW (lpString1="3076", lpString2="sophos") returned -1 [0049.237] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0049.237] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0049.237] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0049.237] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0049.237] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0049.237] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3076\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2748 [0049.237] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.237] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf37db23a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.237] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.237] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.237] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0x18a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0049.237] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0049.237] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0049.237] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0049.237] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0049.237] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0049.237] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0049.237] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0049.237] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0049.237] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0049.238] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0049.238] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0049.238] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0049.238] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0049.238] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0049.238] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0049.238] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0049.238] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0049.238] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0049.238] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0049.238] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0049.238] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0049.238] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0049.238] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0049.238] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0049.238] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0049.238] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.239] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0049.239] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0049.239] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0049.239] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0049.239] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.240] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=6309) returned 1 [0049.240] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0049.240] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0049.240] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0049.240] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0049.240] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.240] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.240] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.241] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.242] GetTickCount () returned 0x114dc86 [0049.242] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0049.242] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.242] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x18a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.242] SetLastError (dwErrCode=0x0) [0049.242] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.265] GetLastError () returned 0x0 [0049.265] GetLastError () returned 0x0 [0049.265] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x19a5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.265] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.265] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1aa5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.265] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x185a5db8, dwHighDateTime=0x1d5f971)) [0049.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0049.265] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.265] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.265] GetProcessHeap () returned 0xbc0000 [0049.265] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x18a5) returned 0xbeb608 [0049.265] GetSystemDefaultLangID () returned 0xbd0409 [0049.265] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.265] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x18a5, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x18a5, lpOverlapped=0x0) returned 1 [0049.266] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.267] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x18a5, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x18a5, lpOverlapped=0x0) returned 1 [0049.267] GetProcessHeap () returned 0xbc0000 [0049.267] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.267] CloseHandle (hObject=0x264) returned 1 [0049.267] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.267] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.268] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0049.268] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0049.268] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0049.268] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\3076\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\3076\\eula.rtf.nefilim")) returned 1 [0049.270] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.270] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0049.270] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0xed90, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0049.270] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0049.271] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0049.271] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0049.271] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0049.271] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0049.271] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0049.271] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0049.271] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0049.271] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.271] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.271] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=60816) returned 1 [0049.271] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0049.271] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0049.271] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0049.272] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0049.272] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.272] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.272] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.272] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.272] GetTickCount () returned 0x114dca5 [0049.272] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0049.272] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.272] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xed90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.272] SetLastError (dwErrCode=0x0) [0049.272] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.274] GetLastError () returned 0x0 [0049.274] GetLastError () returned 0x0 [0049.274] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xee90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.274] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.274] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xef90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.274] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x185cbf92, dwHighDateTime=0x1d5f971)) [0049.274] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.274] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.275] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.275] GetProcessHeap () returned 0xbc0000 [0049.275] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xed90) returned 0xbeb608 [0049.275] GetSystemDefaultLangID () returned 0xbd0409 [0049.275] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.275] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0xed90, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0xed90, lpOverlapped=0x0) returned 1 [0049.279] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.279] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0xed90, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0xed90, lpOverlapped=0x0) returned 1 [0049.280] GetProcessHeap () returned 0xbc0000 [0049.280] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.280] CloseHandle (hObject=0x264) returned 1 [0049.282] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.282] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.282] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0049.282] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0049.282] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.282] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\3076\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\3076\\localizeddata.xml.nefilim")) returned 1 [0049.282] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.282] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.282] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0049.282] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0049.282] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0049.282] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0049.282] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0049.282] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0049.282] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0049.282] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0049.282] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0049.282] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0049.283] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0049.283] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0049.283] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0049.283] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0049.283] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0049.283] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0049.283] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0049.283] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0049.283] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0049.283] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0049.283] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0049.283] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0049.283] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0049.283] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0049.283] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0049.283] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.283] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0049.283] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0049.283] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0049.283] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0049.283] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0049.283] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0049.283] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0049.283] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0049.283] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0049.283] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0049.283] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x3758, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0049.283] FindClose (in: hFindFile=0xbe2748 | out: hFindFile=0xbe2748) returned 1 [0049.283] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.283] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0049.283] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0049.283] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="3082", cAlternateFileName="")) returned 1 [0049.284] lstrcmpiW (lpString1="3082", lpString2=".") returned 1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="..") returned 1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="...") returned 1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="windows") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="$RECYCLE.BIN") returned 1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="rsa") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="NTDETECT.COM") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="ntldr") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="MSDOS.SYS") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="IO.SYS") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="boot.ini") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="AUTOEXEC.BAT") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="ntuser.dat") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="desktop.ini") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="CONFIG.SYS") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="RECYCLER") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="BOOTSECT.BAK") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="bootmgr") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="programdata") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="appdata") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="program files") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="program files (x86)") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="microsoft") returned -1 [0049.284] lstrcmpiW (lpString1="3082", lpString2="sophos") returned -1 [0049.284] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0049.284] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0049.284] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0049.284] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0049.284] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0049.284] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\3082\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe28c8 [0049.285] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.285] FindNextFileW (in: hFindFile=0xbe28c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf37b4fe2, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf38014a5, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.285] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.285] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.285] FindNextFileW (in: hFindFile=0xbe28c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x69d9e300, ftCreationTime.dwHighDateTime=0x1cac0d3, ftLastAccessTime.dwLowDateTime=0x69d9e300, ftLastAccessTime.dwHighDateTime=0x1cac0d3, ftLastWriteTime.dwLowDateTime=0x69d9e300, ftLastWriteTime.dwHighDateTime=0x1cac0d3, nFileSizeHigh=0x0, nFileSizeLow=0xbfd, dwReserved0=0x0, dwReserved1=0x0, cFileName="eula.rtf", cAlternateFileName="")) returned 1 [0049.285] lstrcmpiW (lpString1="eula.rtf", lpString2=".") returned 1 [0049.285] lstrcmpiW (lpString1="eula.rtf", lpString2="..") returned 1 [0049.285] lstrcmpiW (lpString1="eula.rtf", lpString2="...") returned 1 [0049.285] lstrcmpiW (lpString1="eula.rtf", lpString2="windows") returned -1 [0049.285] lstrcmpiW (lpString1="eula.rtf", lpString2="$RECYCLE.BIN") returned 1 [0049.285] lstrcmpiW (lpString1="eula.rtf", lpString2="rsa") returned -1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="NTDETECT.COM") returned -1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="ntldr") returned -1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="MSDOS.SYS") returned -1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="IO.SYS") returned -1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="boot.ini") returned 1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="ntuser.dat") returned -1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="desktop.ini") returned 1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="CONFIG.SYS") returned 1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="RECYCLER") returned -1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="BOOTSECT.BAK") returned 1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="bootmgr") returned 1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="programdata") returned -1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="appdata") returned 1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="program files") returned -1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="program files (x86)") returned -1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="microsoft") returned -1 [0049.286] lstrcmpiW (lpString1="eula.rtf", lpString2="sophos") returned -1 [0049.286] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681450 [0049.286] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.286] PathFindExtensionW (pszPath="eula.rtf") returned=".rtf" [0049.286] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0049.286] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0049.286] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0049.286] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0049.286] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0049.286] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0049.286] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0049.286] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0049.286] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0049.286] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0049.287] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0049.287] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0049.287] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0049.287] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0049.287] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0049.287] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0049.287] lstrcmpiW (lpString1="eula.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0049.287] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26814a8 [0049.287] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.287] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=3069) returned 1 [0049.287] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0049.287] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681518 [0049.287] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0049.287] SystemFunction036 (in: RandomBuffer=0x2681518, RandomBufferLength=0x10 | out: RandomBuffer=0x2681518) returned 1 [0049.287] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.287] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.287] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.288] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.289] GetTickCount () returned 0x114dcb5 [0049.289] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681408 [0049.289] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.289] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xbfd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.289] SetLastError (dwErrCode=0x0) [0049.289] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.291] GetLastError () returned 0x0 [0049.291] GetLastError () returned 0x0 [0049.291] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xcfd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.292] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.292] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0xdfd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.292] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x185f2400, dwHighDateTime=0x1d5f971)) [0049.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681408 [0049.292] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.292] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.292] GetProcessHeap () returned 0xbc0000 [0049.292] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xbfd) returned 0xbeb608 [0049.292] GetSystemDefaultLangID () returned 0xbd0409 [0049.292] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.292] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0xbfd, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0xbfd, lpOverlapped=0x0) returned 1 [0049.292] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.292] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0xbfd, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0xbfd, lpOverlapped=0x0) returned 1 [0049.292] GetProcessHeap () returned 0xbc0000 [0049.292] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.292] CloseHandle (hObject=0x264) returned 1 [0049.293] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.293] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.293] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681500 | out: hHeap=0x2680000) returned 1 [0049.293] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681518 | out: hHeap=0x2680000) returned 1 [0049.293] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681fc8 [0049.293] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf"), lpNewFileName="C:\\588bce7c90097ed212\\3082\\eula.rtf.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\3082\\eula.rtf.nefilim")) returned 1 [0049.299] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.299] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0049.299] FindNextFileW (in: hFindFile=0xbe28c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5398dc00, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x5398dc00, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x5398dc00, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x1387c, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalizedData.xml", cAlternateFileName="LOCALI~1.XML")) returned 1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2=".") returned 1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="..") returned 1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="...") returned 1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="windows") returned -1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="$RECYCLE.BIN") returned 1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="rsa") returned -1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NTDETECT.COM") returned -1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntldr") returned -1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="MSDOS.SYS") returned -1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="IO.SYS") returned 1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="boot.ini") returned 1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="AUTOEXEC.BAT") returned 1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="ntuser.dat") returned -1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="desktop.ini") returned 1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="CONFIG.SYS") returned 1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="RECYCLER") returned -1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="BOOTSECT.BAK") returned 1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="bootmgr") returned 1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="programdata") returned -1 [0049.299] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="appdata") returned 1 [0049.300] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files") returned -1 [0049.300] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="program files (x86)") returned -1 [0049.300] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="microsoft") returned -1 [0049.300] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="sophos") returned -1 [0049.300] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814a8 [0049.300] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0049.300] PathFindExtensionW (pszPath="LocalizedData.xml") returned=".xml" [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0049.300] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0049.300] lstrcmpiW (lpString1="LocalizedData.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0049.300] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.300] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.300] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=79996) returned 1 [0049.300] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681510 [0049.300] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681528 [0049.301] SystemFunction036 (in: RandomBuffer=0x2681510, RandomBufferLength=0x10 | out: RandomBuffer=0x2681510) returned 1 [0049.301] SystemFunction036 (in: RandomBuffer=0x2681528, RandomBufferLength=0x10 | out: RandomBuffer=0x2681528) returned 1 [0049.327] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.327] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.327] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.328] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.328] GetTickCount () returned 0x114dcd4 [0049.328] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681470 [0049.328] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.328] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1387c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.328] SetLastError (dwErrCode=0x0) [0049.328] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.330] GetLastError () returned 0x0 [0049.330] GetLastError () returned 0x0 [0049.330] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x1397c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.330] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.330] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x13a7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.330] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x18654ca6, dwHighDateTime=0x1d5f971)) [0049.330] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.330] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.330] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.331] GetProcessHeap () returned 0xbc0000 [0049.331] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1387c) returned 0xbeb608 [0049.331] GetSystemDefaultLangID () returned 0xbd0409 [0049.331] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.331] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1387c, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x1387c, lpOverlapped=0x0) returned 1 [0049.337] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.337] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1387c, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x1387c, lpOverlapped=0x0) returned 1 [0049.338] GetProcessHeap () returned 0xbc0000 [0049.338] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.338] CloseHandle (hObject=0x264) returned 1 [0049.340] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.340] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.340] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681510 | out: hHeap=0x2680000) returned 1 [0049.340] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681528 | out: hHeap=0x2680000) returned 1 [0049.340] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.340] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml"), lpNewFileName="C:\\588bce7c90097ed212\\3082\\LocalizedData.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\3082\\localizeddata.xml.nefilim")) returned 1 [0049.340] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.340] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.340] FindNextFileW (in: hFindFile=0xbe28c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 1 [0049.340] lstrcmpiW (lpString1="SetupResources.dll", lpString2=".") returned 1 [0049.340] lstrcmpiW (lpString1="SetupResources.dll", lpString2="..") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="...") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="windows") returned -1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="$RECYCLE.BIN") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="rsa") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="NTDETECT.COM") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntldr") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="MSDOS.SYS") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="IO.SYS") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="boot.ini") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="AUTOEXEC.BAT") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="ntuser.dat") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="desktop.ini") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="CONFIG.SYS") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="RECYCLER") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="BOOTSECT.BAK") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="bootmgr") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="programdata") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="appdata") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="program files (x86)") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="microsoft") returned 1 [0049.341] lstrcmpiW (lpString1="SetupResources.dll", lpString2="sophos") returned -1 [0049.341] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.341] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a8 | out: hHeap=0x2680000) returned 1 [0049.341] PathFindExtensionW (pszPath="SetupResources.dll") returned=".dll" [0049.341] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0049.341] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0049.341] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0049.341] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0049.341] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0049.341] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0049.341] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0049.341] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0049.341] FindNextFileW (in: hFindFile=0xbe28c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x4958, dwReserved0=0x0, dwReserved1=0x0, cFileName="SetupResources.dll", cAlternateFileName="SETUPR~1.DLL")) returned 0 [0049.342] FindClose (in: hFindFile=0xbe28c8 | out: hFindFile=0xbe28c8) returned 1 [0049.342] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.342] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0049.342] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0049.342] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="Client", cAlternateFileName="")) returned 1 [0049.342] lstrcmpiW (lpString1="Client", lpString2=".") returned 1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="..") returned 1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="...") returned 1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="windows") returned -1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="$RECYCLE.BIN") returned 1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="rsa") returned -1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="NTDETECT.COM") returned -1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="ntldr") returned -1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="MSDOS.SYS") returned -1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="IO.SYS") returned -1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="boot.ini") returned 1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="AUTOEXEC.BAT") returned 1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="ntuser.dat") returned -1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="desktop.ini") returned -1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="CONFIG.SYS") returned -1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="RECYCLER") returned -1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="BOOTSECT.BAK") returned 1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="bootmgr") returned 1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="programdata") returned -1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="appdata") returned 1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="program files") returned -1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="program files (x86)") returned -1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="microsoft") returned -1 [0049.342] lstrcmpiW (lpString1="Client", lpString2="sophos") returned -1 [0049.342] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0049.342] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0049.342] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0049.342] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0049.342] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681408 [0049.343] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Client\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2348 [0049.343] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.343] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf3768b28, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf3768b28, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0049.343] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.343] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.343] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce2bc00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0xce2bc00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0xce2bc00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x31444, dwReserved0=0x0, dwReserved1=0x0, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0049.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2=".") returned 1 [0049.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="..") returned 1 [0049.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="...") returned 1 [0049.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="windows") returned -1 [0049.343] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="rsa") returned -1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="NTDETECT.COM") returned 1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="ntldr") returned 1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="MSDOS.SYS") returned 1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="IO.SYS") returned 1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="boot.ini") returned 1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="AUTOEXEC.BAT") returned 1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="ntuser.dat") returned 1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="desktop.ini") returned 1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="CONFIG.SYS") returned 1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="RECYCLER") returned -1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="BOOTSECT.BAK") returned 1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="bootmgr") returned 1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="programdata") returned -1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="appdata") returned 1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="program files") returned -1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="program files (x86)") returned -1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="microsoft") returned 1 [0049.344] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="sophos") returned -1 [0049.344] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681460 [0049.344] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.344] PathFindExtensionW (pszPath="Parameterinfo.xml") returned=".xml" [0049.344] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0049.344] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0049.344] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0049.344] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0049.344] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0049.344] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0049.344] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0049.344] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0049.344] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0049.344] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0049.344] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0049.344] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0049.344] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0049.344] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0049.345] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0049.345] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0049.345] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.345] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814c8 [0049.345] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.345] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=201796) returned 1 [0049.345] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681408 [0049.345] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681420 [0049.345] SystemFunction036 (in: RandomBuffer=0x2681408, RandomBufferLength=0x10 | out: RandomBuffer=0x2681408) returned 1 [0049.345] SystemFunction036 (in: RandomBuffer=0x2681420, RandomBufferLength=0x10 | out: RandomBuffer=0x2681420) returned 1 [0049.345] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.345] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.345] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.346] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.347] GetTickCount () returned 0x114dce4 [0049.347] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26821d8 [0049.347] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.347] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x31444, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.347] SetLastError (dwErrCode=0x0) [0049.347] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.350] GetLastError () returned 0x0 [0049.350] GetLastError () returned 0x0 [0049.350] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x31544, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.350] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.350] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x31644, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.350] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1868abaa, dwHighDateTime=0x1d5f971)) [0049.350] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.350] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.350] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.350] GetProcessHeap () returned 0xbc0000 [0049.350] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x31444) returned 0xbeb608 [0049.351] GetSystemDefaultLangID () returned 0xbd0409 [0049.351] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.351] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x31444, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x31444, lpOverlapped=0x0) returned 1 [0049.374] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.374] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x31444, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x31444, lpOverlapped=0x0) returned 1 [0049.375] GetProcessHeap () returned 0xbc0000 [0049.375] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.375] CloseHandle (hObject=0x264) returned 1 [0049.379] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.379] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.379] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.379] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681420 | out: hHeap=0x2680000) returned 1 [0049.379] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.379] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Client\\Parameterinfo.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\client\\parameterinfo.xml.nefilim")) returned 1 [0049.380] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.380] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814c8 | out: hHeap=0x2680000) returned 1 [0049.380] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2=".") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="..") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="...") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="windows") returned -1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="rsa") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="NTDETECT.COM") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="ntldr") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="MSDOS.SYS") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="IO.SYS") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="boot.ini") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="AUTOEXEC.BAT") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="ntuser.dat") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="desktop.ini") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="CONFIG.SYS") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="RECYCLER") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="BOOTSECT.BAK") returned 1 [0049.380] lstrcmpiW (lpString1="UiInfo.xml", lpString2="bootmgr") returned 1 [0049.381] lstrcmpiW (lpString1="UiInfo.xml", lpString2="programdata") returned 1 [0049.381] lstrcmpiW (lpString1="UiInfo.xml", lpString2="appdata") returned 1 [0049.381] lstrcmpiW (lpString1="UiInfo.xml", lpString2="program files") returned 1 [0049.381] lstrcmpiW (lpString1="UiInfo.xml", lpString2="program files (x86)") returned 1 [0049.381] lstrcmpiW (lpString1="UiInfo.xml", lpString2="microsoft") returned 1 [0049.381] lstrcmpiW (lpString1="UiInfo.xml", lpString2="sophos") returned 1 [0049.381] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681408 [0049.381] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681460 | out: hHeap=0x2680000) returned 1 [0049.381] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0049.381] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0049.381] lstrcmpiW (lpString1="UiInfo.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.381] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681460 [0049.381] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.382] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=39042) returned 1 [0049.382] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814b8 [0049.382] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814d0 [0049.382] SystemFunction036 (in: RandomBuffer=0x26814b8, RandomBufferLength=0x10 | out: RandomBuffer=0x26814b8) returned 1 [0049.382] SystemFunction036 (in: RandomBuffer=0x26814d0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814d0) returned 1 [0049.382] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.382] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.382] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.384] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.385] GetTickCount () returned 0x114dd13 [0049.385] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814e8 [0049.385] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814e8 | out: hHeap=0x2680000) returned 1 [0049.385] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x9882, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.385] SetLastError (dwErrCode=0x0) [0049.385] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.388] GetLastError () returned 0x0 [0049.388] GetLastError () returned 0x0 [0049.388] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x9982, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.388] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.388] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x9a82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.388] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x186d79c5, dwHighDateTime=0x1d5f971)) [0049.388] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814e8 [0049.388] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814e8 | out: hHeap=0x2680000) returned 1 [0049.388] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.388] GetProcessHeap () returned 0xbc0000 [0049.388] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x9882) returned 0xbeb608 [0049.389] GetSystemDefaultLangID () returned 0xbd0409 [0049.389] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.389] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x9882, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x9882, lpOverlapped=0x0) returned 1 [0049.391] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.391] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x9882, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x9882, lpOverlapped=0x0) returned 1 [0049.392] GetProcessHeap () returned 0xbc0000 [0049.392] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.392] CloseHandle (hObject=0x264) returned 1 [0049.394] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.394] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.394] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0049.394] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d0 | out: hHeap=0x2680000) returned 1 [0049.394] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814b8 [0049.394] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Client\\UiInfo.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\client\\uiinfo.xml.nefilim")) returned 1 [0049.395] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0049.395] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681460 | out: hHeap=0x2680000) returned 1 [0049.395] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x9882, dwReserved0=0x0, dwReserved1=0x0, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0049.395] FindClose (in: hFindFile=0xbe2348 | out: hFindFile=0xbe2348) returned 1 [0049.395] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.395] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0049.395] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0049.395] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbc518d00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbc518d00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbc518d00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3ef6, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="DHtmlHeader.html", cAlternateFileName="DHTMLH~1.HTM")) returned 1 [0049.395] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2=".") returned 1 [0049.395] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="..") returned 1 [0049.395] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="...") returned 1 [0049.395] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="windows") returned -1 [0049.395] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="$RECYCLE.BIN") returned 1 [0049.395] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="rsa") returned -1 [0049.395] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="NTDETECT.COM") returned -1 [0049.395] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="ntldr") returned -1 [0049.395] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="MSDOS.SYS") returned -1 [0049.395] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="IO.SYS") returned -1 [0049.395] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="boot.ini") returned 1 [0049.396] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="AUTOEXEC.BAT") returned 1 [0049.396] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="ntuser.dat") returned -1 [0049.396] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="desktop.ini") returned 1 [0049.396] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="CONFIG.SYS") returned 1 [0049.396] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="RECYCLER") returned -1 [0049.396] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="BOOTSECT.BAK") returned 1 [0049.396] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="bootmgr") returned 1 [0049.396] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="programdata") returned -1 [0049.396] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="appdata") returned 1 [0049.396] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="program files") returned -1 [0049.396] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="program files (x86)") returned -1 [0049.396] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="microsoft") returned -1 [0049.396] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="sophos") returned -1 [0049.396] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681378 [0049.396] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0049.396] PathFindExtensionW (pszPath="DHtmlHeader.html") returned=".html" [0049.396] lstrcmpiW (lpString1=".html", lpString2=".exe") returned 1 [0049.396] lstrcmpiW (lpString1=".html", lpString2=".log") returned -1 [0049.396] lstrcmpiW (lpString1=".html", lpString2=".cab") returned 1 [0049.396] lstrcmpiW (lpString1=".html", lpString2=".cmd") returned 1 [0049.396] lstrcmpiW (lpString1=".html", lpString2=".com") returned 1 [0049.396] lstrcmpiW (lpString1=".html", lpString2=".cpl") returned 1 [0049.396] lstrcmpiW (lpString1=".html", lpString2=".ini") returned -1 [0049.396] lstrcmpiW (lpString1=".html", lpString2=".dll") returned 1 [0049.396] lstrcmpiW (lpString1=".html", lpString2=".url") returned -1 [0049.396] lstrcmpiW (lpString1=".html", lpString2=".ttf") returned -1 [0049.396] lstrcmpiW (lpString1=".html", lpString2=".mp3") returned -1 [0049.396] lstrcmpiW (lpString1=".html", lpString2=".pif") returned -1 [0049.396] lstrcmpiW (lpString1=".html", lpString2=".mp4") returned -1 [0049.396] lstrcmpiW (lpString1=".html", lpString2=".NEFILIM") returned -1 [0049.396] lstrcmpiW (lpString1=".html", lpString2=".msi") returned -1 [0049.396] lstrcmpiW (lpString1=".html", lpString2=".lnk") returned -1 [0049.396] lstrcmpiW (lpString1="DHtmlHeader.html", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0049.396] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26813d0 [0049.396] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0049.397] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=16118) returned 1 [0049.397] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681330 [0049.397] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681348 [0049.397] SystemFunction036 (in: RandomBuffer=0x2681330, RandomBufferLength=0x10 | out: RandomBuffer=0x2681330) returned 1 [0049.397] SystemFunction036 (in: RandomBuffer=0x2681348, RandomBufferLength=0x10 | out: RandomBuffer=0x2681348) returned 1 [0049.397] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681428 [0049.397] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.397] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681428*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681428*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0049.399] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0049.401] GetTickCount () returned 0x114dd22 [0049.401] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26820d0 [0049.401] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.401] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ef6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.401] SetLastError (dwErrCode=0x0) [0049.401] WriteFile (in: hFile=0x260, lpBuffer=0x2681428*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681428*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0049.403] GetLastError () returned 0x0 [0049.403] GetLastError () returned 0x0 [0049.403] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ff6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.403] WriteFile (in: hFile=0x260, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0049.403] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x40f6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.403] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x186fd31e, dwHighDateTime=0x1d5f971)) [0049.403] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26820d0 [0049.403] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.404] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0049.404] GetProcessHeap () returned 0xbc0000 [0049.404] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3ef6) returned 0xbeb608 [0049.404] GetSystemDefaultLangID () returned 0xbd0409 [0049.404] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.405] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x3ef6, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x3ef6, lpOverlapped=0x0) returned 1 [0049.417] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.417] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x3ef6, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x3ef6, lpOverlapped=0x0) returned 1 [0049.417] GetProcessHeap () returned 0xbc0000 [0049.417] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.417] CloseHandle (hObject=0x260) returned 1 [0049.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681428 | out: hHeap=0x2680000) returned 1 [0049.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0049.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681348 | out: hHeap=0x2680000) returned 1 [0049.418] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681428 [0049.418] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html"), lpNewFileName="C:\\588bce7c90097ed212\\DHtmlHeader.html.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\dhtmlheader.html.nefilim")) returned 1 [0049.419] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681428 | out: hHeap=0x2680000) returned 1 [0049.419] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813d0 | out: hHeap=0x2680000) returned 1 [0049.419] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x159d5, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="DisplayIcon.ico", cAlternateFileName="DISPLA~1.ICO")) returned 1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2=".") returned 1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="..") returned 1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="...") returned 1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="windows") returned -1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="rsa") returned -1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="NTDETECT.COM") returned -1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="ntldr") returned -1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="MSDOS.SYS") returned -1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="IO.SYS") returned -1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="boot.ini") returned 1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="ntuser.dat") returned -1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="desktop.ini") returned 1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="CONFIG.SYS") returned 1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="RECYCLER") returned -1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="bootmgr") returned 1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="programdata") returned -1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="appdata") returned 1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="program files") returned -1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="program files (x86)") returned -1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="microsoft") returned -1 [0049.419] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="sophos") returned -1 [0049.419] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26813d0 [0049.419] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0049.420] PathFindExtensionW (pszPath="DisplayIcon.ico") returned=".ico" [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.420] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.420] lstrcmpiW (lpString1="DisplayIcon.ico", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0049.420] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681330 [0049.420] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0049.421] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=88533) returned 1 [0049.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681388 [0049.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26813a0 [0049.421] SystemFunction036 (in: RandomBuffer=0x2681388, RandomBufferLength=0x10 | out: RandomBuffer=0x2681388) returned 1 [0049.421] SystemFunction036 (in: RandomBuffer=0x26813a0, RandomBufferLength=0x10 | out: RandomBuffer=0x26813a0) returned 1 [0049.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681428 [0049.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.421] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681428*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681428*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0049.422] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0049.424] GetTickCount () returned 0x114dd32 [0049.424] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26820d0 [0049.424] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.424] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x159d5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.424] SetLastError (dwErrCode=0x0) [0049.424] WriteFile (in: hFile=0x260, lpBuffer=0x2681428*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681428*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0049.427] GetLastError () returned 0x0 [0049.427] GetLastError () returned 0x0 [0049.427] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15ad5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.427] WriteFile (in: hFile=0x260, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0049.427] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15bd5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.427] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x18749736, dwHighDateTime=0x1d5f971)) [0049.427] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26820d0 [0049.427] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.427] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0049.427] GetProcessHeap () returned 0xbc0000 [0049.427] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x159d5) returned 0xbeb608 [0049.428] GetSystemDefaultLangID () returned 0xbd0409 [0049.428] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.428] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x159d5, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x159d5, lpOverlapped=0x0) returned 1 [0049.434] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.434] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x159d5, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x159d5, lpOverlapped=0x0) returned 1 [0049.434] GetProcessHeap () returned 0xbc0000 [0049.434] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.434] CloseHandle (hObject=0x260) returned 1 [0049.436] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681428 | out: hHeap=0x2680000) returned 1 [0049.436] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.436] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681388 | out: hHeap=0x2680000) returned 1 [0049.436] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813a0 | out: hHeap=0x2680000) returned 1 [0049.436] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681428 [0049.437] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico"), lpNewFileName="C:\\588bce7c90097ed212\\DisplayIcon.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\displayicon.ico.nefilim")) returned 1 [0049.437] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681428 | out: hHeap=0x2680000) returned 1 [0049.437] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0049.437] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="Extended", cAlternateFileName="")) returned 1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2=".") returned 1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2="..") returned 1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2="...") returned 1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2="windows") returned -1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2="$RECYCLE.BIN") returned 1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2="rsa") returned -1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2="NTDETECT.COM") returned -1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2="ntldr") returned -1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2="MSDOS.SYS") returned -1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2="IO.SYS") returned -1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2="boot.ini") returned 1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2="AUTOEXEC.BAT") returned 1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2="ntuser.dat") returned -1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2="desktop.ini") returned 1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2="CONFIG.SYS") returned 1 [0049.437] lstrcmpiW (lpString1="Extended", lpString2="RECYCLER") returned -1 [0049.438] lstrcmpiW (lpString1="Extended", lpString2="BOOTSECT.BAK") returned 1 [0049.438] lstrcmpiW (lpString1="Extended", lpString2="bootmgr") returned 1 [0049.438] lstrcmpiW (lpString1="Extended", lpString2="programdata") returned -1 [0049.438] lstrcmpiW (lpString1="Extended", lpString2="appdata") returned 1 [0049.438] lstrcmpiW (lpString1="Extended", lpString2="program files") returned -1 [0049.438] lstrcmpiW (lpString1="Extended", lpString2="program files (x86)") returned -1 [0049.438] lstrcmpiW (lpString1="Extended", lpString2="microsoft") returned -1 [0049.438] lstrcmpiW (lpString1="Extended", lpString2="sophos") returned -1 [0049.438] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0049.438] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813d0 | out: hHeap=0x2680000) returned 1 [0049.438] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0049.438] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0049.438] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681408 [0049.438] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Extended\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2681330, dwReserved1=0x80, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0049.438] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.438] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf378ed8a, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf378ed8a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf378ed8a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="..", cAlternateFileName="")) returned 1 [0049.438] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.438] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.438] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2a714f00, ftCreationTime.dwHighDateTime=0x1cac6f0, ftLastAccessTime.dwLowDateTime=0x2a714f00, ftLastAccessTime.dwHighDateTime=0x1cac6f0, ftLastWriteTime.dwLowDateTime=0x2a714f00, ftLastWriteTime.dwHighDateTime=0x1cac6f0, nFileSizeHigh=0x0, nFileSizeLow=0x16c82, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="Parameterinfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0049.438] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2=".") returned 1 [0049.438] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="..") returned 1 [0049.438] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="...") returned 1 [0049.438] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="windows") returned -1 [0049.438] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0049.438] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="rsa") returned -1 [0049.438] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="NTDETECT.COM") returned 1 [0049.438] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="ntldr") returned 1 [0049.438] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="MSDOS.SYS") returned 1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="IO.SYS") returned 1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="boot.ini") returned 1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="AUTOEXEC.BAT") returned 1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="ntuser.dat") returned 1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="desktop.ini") returned 1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="CONFIG.SYS") returned 1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="RECYCLER") returned -1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="BOOTSECT.BAK") returned 1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="bootmgr") returned 1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="programdata") returned -1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="appdata") returned 1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="program files") returned -1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="program files (x86)") returned -1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="microsoft") returned 1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="sophos") returned -1 [0049.439] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681460 [0049.439] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.439] PathFindExtensionW (pszPath="Parameterinfo.xml") returned=".xml" [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0049.439] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0049.439] lstrcmpiW (lpString1="Parameterinfo.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.439] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.440] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.440] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=93314) returned 1 [0049.440] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681408 [0049.440] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681420 [0049.440] SystemFunction036 (in: RandomBuffer=0x2681408, RandomBufferLength=0x10 | out: RandomBuffer=0x2681408) returned 1 [0049.440] SystemFunction036 (in: RandomBuffer=0x2681420, RandomBufferLength=0x10 | out: RandomBuffer=0x2681420) returned 1 [0049.440] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2682040 [0049.440] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2682148 [0049.440] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2682040*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2682040*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.440] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2682148*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2682148*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.440] GetTickCount () returned 0x114dd42 [0049.440] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814d8 [0049.440] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d8 | out: hHeap=0x2680000) returned 1 [0049.440] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x16c82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.441] SetLastError (dwErrCode=0x0) [0049.441] WriteFile (in: hFile=0x264, lpBuffer=0x2682040*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2682040*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.443] GetLastError () returned 0x0 [0049.443] GetLastError () returned 0x0 [0049.443] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x16d82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.443] WriteFile (in: hFile=0x264, lpBuffer=0x2682148*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2682148*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.443] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x16e82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.443] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1876fa65, dwHighDateTime=0x1d5f971)) [0049.443] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814d8 [0049.443] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d8 | out: hHeap=0x2680000) returned 1 [0049.443] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.443] GetProcessHeap () returned 0xbc0000 [0049.443] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x16c82) returned 0xbeb608 [0049.443] GetSystemDefaultLangID () returned 0xbd0409 [0049.443] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.443] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x16c82, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x16c82, lpOverlapped=0x0) returned 1 [0049.448] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.448] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x16c82, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x16c82, lpOverlapped=0x0) returned 1 [0049.449] GetProcessHeap () returned 0xbc0000 [0049.449] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.449] CloseHandle (hObject=0x264) returned 1 [0049.451] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682040 | out: hHeap=0x2680000) returned 1 [0049.451] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682148 | out: hHeap=0x2680000) returned 1 [0049.451] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.451] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681420 | out: hHeap=0x2680000) returned 1 [0049.451] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2682040 [0049.451] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Extended\\Parameterinfo.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\extended\\parameterinfo.xml.nefilim")) returned 1 [0049.452] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682040 | out: hHeap=0x2680000) returned 1 [0049.452] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.452] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2=".") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="..") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="...") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="windows") returned -1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="rsa") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="NTDETECT.COM") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="ntldr") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="MSDOS.SYS") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="IO.SYS") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="boot.ini") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="AUTOEXEC.BAT") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="ntuser.dat") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="desktop.ini") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="CONFIG.SYS") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="RECYCLER") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="BOOTSECT.BAK") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="bootmgr") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="programdata") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="appdata") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="program files") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="program files (x86)") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="microsoft") returned 1 [0049.452] lstrcmpiW (lpString1="UiInfo.xml", lpString2="sophos") returned 1 [0049.452] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814d8 [0049.453] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681460 | out: hHeap=0x2680000) returned 1 [0049.453] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0049.453] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0049.453] lstrcmpiW (lpString1="UiInfo.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.453] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.453] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.453] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=39050) returned 1 [0049.453] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681470 [0049.453] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681488 [0049.454] SystemFunction036 (in: RandomBuffer=0x2681470, RandomBufferLength=0x10 | out: RandomBuffer=0x2681470) returned 1 [0049.454] SystemFunction036 (in: RandomBuffer=0x2681488, RandomBufferLength=0x10 | out: RandomBuffer=0x2681488) returned 1 [0049.454] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.454] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.454] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.455] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.457] GetTickCount () returned 0x114dd51 [0049.457] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814a0 [0049.457] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a0 | out: hHeap=0x2680000) returned 1 [0049.457] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x988a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.457] SetLastError (dwErrCode=0x0) [0049.457] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.467] GetLastError () returned 0x0 [0049.467] GetLastError () returned 0x0 [0049.467] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x998a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.467] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.467] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x9a8a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.467] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x18795caf, dwHighDateTime=0x1d5f971)) [0049.467] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.467] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.467] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.467] GetProcessHeap () returned 0xbc0000 [0049.467] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x988a) returned 0xbeb608 [0049.468] GetSystemDefaultLangID () returned 0xbd0409 [0049.468] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.468] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x988a, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x988a, lpOverlapped=0x0) returned 1 [0049.471] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.471] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x988a, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x988a, lpOverlapped=0x0) returned 1 [0049.471] GetProcessHeap () returned 0xbc0000 [0049.471] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.472] CloseHandle (hObject=0x264) returned 1 [0049.474] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.474] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.474] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.474] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681488 | out: hHeap=0x2680000) returned 1 [0049.474] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.474] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Extended\\UiInfo.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\extended\\uiinfo.xml.nefilim")) returned 1 [0049.475] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.475] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.475] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x988a, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="UiInfo.xml", cAlternateFileName="")) returned 0 [0049.475] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0049.475] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d8 | out: hHeap=0x2680000) returned 1 [0049.475] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0049.475] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0049.475] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="Graphics", cAlternateFileName="")) returned 1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2=".") returned 1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="..") returned 1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="...") returned 1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="windows") returned -1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="$RECYCLE.BIN") returned 1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="rsa") returned -1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="NTDETECT.COM") returned -1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="ntldr") returned -1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="MSDOS.SYS") returned -1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="IO.SYS") returned -1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="boot.ini") returned 1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="AUTOEXEC.BAT") returned 1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="ntuser.dat") returned -1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="desktop.ini") returned 1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="CONFIG.SYS") returned 1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="RECYCLER") returned -1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="BOOTSECT.BAK") returned 1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="bootmgr") returned 1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="programdata") returned -1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="appdata") returned 1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="program files") returned -1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="program files (x86)") returned -1 [0049.475] lstrcmpiW (lpString1="Graphics", lpString2="microsoft") returned -1 [0049.476] lstrcmpiW (lpString1="Graphics", lpString2="sophos") returned -1 [0049.476] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681378 [0049.476] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0049.476] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0049.476] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813c0 [0049.476] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681408 [0049.476] FindFirstFileW (in: lpFileName="C:\\588bce7c90097ed212\\Graphics\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2681330, dwReserved1=0x80, cFileName=".", cAlternateFileName="")) returned 0xbe2848 [0049.477] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0049.477] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf36f6419, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf371c69a, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf371c69a, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="..", cAlternateFileName="")) returned 1 [0049.477] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0049.478] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0049.478] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="Print.ico", cAlternateFileName="")) returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2=".") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="..") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="...") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="windows") returned -1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="rsa") returned -1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="NTDETECT.COM") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="ntldr") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="MSDOS.SYS") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="IO.SYS") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="boot.ini") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="ntuser.dat") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="desktop.ini") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="CONFIG.SYS") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="RECYCLER") returned -1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="bootmgr") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="programdata") returned -1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="appdata") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="program files") returned -1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="program files (x86)") returned -1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="microsoft") returned 1 [0049.478] lstrcmpiW (lpString1="Print.ico", lpString2="sophos") returned -1 [0049.478] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681460 [0049.478] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.478] PathFindExtensionW (pszPath="Print.ico") returned=".ico" [0049.478] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.478] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.478] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.478] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.478] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.478] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.479] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.479] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.479] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.479] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.479] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.479] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.479] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.479] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.479] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.479] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.479] lstrcmpiW (lpString1="Print.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.479] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814c8 [0049.479] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.479] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=1150) returned 1 [0049.480] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681408 [0049.480] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681420 [0049.480] SystemFunction036 (in: RandomBuffer=0x2681408, RandomBufferLength=0x10 | out: RandomBuffer=0x2681408) returned 1 [0049.480] SystemFunction036 (in: RandomBuffer=0x2681420, RandomBufferLength=0x10 | out: RandomBuffer=0x2681420) returned 1 [0049.480] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.480] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.480] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.481] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.481] GetTickCount () returned 0x114dd71 [0049.481] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26821d8 [0049.481] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.481] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.481] SetLastError (dwErrCode=0x0) [0049.481] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.483] GetLastError () returned 0x0 [0049.484] GetLastError () returned 0x0 [0049.484] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.484] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.484] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x67e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.484] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x187bbec4, dwHighDateTime=0x1d5f971)) [0049.484] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.484] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.484] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.484] GetProcessHeap () returned 0xbc0000 [0049.484] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x47e) returned 0xbeb608 [0049.484] GetSystemDefaultLangID () returned 0xbd0409 [0049.484] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.484] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x47e, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x47e, lpOverlapped=0x0) returned 1 [0049.484] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.484] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x47e, lpOverlapped=0x0) returned 1 [0049.484] GetProcessHeap () returned 0xbc0000 [0049.484] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.484] CloseHandle (hObject=0x264) returned 1 [0049.485] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.485] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.485] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.485] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681420 | out: hHeap=0x2680000) returned 1 [0049.485] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.485] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Print.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\print.ico.nefilim")) returned 1 [0049.486] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.486] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814c8 | out: hHeap=0x2680000) returned 1 [0049.486] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="Rotate1.ico", cAlternateFileName="")) returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2=".") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="..") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="...") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="windows") returned -1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="rsa") returned -1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="NTDETECT.COM") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="ntldr") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="MSDOS.SYS") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="IO.SYS") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="boot.ini") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="ntuser.dat") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="desktop.ini") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="CONFIG.SYS") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="RECYCLER") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="bootmgr") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="programdata") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="appdata") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="program files") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="program files (x86)") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="microsoft") returned 1 [0049.486] lstrcmpiW (lpString1="Rotate1.ico", lpString2="sophos") returned -1 [0049.486] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814c8 [0049.486] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681460 | out: hHeap=0x2680000) returned 1 [0049.486] PathFindExtensionW (pszPath="Rotate1.ico") returned=".ico" [0049.486] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.486] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.486] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.486] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.486] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.487] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.487] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.487] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.487] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.487] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.487] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.487] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.487] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.487] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.487] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.487] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.487] lstrcmpiW (lpString1="Rotate1.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.487] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.487] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.487] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=894) returned 1 [0049.487] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681470 [0049.487] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681488 [0049.487] SystemFunction036 (in: RandomBuffer=0x2681470, RandomBufferLength=0x10 | out: RandomBuffer=0x2681470) returned 1 [0049.487] SystemFunction036 (in: RandomBuffer=0x2681488, RandomBufferLength=0x10 | out: RandomBuffer=0x2681488) returned 1 [0049.487] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.487] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.487] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.488] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.488] GetTickCount () returned 0x114dd71 [0049.488] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26821d8 [0049.488] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.488] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.488] SetLastError (dwErrCode=0x0) [0049.488] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.490] GetLastError () returned 0x0 [0049.490] GetLastError () returned 0x0 [0049.490] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.490] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.491] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.491] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x187e213f, dwHighDateTime=0x1d5f971)) [0049.491] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.491] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.491] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.491] GetProcessHeap () returned 0xbc0000 [0049.491] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x37e) returned 0xbeb608 [0049.491] GetSystemDefaultLangID () returned 0xbd0409 [0049.491] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.491] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x37e, lpOverlapped=0x0) returned 1 [0049.491] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.491] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x37e, lpOverlapped=0x0) returned 1 [0049.491] GetProcessHeap () returned 0xbc0000 [0049.491] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.491] CloseHandle (hObject=0x264) returned 1 [0049.492] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.492] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.492] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.492] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681488 | out: hHeap=0x2680000) returned 1 [0049.492] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.492] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate1.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate1.ico.nefilim")) returned 1 [0049.492] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.492] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.492] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="Rotate2.ico", cAlternateFileName="")) returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2=".") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="..") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="...") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="windows") returned -1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="rsa") returned -1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="NTDETECT.COM") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="ntldr") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="MSDOS.SYS") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="IO.SYS") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="boot.ini") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="ntuser.dat") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="desktop.ini") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="CONFIG.SYS") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="RECYCLER") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="bootmgr") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="programdata") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="appdata") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="program files") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="program files (x86)") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="microsoft") returned 1 [0049.493] lstrcmpiW (lpString1="Rotate2.ico", lpString2="sophos") returned -1 [0049.493] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.493] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814c8 | out: hHeap=0x2680000) returned 1 [0049.493] PathFindExtensionW (pszPath="Rotate2.ico") returned=".ico" [0049.493] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.493] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.493] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.493] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.493] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.493] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.493] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.494] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.494] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.494] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.494] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.494] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.494] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.494] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.494] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.494] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.494] lstrcmpiW (lpString1="Rotate2.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.494] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681470 [0049.494] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.494] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=894) returned 1 [0049.494] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814d8 [0049.494] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814f0 [0049.494] SystemFunction036 (in: RandomBuffer=0x26814d8, RandomBufferLength=0x10 | out: RandomBuffer=0x26814d8) returned 1 [0049.494] SystemFunction036 (in: RandomBuffer=0x26814f0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814f0) returned 1 [0049.494] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.494] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.494] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.495] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.495] GetTickCount () returned 0x114dd80 [0049.495] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681508 [0049.495] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681508 | out: hHeap=0x2680000) returned 1 [0049.495] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.495] SetLastError (dwErrCode=0x0) [0049.495] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.497] GetLastError () returned 0x0 [0049.497] GetLastError () returned 0x0 [0049.497] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.497] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.497] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.497] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x187e213f, dwHighDateTime=0x1d5f971)) [0049.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.497] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.497] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.497] GetProcessHeap () returned 0xbc0000 [0049.497] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x37e) returned 0xbeb608 [0049.497] GetSystemDefaultLangID () returned 0xbd0409 [0049.497] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.497] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x37e, lpOverlapped=0x0) returned 1 [0049.497] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.498] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x37e, lpOverlapped=0x0) returned 1 [0049.498] GetProcessHeap () returned 0xbc0000 [0049.498] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.498] CloseHandle (hObject=0x264) returned 1 [0049.498] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.498] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.498] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d8 | out: hHeap=0x2680000) returned 1 [0049.498] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f0 | out: hHeap=0x2680000) returned 1 [0049.498] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.498] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate2.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate2.ico.nefilim")) returned 1 [0049.499] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.499] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.499] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="Rotate3.ico", cAlternateFileName="")) returned 1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2=".") returned 1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="..") returned 1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="...") returned 1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="windows") returned -1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="rsa") returned -1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="NTDETECT.COM") returned 1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="ntldr") returned 1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="MSDOS.SYS") returned 1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="IO.SYS") returned 1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="boot.ini") returned 1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="ntuser.dat") returned 1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="desktop.ini") returned 1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="CONFIG.SYS") returned 1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="RECYCLER") returned 1 [0049.499] lstrcmpiW (lpString1="Rotate3.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.500] lstrcmpiW (lpString1="Rotate3.ico", lpString2="bootmgr") returned 1 [0049.500] lstrcmpiW (lpString1="Rotate3.ico", lpString2="programdata") returned 1 [0049.500] lstrcmpiW (lpString1="Rotate3.ico", lpString2="appdata") returned 1 [0049.500] lstrcmpiW (lpString1="Rotate3.ico", lpString2="program files") returned 1 [0049.500] lstrcmpiW (lpString1="Rotate3.ico", lpString2="program files (x86)") returned 1 [0049.500] lstrcmpiW (lpString1="Rotate3.ico", lpString2="microsoft") returned 1 [0049.500] lstrcmpiW (lpString1="Rotate3.ico", lpString2="sophos") returned -1 [0049.500] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681470 [0049.500] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.500] PathFindExtensionW (pszPath="Rotate3.ico") returned=".ico" [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.500] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.500] lstrcmpiW (lpString1="Rotate3.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.500] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.500] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.501] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=894) returned 1 [0049.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814d8 [0049.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814f0 [0049.501] SystemFunction036 (in: RandomBuffer=0x26814d8, RandomBufferLength=0x10 | out: RandomBuffer=0x26814d8) returned 1 [0049.501] SystemFunction036 (in: RandomBuffer=0x26814f0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814f0) returned 1 [0049.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.501] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.501] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.501] GetTickCount () returned 0x114dd80 [0049.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681508 [0049.501] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681508 | out: hHeap=0x2680000) returned 1 [0049.501] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.501] SetLastError (dwErrCode=0x0) [0049.501] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.504] GetLastError () returned 0x0 [0049.504] GetLastError () returned 0x0 [0049.504] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.504] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.504] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.504] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x188082ed, dwHighDateTime=0x1d5f971)) [0049.504] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.504] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.504] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.504] GetProcessHeap () returned 0xbc0000 [0049.504] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x37e) returned 0xbeb608 [0049.504] GetSystemDefaultLangID () returned 0xbd0409 [0049.504] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.504] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x37e, lpOverlapped=0x0) returned 1 [0049.504] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.504] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x37e, lpOverlapped=0x0) returned 1 [0049.504] GetProcessHeap () returned 0xbc0000 [0049.504] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.505] CloseHandle (hObject=0x264) returned 1 [0049.505] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.505] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.505] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d8 | out: hHeap=0x2680000) returned 1 [0049.505] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f0 | out: hHeap=0x2680000) returned 1 [0049.505] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.505] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate3.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate3.ico.nefilim")) returned 1 [0049.506] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.506] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.506] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="Rotate4.ico", cAlternateFileName="")) returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2=".") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="..") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="...") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="windows") returned -1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="rsa") returned -1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="NTDETECT.COM") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="ntldr") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="MSDOS.SYS") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="IO.SYS") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="boot.ini") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="ntuser.dat") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="desktop.ini") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="CONFIG.SYS") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="RECYCLER") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="bootmgr") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="programdata") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="appdata") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="program files") returned 1 [0049.506] lstrcmpiW (lpString1="Rotate4.ico", lpString2="program files (x86)") returned 1 [0049.507] lstrcmpiW (lpString1="Rotate4.ico", lpString2="microsoft") returned 1 [0049.507] lstrcmpiW (lpString1="Rotate4.ico", lpString2="sophos") returned -1 [0049.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.507] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.507] PathFindExtensionW (pszPath="Rotate4.ico") returned=".ico" [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.507] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.507] lstrcmpiW (lpString1="Rotate4.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681470 [0049.507] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.508] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=894) returned 1 [0049.508] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814d8 [0049.508] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814f0 [0049.508] SystemFunction036 (in: RandomBuffer=0x26814d8, RandomBufferLength=0x10 | out: RandomBuffer=0x26814d8) returned 1 [0049.508] SystemFunction036 (in: RandomBuffer=0x26814f0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814f0) returned 1 [0049.508] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.508] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.508] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.508] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.509] GetTickCount () returned 0x114dd90 [0049.509] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681508 [0049.509] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681508 | out: hHeap=0x2680000) returned 1 [0049.509] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.509] SetLastError (dwErrCode=0x0) [0049.509] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.511] GetLastError () returned 0x0 [0049.511] GetLastError () returned 0x0 [0049.511] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.511] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.512] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.512] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x188082ed, dwHighDateTime=0x1d5f971)) [0049.512] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.512] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.512] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.512] GetProcessHeap () returned 0xbc0000 [0049.512] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x37e) returned 0xbeb608 [0049.512] GetSystemDefaultLangID () returned 0xbd0409 [0049.512] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.512] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x37e, lpOverlapped=0x0) returned 1 [0049.512] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.512] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x37e, lpOverlapped=0x0) returned 1 [0049.512] GetProcessHeap () returned 0xbc0000 [0049.512] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.512] CloseHandle (hObject=0x264) returned 1 [0049.513] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.513] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.513] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d8 | out: hHeap=0x2680000) returned 1 [0049.513] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f0 | out: hHeap=0x2680000) returned 1 [0049.513] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.513] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate4.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate4.ico.nefilim")) returned 1 [0049.513] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.513] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.513] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="Rotate5.ico", cAlternateFileName="")) returned 1 [0049.513] lstrcmpiW (lpString1="Rotate5.ico", lpString2=".") returned 1 [0049.513] lstrcmpiW (lpString1="Rotate5.ico", lpString2="..") returned 1 [0049.513] lstrcmpiW (lpString1="Rotate5.ico", lpString2="...") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="windows") returned -1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="rsa") returned -1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="NTDETECT.COM") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="ntldr") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="MSDOS.SYS") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="IO.SYS") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="boot.ini") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="ntuser.dat") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="desktop.ini") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="CONFIG.SYS") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="RECYCLER") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="bootmgr") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="programdata") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="appdata") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="program files") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="program files (x86)") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="microsoft") returned 1 [0049.514] lstrcmpiW (lpString1="Rotate5.ico", lpString2="sophos") returned -1 [0049.514] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681470 [0049.514] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.514] PathFindExtensionW (pszPath="Rotate5.ico") returned=".ico" [0049.514] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.514] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.514] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.514] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.514] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.514] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.514] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.514] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.514] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.514] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.514] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.515] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.515] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.515] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.515] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.515] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.515] lstrcmpiW (lpString1="Rotate5.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.515] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.515] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.515] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=894) returned 1 [0049.515] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814d8 [0049.515] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814f0 [0049.515] SystemFunction036 (in: RandomBuffer=0x26814d8, RandomBufferLength=0x10 | out: RandomBuffer=0x26814d8) returned 1 [0049.515] SystemFunction036 (in: RandomBuffer=0x26814f0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814f0) returned 1 [0049.515] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.515] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.515] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.515] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.516] GetTickCount () returned 0x114dd90 [0049.516] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681508 [0049.516] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681508 | out: hHeap=0x2680000) returned 1 [0049.516] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.516] SetLastError (dwErrCode=0x0) [0049.516] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.517] GetLastError () returned 0x0 [0049.517] GetLastError () returned 0x0 [0049.518] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.518] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.518] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.518] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x188082ed, dwHighDateTime=0x1d5f971)) [0049.518] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.518] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.518] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.518] GetProcessHeap () returned 0xbc0000 [0049.518] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x37e) returned 0xbeb608 [0049.518] GetSystemDefaultLangID () returned 0xbd0409 [0049.518] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.518] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x37e, lpOverlapped=0x0) returned 1 [0049.518] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.518] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x37e, lpOverlapped=0x0) returned 1 [0049.518] GetProcessHeap () returned 0xbc0000 [0049.518] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.518] CloseHandle (hObject=0x264) returned 1 [0049.519] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.519] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.519] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d8 | out: hHeap=0x2680000) returned 1 [0049.519] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f0 | out: hHeap=0x2680000) returned 1 [0049.519] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.519] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate5.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate5.ico.nefilim")) returned 1 [0049.520] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.520] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.520] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="Rotate6.ico", cAlternateFileName="")) returned 1 [0049.520] lstrcmpiW (lpString1="Rotate6.ico", lpString2=".") returned 1 [0049.520] lstrcmpiW (lpString1="Rotate6.ico", lpString2="..") returned 1 [0049.520] lstrcmpiW (lpString1="Rotate6.ico", lpString2="...") returned 1 [0049.520] lstrcmpiW (lpString1="Rotate6.ico", lpString2="windows") returned -1 [0049.520] lstrcmpiW (lpString1="Rotate6.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.520] lstrcmpiW (lpString1="Rotate6.ico", lpString2="rsa") returned -1 [0049.520] lstrcmpiW (lpString1="Rotate6.ico", lpString2="NTDETECT.COM") returned 1 [0049.520] lstrcmpiW (lpString1="Rotate6.ico", lpString2="ntldr") returned 1 [0049.520] lstrcmpiW (lpString1="Rotate6.ico", lpString2="MSDOS.SYS") returned 1 [0049.520] lstrcmpiW (lpString1="Rotate6.ico", lpString2="IO.SYS") returned 1 [0049.520] lstrcmpiW (lpString1="Rotate6.ico", lpString2="boot.ini") returned 1 [0049.520] lstrcmpiW (lpString1="Rotate6.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.520] lstrcmpiW (lpString1="Rotate6.ico", lpString2="ntuser.dat") returned 1 [0049.520] lstrcmpiW (lpString1="Rotate6.ico", lpString2="desktop.ini") returned 1 [0049.521] lstrcmpiW (lpString1="Rotate6.ico", lpString2="CONFIG.SYS") returned 1 [0049.521] lstrcmpiW (lpString1="Rotate6.ico", lpString2="RECYCLER") returned 1 [0049.521] lstrcmpiW (lpString1="Rotate6.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.521] lstrcmpiW (lpString1="Rotate6.ico", lpString2="bootmgr") returned 1 [0049.521] lstrcmpiW (lpString1="Rotate6.ico", lpString2="programdata") returned 1 [0049.521] lstrcmpiW (lpString1="Rotate6.ico", lpString2="appdata") returned 1 [0049.521] lstrcmpiW (lpString1="Rotate6.ico", lpString2="program files") returned 1 [0049.521] lstrcmpiW (lpString1="Rotate6.ico", lpString2="program files (x86)") returned 1 [0049.521] lstrcmpiW (lpString1="Rotate6.ico", lpString2="microsoft") returned 1 [0049.521] lstrcmpiW (lpString1="Rotate6.ico", lpString2="sophos") returned -1 [0049.521] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.521] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.521] PathFindExtensionW (pszPath="Rotate6.ico") returned=".ico" [0049.521] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.521] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.521] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.521] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.521] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.521] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.521] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.521] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.521] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.521] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.521] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.521] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.521] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.522] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.522] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.522] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.522] lstrcmpiW (lpString1="Rotate6.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.522] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681470 [0049.522] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.522] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=894) returned 1 [0049.522] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814d8 [0049.522] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814f0 [0049.522] SystemFunction036 (in: RandomBuffer=0x26814d8, RandomBufferLength=0x10 | out: RandomBuffer=0x26814d8) returned 1 [0049.522] SystemFunction036 (in: RandomBuffer=0x26814f0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814f0) returned 1 [0049.522] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.522] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.522] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.522] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.523] GetTickCount () returned 0x114dd9f [0049.523] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681508 [0049.523] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681508 | out: hHeap=0x2680000) returned 1 [0049.523] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.523] SetLastError (dwErrCode=0x0) [0049.523] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.573] GetLastError () returned 0x0 [0049.573] GetLastError () returned 0x0 [0049.573] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.573] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.573] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.573] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x188a0c58, dwHighDateTime=0x1d5f971)) [0049.573] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.573] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.573] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.573] GetProcessHeap () returned 0xbc0000 [0049.573] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x37e) returned 0xbeb608 [0049.573] GetSystemDefaultLangID () returned 0xbd0409 [0049.573] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.573] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x37e, lpOverlapped=0x0) returned 1 [0049.574] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.574] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x37e, lpOverlapped=0x0) returned 1 [0049.574] GetProcessHeap () returned 0xbc0000 [0049.574] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.574] CloseHandle (hObject=0x264) returned 1 [0049.575] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.575] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.575] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d8 | out: hHeap=0x2680000) returned 1 [0049.575] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f0 | out: hHeap=0x2680000) returned 1 [0049.575] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.575] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate6.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate6.ico.nefilim")) returned 1 [0049.575] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.575] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.575] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="Rotate7.ico", cAlternateFileName="")) returned 1 [0049.575] lstrcmpiW (lpString1="Rotate7.ico", lpString2=".") returned 1 [0049.575] lstrcmpiW (lpString1="Rotate7.ico", lpString2="..") returned 1 [0049.575] lstrcmpiW (lpString1="Rotate7.ico", lpString2="...") returned 1 [0049.575] lstrcmpiW (lpString1="Rotate7.ico", lpString2="windows") returned -1 [0049.575] lstrcmpiW (lpString1="Rotate7.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.575] lstrcmpiW (lpString1="Rotate7.ico", lpString2="rsa") returned -1 [0049.575] lstrcmpiW (lpString1="Rotate7.ico", lpString2="NTDETECT.COM") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="ntldr") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="MSDOS.SYS") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="IO.SYS") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="boot.ini") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="ntuser.dat") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="desktop.ini") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="CONFIG.SYS") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="RECYCLER") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="bootmgr") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="programdata") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="appdata") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="program files") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="program files (x86)") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="microsoft") returned 1 [0049.576] lstrcmpiW (lpString1="Rotate7.ico", lpString2="sophos") returned -1 [0049.576] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681470 [0049.576] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.576] PathFindExtensionW (pszPath="Rotate7.ico") returned=".ico" [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.576] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.577] lstrcmpiW (lpString1="Rotate7.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.577] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.577] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.577] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=894) returned 1 [0049.577] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814d8 [0049.577] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814f0 [0049.577] SystemFunction036 (in: RandomBuffer=0x26814d8, RandomBufferLength=0x10 | out: RandomBuffer=0x26814d8) returned 1 [0049.577] SystemFunction036 (in: RandomBuffer=0x26814f0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814f0) returned 1 [0049.577] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.577] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.577] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.577] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.577] GetTickCount () returned 0x114ddce [0049.578] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681508 [0049.578] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681508 | out: hHeap=0x2680000) returned 1 [0049.578] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.578] SetLastError (dwErrCode=0x0) [0049.578] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.581] GetLastError () returned 0x0 [0049.581] GetLastError () returned 0x0 [0049.581] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.582] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.582] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.582] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x188a0c58, dwHighDateTime=0x1d5f971)) [0049.582] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.582] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.582] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.582] GetProcessHeap () returned 0xbc0000 [0049.582] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x37e) returned 0xbeb608 [0049.582] GetSystemDefaultLangID () returned 0xbd0409 [0049.582] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.582] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x37e, lpOverlapped=0x0) returned 1 [0049.583] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.583] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x37e, lpOverlapped=0x0) returned 1 [0049.583] GetProcessHeap () returned 0xbc0000 [0049.583] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.583] CloseHandle (hObject=0x264) returned 1 [0049.583] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.583] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.583] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d8 | out: hHeap=0x2680000) returned 1 [0049.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f0 | out: hHeap=0x2680000) returned 1 [0049.584] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.584] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate7.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate7.ico.nefilim")) returned 1 [0049.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.584] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x37e, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="Rotate8.ico", cAlternateFileName="")) returned 1 [0049.584] lstrcmpiW (lpString1="Rotate8.ico", lpString2=".") returned 1 [0049.584] lstrcmpiW (lpString1="Rotate8.ico", lpString2="..") returned 1 [0049.584] lstrcmpiW (lpString1="Rotate8.ico", lpString2="...") returned 1 [0049.584] lstrcmpiW (lpString1="Rotate8.ico", lpString2="windows") returned -1 [0049.584] lstrcmpiW (lpString1="Rotate8.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.584] lstrcmpiW (lpString1="Rotate8.ico", lpString2="rsa") returned -1 [0049.584] lstrcmpiW (lpString1="Rotate8.ico", lpString2="NTDETECT.COM") returned 1 [0049.584] lstrcmpiW (lpString1="Rotate8.ico", lpString2="ntldr") returned 1 [0049.584] lstrcmpiW (lpString1="Rotate8.ico", lpString2="MSDOS.SYS") returned 1 [0049.584] lstrcmpiW (lpString1="Rotate8.ico", lpString2="IO.SYS") returned 1 [0049.584] lstrcmpiW (lpString1="Rotate8.ico", lpString2="boot.ini") returned 1 [0049.584] lstrcmpiW (lpString1="Rotate8.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.584] lstrcmpiW (lpString1="Rotate8.ico", lpString2="ntuser.dat") returned 1 [0049.584] lstrcmpiW (lpString1="Rotate8.ico", lpString2="desktop.ini") returned 1 [0049.584] lstrcmpiW (lpString1="Rotate8.ico", lpString2="CONFIG.SYS") returned 1 [0049.585] lstrcmpiW (lpString1="Rotate8.ico", lpString2="RECYCLER") returned 1 [0049.585] lstrcmpiW (lpString1="Rotate8.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.585] lstrcmpiW (lpString1="Rotate8.ico", lpString2="bootmgr") returned 1 [0049.585] lstrcmpiW (lpString1="Rotate8.ico", lpString2="programdata") returned 1 [0049.585] lstrcmpiW (lpString1="Rotate8.ico", lpString2="appdata") returned 1 [0049.585] lstrcmpiW (lpString1="Rotate8.ico", lpString2="program files") returned 1 [0049.585] lstrcmpiW (lpString1="Rotate8.ico", lpString2="program files (x86)") returned 1 [0049.585] lstrcmpiW (lpString1="Rotate8.ico", lpString2="microsoft") returned 1 [0049.585] lstrcmpiW (lpString1="Rotate8.ico", lpString2="sophos") returned -1 [0049.585] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.585] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.585] PathFindExtensionW (pszPath="Rotate8.ico") returned=".ico" [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.585] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.585] lstrcmpiW (lpString1="Rotate8.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.585] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681470 [0049.585] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.588] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=894) returned 1 [0049.588] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814d8 [0049.588] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814f0 [0049.588] SystemFunction036 (in: RandomBuffer=0x26814d8, RandomBufferLength=0x10 | out: RandomBuffer=0x26814d8) returned 1 [0049.588] SystemFunction036 (in: RandomBuffer=0x26814f0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814f0) returned 1 [0049.588] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.588] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.588] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.588] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.589] GetTickCount () returned 0x114ddde [0049.589] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681508 [0049.589] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681508 | out: hHeap=0x2680000) returned 1 [0049.589] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.589] SetLastError (dwErrCode=0x0) [0049.589] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.596] GetLastError () returned 0x0 [0049.596] GetLastError () returned 0x0 [0049.596] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.596] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.596] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.596] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x188c6f59, dwHighDateTime=0x1d5f971)) [0049.596] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.596] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.596] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.596] GetProcessHeap () returned 0xbc0000 [0049.596] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x37e) returned 0xbeb608 [0049.596] GetSystemDefaultLangID () returned 0xbd0409 [0049.596] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.596] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x37e, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x37e, lpOverlapped=0x0) returned 1 [0049.596] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.596] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x37e, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x37e, lpOverlapped=0x0) returned 1 [0049.596] GetProcessHeap () returned 0xbc0000 [0049.596] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.596] CloseHandle (hObject=0x264) returned 1 [0049.597] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.597] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.597] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d8 | out: hHeap=0x2680000) returned 1 [0049.597] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f0 | out: hHeap=0x2680000) returned 1 [0049.597] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.597] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Rotate8.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\rotate8.ico.nefilim")) returned 1 [0049.598] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.598] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.598] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="Save.ico", cAlternateFileName="")) returned 1 [0049.598] lstrcmpiW (lpString1="Save.ico", lpString2=".") returned 1 [0049.598] lstrcmpiW (lpString1="Save.ico", lpString2="..") returned 1 [0049.598] lstrcmpiW (lpString1="Save.ico", lpString2="...") returned 1 [0049.598] lstrcmpiW (lpString1="Save.ico", lpString2="windows") returned -1 [0049.598] lstrcmpiW (lpString1="Save.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.598] lstrcmpiW (lpString1="Save.ico", lpString2="rsa") returned 1 [0049.598] lstrcmpiW (lpString1="Save.ico", lpString2="NTDETECT.COM") returned 1 [0049.598] lstrcmpiW (lpString1="Save.ico", lpString2="ntldr") returned 1 [0049.598] lstrcmpiW (lpString1="Save.ico", lpString2="MSDOS.SYS") returned 1 [0049.598] lstrcmpiW (lpString1="Save.ico", lpString2="IO.SYS") returned 1 [0049.598] lstrcmpiW (lpString1="Save.ico", lpString2="boot.ini") returned 1 [0049.599] lstrcmpiW (lpString1="Save.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.599] lstrcmpiW (lpString1="Save.ico", lpString2="ntuser.dat") returned 1 [0049.599] lstrcmpiW (lpString1="Save.ico", lpString2="desktop.ini") returned 1 [0049.599] lstrcmpiW (lpString1="Save.ico", lpString2="CONFIG.SYS") returned 1 [0049.599] lstrcmpiW (lpString1="Save.ico", lpString2="RECYCLER") returned 1 [0049.599] lstrcmpiW (lpString1="Save.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.599] lstrcmpiW (lpString1="Save.ico", lpString2="bootmgr") returned 1 [0049.599] lstrcmpiW (lpString1="Save.ico", lpString2="programdata") returned 1 [0049.599] lstrcmpiW (lpString1="Save.ico", lpString2="appdata") returned 1 [0049.599] lstrcmpiW (lpString1="Save.ico", lpString2="program files") returned 1 [0049.599] lstrcmpiW (lpString1="Save.ico", lpString2="program files (x86)") returned 1 [0049.599] lstrcmpiW (lpString1="Save.ico", lpString2="microsoft") returned 1 [0049.599] lstrcmpiW (lpString1="Save.ico", lpString2="sophos") returned -1 [0049.599] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681470 [0049.599] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.599] PathFindExtensionW (pszPath="Save.ico") returned=".ico" [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.599] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.599] lstrcmpiW (lpString1="Save.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.599] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681408 [0049.599] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.600] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=1150) returned 1 [0049.600] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814c8 [0049.600] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814e0 [0049.600] SystemFunction036 (in: RandomBuffer=0x26814c8, RandomBufferLength=0x10 | out: RandomBuffer=0x26814c8) returned 1 [0049.600] SystemFunction036 (in: RandomBuffer=0x26814e0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814e0) returned 1 [0049.600] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.600] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.600] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.600] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.600] GetTickCount () returned 0x114ddee [0049.600] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814f8 [0049.600] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f8 | out: hHeap=0x2680000) returned 1 [0049.601] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.601] SetLastError (dwErrCode=0x0) [0049.601] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.646] GetLastError () returned 0x0 [0049.646] GetLastError () returned 0x0 [0049.646] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.646] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.646] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x67e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.646] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x1895f90f, dwHighDateTime=0x1d5f971)) [0049.646] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814f8 [0049.646] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f8 | out: hHeap=0x2680000) returned 1 [0049.646] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.646] GetProcessHeap () returned 0xbc0000 [0049.646] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x47e) returned 0xbeb608 [0049.646] GetSystemDefaultLangID () returned 0xbd0409 [0049.646] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.646] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x47e, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x47e, lpOverlapped=0x0) returned 1 [0049.646] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.646] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x47e, lpOverlapped=0x0) returned 1 [0049.646] GetProcessHeap () returned 0xbc0000 [0049.646] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.646] CloseHandle (hObject=0x264) returned 1 [0049.647] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.647] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.647] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814c8 | out: hHeap=0x2680000) returned 1 [0049.647] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814e0 | out: hHeap=0x2680000) returned 1 [0049.647] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814c8 [0049.647] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Save.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\save.ico.nefilim")) returned 1 [0049.648] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814c8 | out: hHeap=0x2680000) returned 1 [0049.648] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.648] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x8f66, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="Setup.ico", cAlternateFileName="")) returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2=".") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="..") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="...") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="windows") returned -1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="rsa") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="NTDETECT.COM") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="ntldr") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="MSDOS.SYS") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="IO.SYS") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="boot.ini") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="ntuser.dat") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="desktop.ini") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="CONFIG.SYS") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="RECYCLER") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="bootmgr") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="programdata") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="appdata") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="program files") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="program files (x86)") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="microsoft") returned 1 [0049.648] lstrcmpiW (lpString1="Setup.ico", lpString2="sophos") returned -1 [0049.649] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.649] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.649] PathFindExtensionW (pszPath="Setup.ico") returned=".ico" [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.649] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.649] lstrcmpiW (lpString1="Setup.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.649] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681470 [0049.649] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.649] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=36710) returned 1 [0049.649] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814d8 [0049.650] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814f0 [0049.650] SystemFunction036 (in: RandomBuffer=0x26814d8, RandomBufferLength=0x10 | out: RandomBuffer=0x26814d8) returned 1 [0049.650] SystemFunction036 (in: RandomBuffer=0x26814f0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814f0) returned 1 [0049.650] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.650] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.650] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.650] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.650] GetTickCount () returned 0x114de1c [0049.650] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681508 [0049.650] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681508 | out: hHeap=0x2680000) returned 1 [0049.650] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x8f66, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.650] SetLastError (dwErrCode=0x0) [0049.650] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.692] GetLastError () returned 0x0 [0049.692] GetLastError () returned 0x0 [0049.692] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x9066, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.692] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.692] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x9166, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.692] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x189d2035, dwHighDateTime=0x1d5f971)) [0049.692] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.692] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.692] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.692] GetProcessHeap () returned 0xbc0000 [0049.692] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x8f66) returned 0xbeb608 [0049.693] GetSystemDefaultLangID () returned 0xbd0409 [0049.693] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.693] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x8f66, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x8f66, lpOverlapped=0x0) returned 1 [0049.695] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.695] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x8f66, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x8f66, lpOverlapped=0x0) returned 1 [0049.696] GetProcessHeap () returned 0xbc0000 [0049.696] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.697] CloseHandle (hObject=0x264) returned 1 [0049.698] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.698] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.698] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d8 | out: hHeap=0x2680000) returned 1 [0049.698] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f0 | out: hHeap=0x2680000) returned 1 [0049.698] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.698] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\Setup.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\setup.ico.nefilim")) returned 1 [0049.699] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.699] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.699] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b5e7f00, ftCreationTime.dwHighDateTime=0x1ca927c, ftLastAccessTime.dwLowDateTime=0x5b5e7f00, ftLastAccessTime.dwHighDateTime=0x1ca927c, ftLastWriteTime.dwLowDateTime=0x5b5e7f00, ftLastWriteTime.dwHighDateTime=0x1ca927c, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="stop.ico", cAlternateFileName="")) returned 1 [0049.699] lstrcmpiW (lpString1="stop.ico", lpString2=".") returned 1 [0049.699] lstrcmpiW (lpString1="stop.ico", lpString2="..") returned 1 [0049.699] lstrcmpiW (lpString1="stop.ico", lpString2="...") returned 1 [0049.699] lstrcmpiW (lpString1="stop.ico", lpString2="windows") returned -1 [0049.699] lstrcmpiW (lpString1="stop.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.699] lstrcmpiW (lpString1="stop.ico", lpString2="rsa") returned 1 [0049.699] lstrcmpiW (lpString1="stop.ico", lpString2="NTDETECT.COM") returned 1 [0049.699] lstrcmpiW (lpString1="stop.ico", lpString2="ntldr") returned 1 [0049.699] lstrcmpiW (lpString1="stop.ico", lpString2="MSDOS.SYS") returned 1 [0049.699] lstrcmpiW (lpString1="stop.ico", lpString2="IO.SYS") returned 1 [0049.699] lstrcmpiW (lpString1="stop.ico", lpString2="boot.ini") returned 1 [0049.699] lstrcmpiW (lpString1="stop.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.699] lstrcmpiW (lpString1="stop.ico", lpString2="ntuser.dat") returned 1 [0049.700] lstrcmpiW (lpString1="stop.ico", lpString2="desktop.ini") returned 1 [0049.700] lstrcmpiW (lpString1="stop.ico", lpString2="CONFIG.SYS") returned 1 [0049.700] lstrcmpiW (lpString1="stop.ico", lpString2="RECYCLER") returned 1 [0049.700] lstrcmpiW (lpString1="stop.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.700] lstrcmpiW (lpString1="stop.ico", lpString2="bootmgr") returned 1 [0049.700] lstrcmpiW (lpString1="stop.ico", lpString2="programdata") returned 1 [0049.700] lstrcmpiW (lpString1="stop.ico", lpString2="appdata") returned 1 [0049.700] lstrcmpiW (lpString1="stop.ico", lpString2="program files") returned 1 [0049.700] lstrcmpiW (lpString1="stop.ico", lpString2="program files (x86)") returned 1 [0049.700] lstrcmpiW (lpString1="stop.ico", lpString2="microsoft") returned 1 [0049.700] lstrcmpiW (lpString1="stop.ico", lpString2="sophos") returned 1 [0049.700] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681470 [0049.700] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.700] PathFindExtensionW (pszPath="stop.ico") returned=".ico" [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.700] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.700] lstrcmpiW (lpString1="stop.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.700] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681408 [0049.700] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.701] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=10134) returned 1 [0049.701] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814c8 [0049.701] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814e0 [0049.701] SystemFunction036 (in: RandomBuffer=0x26814c8, RandomBufferLength=0x10 | out: RandomBuffer=0x26814c8) returned 1 [0049.701] SystemFunction036 (in: RandomBuffer=0x26814e0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814e0) returned 1 [0049.701] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.701] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.701] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.702] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.702] GetTickCount () returned 0x114de4b [0049.702] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814f8 [0049.702] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f8 | out: hHeap=0x2680000) returned 1 [0049.702] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x2796, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.702] SetLastError (dwErrCode=0x0) [0049.703] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.770] GetLastError () returned 0x0 [0049.770] GetLastError () returned 0x0 [0049.770] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x2896, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.770] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.770] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x2996, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.770] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x18a90c52, dwHighDateTime=0x1d5f971)) [0049.770] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814f8 [0049.770] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f8 | out: hHeap=0x2680000) returned 1 [0049.770] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.770] GetProcessHeap () returned 0xbc0000 [0049.770] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2796) returned 0xbeb608 [0049.770] GetSystemDefaultLangID () returned 0xbd0409 [0049.770] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.770] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x2796, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x2796, lpOverlapped=0x0) returned 1 [0049.772] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.772] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x2796, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x2796, lpOverlapped=0x0) returned 1 [0049.772] GetProcessHeap () returned 0xbc0000 [0049.772] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.772] CloseHandle (hObject=0x264) returned 1 [0049.773] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.773] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.773] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814c8 | out: hHeap=0x2680000) returned 1 [0049.773] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814e0 | out: hHeap=0x2680000) returned 1 [0049.773] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814c8 [0049.773] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\stop.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\stop.ico.nefilim")) returned 1 [0049.774] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814c8 | out: hHeap=0x2680000) returned 1 [0049.774] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.774] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="SysReqMet.ico", cAlternateFileName="SYSREQ~1.ICO")) returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2=".") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="..") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="...") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="windows") returned -1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="rsa") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="NTDETECT.COM") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="ntldr") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="MSDOS.SYS") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="IO.SYS") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="boot.ini") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="ntuser.dat") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="desktop.ini") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="CONFIG.SYS") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="RECYCLER") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="bootmgr") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="programdata") returned 1 [0049.774] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="appdata") returned 1 [0049.775] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="program files") returned 1 [0049.775] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="program files (x86)") returned 1 [0049.775] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="microsoft") returned 1 [0049.775] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="sophos") returned 1 [0049.775] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.775] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.775] PathFindExtensionW (pszPath="SysReqMet.ico") returned=".ico" [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.775] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.775] lstrcmpiW (lpString1="SysReqMet.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.775] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681470 [0049.775] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.776] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=1150) returned 1 [0049.776] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814d8 [0049.776] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814f0 [0049.776] SystemFunction036 (in: RandomBuffer=0x26814d8, RandomBufferLength=0x10 | out: RandomBuffer=0x26814d8) returned 1 [0049.776] SystemFunction036 (in: RandomBuffer=0x26814f0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814f0) returned 1 [0049.776] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.776] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.776] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.776] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.777] GetTickCount () returned 0x114de99 [0049.777] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681508 [0049.777] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681508 | out: hHeap=0x2680000) returned 1 [0049.777] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.777] SetLastError (dwErrCode=0x0) [0049.777] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.779] GetLastError () returned 0x0 [0049.779] GetLastError () returned 0x0 [0049.779] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.779] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.779] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x67e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.779] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x18a90c52, dwHighDateTime=0x1d5f971)) [0049.779] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.779] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.779] GetProcessHeap () returned 0xbc0000 [0049.779] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x47e) returned 0xbeb608 [0049.779] GetSystemDefaultLangID () returned 0xbd0409 [0049.779] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.779] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x47e, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x47e, lpOverlapped=0x0) returned 1 [0049.779] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.779] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x47e, lpOverlapped=0x0) returned 1 [0049.779] GetProcessHeap () returned 0xbc0000 [0049.779] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.779] CloseHandle (hObject=0x264) returned 1 [0049.780] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.780] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.780] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d8 | out: hHeap=0x2680000) returned 1 [0049.780] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f0 | out: hHeap=0x2680000) returned 1 [0049.780] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.780] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqMet.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqmet.ico.nefilim")) returned 1 [0049.781] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.781] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.781] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x47e, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="SysReqNotMet.ico", cAlternateFileName="SYSREQ~2.ICO")) returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2=".") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="..") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="...") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="windows") returned -1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="rsa") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="NTDETECT.COM") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="ntldr") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="MSDOS.SYS") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="IO.SYS") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="boot.ini") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="ntuser.dat") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="desktop.ini") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="CONFIG.SYS") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="RECYCLER") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.781] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="bootmgr") returned 1 [0049.782] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="programdata") returned 1 [0049.782] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="appdata") returned 1 [0049.782] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="program files") returned 1 [0049.782] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="program files (x86)") returned 1 [0049.782] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="microsoft") returned 1 [0049.782] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="sophos") returned 1 [0049.782] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681470 [0049.782] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.782] PathFindExtensionW (pszPath="SysReqNotMet.ico") returned=".ico" [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.782] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.782] lstrcmpiW (lpString1="SysReqNotMet.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.782] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681408 [0049.782] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.783] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=1150) returned 1 [0049.783] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814d8 [0049.783] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814f0 [0049.783] SystemFunction036 (in: RandomBuffer=0x26814d8, RandomBufferLength=0x10 | out: RandomBuffer=0x26814d8) returned 1 [0049.783] SystemFunction036 (in: RandomBuffer=0x26814f0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814f0) returned 1 [0049.783] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.783] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.783] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.783] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.783] GetTickCount () returned 0x114de99 [0049.783] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681508 [0049.783] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681508 | out: hHeap=0x2680000) returned 1 [0049.783] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.784] SetLastError (dwErrCode=0x0) [0049.784] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.785] GetLastError () returned 0x0 [0049.785] GetLastError () returned 0x0 [0049.785] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x57e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.786] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.786] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x67e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.786] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x18ab6d39, dwHighDateTime=0x1d5f971)) [0049.786] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26821d8 [0049.786] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0049.786] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.786] GetProcessHeap () returned 0xbc0000 [0049.786] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x47e) returned 0xbeb608 [0049.786] GetSystemDefaultLangID () returned 0xbd0409 [0049.786] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.786] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x47e, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x47e, lpOverlapped=0x0) returned 1 [0049.786] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.786] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x47e, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x47e, lpOverlapped=0x0) returned 1 [0049.786] GetProcessHeap () returned 0xbc0000 [0049.786] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.786] CloseHandle (hObject=0x264) returned 1 [0049.787] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.787] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.787] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d8 | out: hHeap=0x2680000) returned 1 [0049.787] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f0 | out: hHeap=0x2680000) returned 1 [0049.787] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681fc8 [0049.787] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\SysReqNotMet.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\sysreqnotmet.ico.nefilim")) returned 1 [0049.788] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.788] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.788] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="warn.ico", cAlternateFileName="")) returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2=".") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="..") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="...") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="windows") returned -1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="$RECYCLE.BIN") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="rsa") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="NTDETECT.COM") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="ntldr") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="MSDOS.SYS") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="IO.SYS") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="boot.ini") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="AUTOEXEC.BAT") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="ntuser.dat") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="desktop.ini") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="CONFIG.SYS") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="RECYCLER") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="BOOTSECT.BAK") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="bootmgr") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="programdata") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="appdata") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="program files") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="program files (x86)") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="microsoft") returned 1 [0049.788] lstrcmpiW (lpString1="warn.ico", lpString2="sophos") returned 1 [0049.788] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681408 [0049.788] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681470 | out: hHeap=0x2680000) returned 1 [0049.788] PathFindExtensionW (pszPath="warn.ico") returned=".ico" [0049.788] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0049.788] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0049.788] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0049.788] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0049.788] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0049.789] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0049.789] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0049.789] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0049.789] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0049.789] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0049.789] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0049.789] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0049.789] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0049.789] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0049.789] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0049.789] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0049.789] lstrcmpiW (lpString1="warn.ico", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.789] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681460 [0049.789] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x264 [0049.789] GetFileSizeEx (in: hFile=0x264, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=10134) returned 1 [0049.789] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814b8 [0049.789] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814d0 [0049.789] SystemFunction036 (in: RandomBuffer=0x26814b8, RandomBufferLength=0x10 | out: RandomBuffer=0x26814b8) returned 1 [0049.789] SystemFunction036 (in: RandomBuffer=0x26814d0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814d0) returned 1 [0049.789] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.789] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0049.789] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0049.790] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0049.790] GetTickCount () returned 0x114dea9 [0049.790] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814e8 [0049.790] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814e8 | out: hHeap=0x2680000) returned 1 [0049.790] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x2796, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.790] SetLastError (dwErrCode=0x0) [0049.790] WriteFile (in: hFile=0x264, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.792] GetLastError () returned 0x0 [0049.792] GetLastError () returned 0x0 [0049.792] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x2896, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.792] WriteFile (in: hFile=0x264, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0049.792] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x2996, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.792] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x18ab6d39, dwHighDateTime=0x1d5f971)) [0049.792] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814e8 [0049.792] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814e8 | out: hHeap=0x2680000) returned 1 [0049.792] WriteFile (in: hFile=0x264, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0049.792] GetProcessHeap () returned 0xbc0000 [0049.792] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2796) returned 0xbeb608 [0049.792] GetSystemDefaultLangID () returned 0xbd0409 [0049.792] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.792] ReadFile (in: hFile=0x264, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x2796, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bee3c*=0x2796, lpOverlapped=0x0) returned 1 [0049.794] SetFilePointerEx (in: hFile=0x264, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.794] WriteFile (in: hFile=0x264, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x2796, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bee30*=0x2796, lpOverlapped=0x0) returned 1 [0049.794] GetProcessHeap () returned 0xbc0000 [0049.794] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.794] CloseHandle (hObject=0x264) returned 1 [0049.795] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.795] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.795] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0049.795] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d0 | out: hHeap=0x2680000) returned 1 [0049.795] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26814b8 [0049.795] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico"), lpNewFileName="C:\\588bce7c90097ed212\\Graphics\\warn.ico.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\graphics\\warn.ico.nefilim")) returned 1 [0049.795] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0049.795] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681460 | out: hHeap=0x2680000) returned 1 [0049.795] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xbd82ba00, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xbd82ba00, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xbd82ba00, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x2796, dwReserved0=0x2681330, dwReserved1=0x80, cFileName="warn.ico", cAlternateFileName="")) returned 0 [0049.795] FindClose (in: hFindFile=0xbe2848 | out: hFindFile=0xbe2848) returned 1 [0049.795] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0049.795] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0049.795] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0049.795] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0xe2c, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="header.bmp", cAlternateFileName="")) returned 1 [0049.795] lstrcmpiW (lpString1="header.bmp", lpString2=".") returned 1 [0049.795] lstrcmpiW (lpString1="header.bmp", lpString2="..") returned 1 [0049.795] lstrcmpiW (lpString1="header.bmp", lpString2="...") returned 1 [0049.795] lstrcmpiW (lpString1="header.bmp", lpString2="windows") returned -1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="$RECYCLE.BIN") returned 1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="rsa") returned -1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="NTDETECT.COM") returned -1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="ntldr") returned -1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="MSDOS.SYS") returned -1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="IO.SYS") returned -1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="boot.ini") returned 1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="ntuser.dat") returned -1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="desktop.ini") returned 1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="CONFIG.SYS") returned 1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="RECYCLER") returned -1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="BOOTSECT.BAK") returned 1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="bootmgr") returned 1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="programdata") returned -1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="appdata") returned 1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="program files") returned -1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="program files (x86)") returned -1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="microsoft") returned -1 [0049.796] lstrcmpiW (lpString1="header.bmp", lpString2="sophos") returned -1 [0049.796] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26813c0 [0049.796] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0049.796] PathFindExtensionW (pszPath="header.bmp") returned=".bmp" [0049.796] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0049.796] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0049.796] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0049.796] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0049.796] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0049.796] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0049.796] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0049.796] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0049.796] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0049.796] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0049.796] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0049.796] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0049.796] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0049.797] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0049.797] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0049.797] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0049.797] lstrcmpiW (lpString1="header.bmp", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0049.797] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681330 [0049.797] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0049.798] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=3628) returned 1 [0049.798] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681388 [0049.798] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26813a0 [0049.798] SystemFunction036 (in: RandomBuffer=0x2681388, RandomBufferLength=0x10 | out: RandomBuffer=0x2681388) returned 1 [0049.798] SystemFunction036 (in: RandomBuffer=0x26813a0, RandomBufferLength=0x10 | out: RandomBuffer=0x26813a0) returned 1 [0049.798] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681418 [0049.798] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.798] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681418*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681418*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0049.800] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0049.802] GetTickCount () returned 0x114deb9 [0049.802] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26820d0 [0049.802] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.802] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xe2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.802] SetLastError (dwErrCode=0x0) [0049.802] WriteFile (in: hFile=0x260, lpBuffer=0x2681418*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681418*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0049.804] GetLastError () returned 0x0 [0049.804] GetLastError () returned 0x0 [0049.804] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.805] WriteFile (in: hFile=0x260, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0049.805] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x102c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.805] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x18adcfb1, dwHighDateTime=0x1d5f971)) [0049.805] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26820d0 [0049.805] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.805] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0049.805] GetProcessHeap () returned 0xbc0000 [0049.805] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xe2c) returned 0xbe85e8 [0049.805] GetSystemDefaultLangID () returned 0xbd0409 [0049.805] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.805] ReadFile (in: hFile=0x260, lpBuffer=0xbe85e8, nNumberOfBytesToRead=0xe2c, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbe85e8*, lpNumberOfBytesRead=0x25bf15c*=0xe2c, lpOverlapped=0x0) returned 1 [0049.805] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.805] WriteFile (in: hFile=0x260, lpBuffer=0xbe85e8*, nNumberOfBytesToWrite=0xe2c, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbe85e8*, lpNumberOfBytesWritten=0x25bf150*=0xe2c, lpOverlapped=0x0) returned 1 [0049.806] GetProcessHeap () returned 0xbc0000 [0049.806] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe85e8 | out: hHeap=0xbc0000) returned 1 [0049.806] CloseHandle (hObject=0x260) returned 1 [0049.806] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681418 | out: hHeap=0x2680000) returned 1 [0049.806] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0049.806] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681388 | out: hHeap=0x2680000) returned 1 [0049.806] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813a0 | out: hHeap=0x2680000) returned 1 [0049.806] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681418 [0049.806] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\header.bmp" (normalized: "c:\\588bce7c90097ed212\\header.bmp"), lpNewFileName="C:\\588bce7c90097ed212\\header.bmp.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\header.bmp.nefilim")) returned 1 [0049.807] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681418 | out: hHeap=0x2680000) returned 1 [0049.807] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0049.807] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x66ea7e00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0x66ea7e00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0x66ea7e00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0xad1384b, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="netfx_Core.mzz", cAlternateFileName="NETFX_~1.MZZ")) returned 1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2=".") returned 1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="..") returned 1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="...") returned 1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="windows") returned -1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="$RECYCLE.BIN") returned 1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="rsa") returned -1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="NTDETECT.COM") returned -1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="ntldr") returned -1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="MSDOS.SYS") returned 1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="IO.SYS") returned 1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="boot.ini") returned 1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="AUTOEXEC.BAT") returned 1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="ntuser.dat") returned -1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="desktop.ini") returned 1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="CONFIG.SYS") returned 1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="RECYCLER") returned -1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="BOOTSECT.BAK") returned 1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="bootmgr") returned 1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="programdata") returned -1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="appdata") returned 1 [0049.807] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="program files") returned -1 [0049.808] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="program files (x86)") returned -1 [0049.808] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="microsoft") returned 1 [0049.808] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="sophos") returned -1 [0049.808] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681330 [0049.808] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813c0 | out: hHeap=0x2680000) returned 1 [0049.808] PathFindExtensionW (pszPath="netfx_Core.mzz") returned=".mzz" [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".exe") returned 1 [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".log") returned 1 [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".cab") returned 1 [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".cmd") returned 1 [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".com") returned 1 [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".cpl") returned 1 [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".ini") returned 1 [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".dll") returned 1 [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".url") returned -1 [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".ttf") returned -1 [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".mp3") returned 1 [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".pif") returned -1 [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".mp4") returned 1 [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".NEFILIM") returned -1 [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".msi") returned 1 [0049.808] lstrcmpiW (lpString1=".mzz", lpString2=".lnk") returned 1 [0049.808] lstrcmpiW (lpString1="netfx_Core.mzz", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0049.808] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681388 [0049.808] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0049.904] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=181483595) returned 1 [0049.904] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26813e0 [0049.904] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26813f8 [0049.904] SystemFunction036 (in: RandomBuffer=0x26813e0, RandomBufferLength=0x10 | out: RandomBuffer=0x26813e0) returned 1 [0049.904] SystemFunction036 (in: RandomBuffer=0x26813f8, RandomBufferLength=0x10 | out: RandomBuffer=0x26813f8) returned 1 [0049.904] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681410 [0049.905] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0049.905] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681410*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681410*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0049.907] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0049.909] GetTickCount () returned 0x114df16 [0049.909] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26820d0 [0049.909] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.909] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xad1384b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.909] SetLastError (dwErrCode=0x0) [0049.909] WriteFile (in: hFile=0x260, lpBuffer=0x2681410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681410*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0049.926] GetLastError () returned 0x0 [0049.926] GetLastError () returned 0x0 [0049.926] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xad1394b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.926] WriteFile (in: hFile=0x260, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0049.926] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xad13a4b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.926] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x18c0e2ba, dwHighDateTime=0x1d5f971)) [0049.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26820d0 [0049.926] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0049.926] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0049.927] GetProcessHeap () returned 0xbc0000 [0049.927] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0049.927] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.927] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0049.939] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.939] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0049.939] GetProcessHeap () returned 0xbc0000 [0049.939] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.939] GetProcessHeap () returned 0xbc0000 [0049.939] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0049.940] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.940] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0049.947] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.948] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0049.948] GetProcessHeap () returned 0xbc0000 [0049.948] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.948] GetProcessHeap () returned 0xbc0000 [0049.948] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0049.948] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.948] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0049.992] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.993] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0049.993] GetProcessHeap () returned 0xbc0000 [0049.993] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0049.993] GetProcessHeap () returned 0xbc0000 [0049.993] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0049.993] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xb71b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0049.993] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.000] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xb71b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.001] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.001] GetProcessHeap () returned 0xbc0000 [0050.001] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.001] GetProcessHeap () returned 0xbc0000 [0050.001] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.001] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf4240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.001] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.064] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf4240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.064] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.065] GetProcessHeap () returned 0xbc0000 [0050.065] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.065] GetProcessHeap () returned 0xbc0000 [0050.065] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.065] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1312d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.065] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.073] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1312d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.073] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.073] GetProcessHeap () returned 0xbc0000 [0050.073] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.073] GetProcessHeap () returned 0xbc0000 [0050.073] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.073] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16e360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.073] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.080] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16e360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.081] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.081] GetProcessHeap () returned 0xbc0000 [0050.081] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.081] GetProcessHeap () returned 0xbc0000 [0050.081] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.081] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ab3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.081] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.139] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ab3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.139] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.139] GetProcessHeap () returned 0xbc0000 [0050.140] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.140] GetProcessHeap () returned 0xbc0000 [0050.140] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.140] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e8480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.140] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.213] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e8480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.214] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.290] GetProcessHeap () returned 0xbc0000 [0050.290] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.290] GetProcessHeap () returned 0xbc0000 [0050.290] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.290] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x225510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.290] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.296] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x225510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.296] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.297] GetProcessHeap () returned 0xbc0000 [0050.297] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.297] GetProcessHeap () returned 0xbc0000 [0050.297] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.297] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2625a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.297] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.403] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2625a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.403] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.404] GetProcessHeap () returned 0xbc0000 [0050.404] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.404] GetProcessHeap () returned 0xbc0000 [0050.404] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.404] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29f630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.404] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.411] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29f630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.411] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.412] GetProcessHeap () returned 0xbc0000 [0050.412] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.412] GetProcessHeap () returned 0xbc0000 [0050.412] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.412] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2dc6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.412] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.419] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2dc6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.419] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.420] GetProcessHeap () returned 0xbc0000 [0050.420] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.420] GetProcessHeap () returned 0xbc0000 [0050.420] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.420] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x319750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.420] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.470] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x319750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.470] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.470] GetProcessHeap () returned 0xbc0000 [0050.470] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.470] GetProcessHeap () returned 0xbc0000 [0050.470] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.470] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3567e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.470] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.477] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3567e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.478] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.478] GetProcessHeap () returned 0xbc0000 [0050.478] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.478] GetProcessHeap () returned 0xbc0000 [0050.478] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.478] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x393870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.478] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.490] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x393870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.490] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.490] GetProcessHeap () returned 0xbc0000 [0050.490] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.491] GetProcessHeap () returned 0xbc0000 [0050.491] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.491] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d0900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.491] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.498] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d0900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.498] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.498] GetProcessHeap () returned 0xbc0000 [0050.498] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.498] GetProcessHeap () returned 0xbc0000 [0050.498] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.498] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x40d990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.498] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.512] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x40d990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.512] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.512] GetProcessHeap () returned 0xbc0000 [0050.512] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.512] GetProcessHeap () returned 0xbc0000 [0050.512] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.512] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44aa20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.512] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.519] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44aa20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.520] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.521] GetProcessHeap () returned 0xbc0000 [0050.521] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.521] GetProcessHeap () returned 0xbc0000 [0050.521] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.521] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x487ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.521] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.532] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x487ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.533] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.533] GetProcessHeap () returned 0xbc0000 [0050.533] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.533] GetProcessHeap () returned 0xbc0000 [0050.533] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.533] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c4b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.533] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.552] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c4b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.552] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.553] GetProcessHeap () returned 0xbc0000 [0050.553] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.553] GetProcessHeap () returned 0xbc0000 [0050.553] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.553] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x501bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.553] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.571] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x501bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.571] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.571] GetProcessHeap () returned 0xbc0000 [0050.571] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.571] GetProcessHeap () returned 0xbc0000 [0050.571] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.571] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53ec60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.571] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.579] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53ec60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.579] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.579] GetProcessHeap () returned 0xbc0000 [0050.579] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.579] GetProcessHeap () returned 0xbc0000 [0050.579] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.579] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x57bcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.579] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.590] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x57bcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.590] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.590] GetProcessHeap () returned 0xbc0000 [0050.590] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.590] GetProcessHeap () returned 0xbc0000 [0050.590] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.590] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b8d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.590] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.599] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b8d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.600] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.600] GetProcessHeap () returned 0xbc0000 [0050.600] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.600] GetProcessHeap () returned 0xbc0000 [0050.600] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.600] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f5e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.600] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.621] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f5e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.621] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.622] GetProcessHeap () returned 0xbc0000 [0050.622] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.622] GetProcessHeap () returned 0xbc0000 [0050.622] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.622] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x632ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.622] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.634] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x632ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.634] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.635] GetProcessHeap () returned 0xbc0000 [0050.635] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.635] GetProcessHeap () returned 0xbc0000 [0050.635] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.635] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66ff30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.635] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.642] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66ff30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.642] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.642] GetProcessHeap () returned 0xbc0000 [0050.642] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.642] GetProcessHeap () returned 0xbc0000 [0050.642] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.643] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6acfc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.643] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.650] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6acfc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.650] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.651] GetProcessHeap () returned 0xbc0000 [0050.651] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.651] GetProcessHeap () returned 0xbc0000 [0050.651] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.651] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6ea050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.651] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.685] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6ea050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.685] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.686] GetProcessHeap () returned 0xbc0000 [0050.686] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.686] GetProcessHeap () returned 0xbc0000 [0050.686] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.686] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7270e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.686] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.711] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7270e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.711] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.711] GetProcessHeap () returned 0xbc0000 [0050.711] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.711] GetProcessHeap () returned 0xbc0000 [0050.711] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.711] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x764170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.711] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.718] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x764170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.718] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.718] GetProcessHeap () returned 0xbc0000 [0050.718] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.718] GetProcessHeap () returned 0xbc0000 [0050.718] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.718] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.718] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.726] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.726] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.726] GetProcessHeap () returned 0xbc0000 [0050.726] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.726] GetProcessHeap () returned 0xbc0000 [0050.726] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.726] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7de290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.726] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.733] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7de290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.733] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.734] GetProcessHeap () returned 0xbc0000 [0050.734] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.734] GetProcessHeap () returned 0xbc0000 [0050.734] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.734] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81b320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.734] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.763] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81b320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.763] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.763] GetProcessHeap () returned 0xbc0000 [0050.763] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.763] GetProcessHeap () returned 0xbc0000 [0050.763] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.763] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8583b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.763] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.795] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8583b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.795] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.795] GetProcessHeap () returned 0xbc0000 [0050.795] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.795] GetProcessHeap () returned 0xbc0000 [0050.795] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.795] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x895440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.795] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.811] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x895440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.812] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.812] GetProcessHeap () returned 0xbc0000 [0050.812] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.812] GetProcessHeap () returned 0xbc0000 [0050.812] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.812] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d24d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.812] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.819] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d24d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.819] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.820] GetProcessHeap () returned 0xbc0000 [0050.820] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.820] GetProcessHeap () returned 0xbc0000 [0050.820] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.820] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90f560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.820] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.848] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90f560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.848] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.849] GetProcessHeap () returned 0xbc0000 [0050.849] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.849] GetProcessHeap () returned 0xbc0000 [0050.849] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.849] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x94c5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.849] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.859] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x94c5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.859] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.860] GetProcessHeap () returned 0xbc0000 [0050.860] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.860] GetProcessHeap () returned 0xbc0000 [0050.860] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.860] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x989680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.860] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.867] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x989680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.867] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.868] GetProcessHeap () returned 0xbc0000 [0050.868] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.868] GetProcessHeap () returned 0xbc0000 [0050.868] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.868] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9c6710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.868] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.875] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9c6710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.875] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.875] GetProcessHeap () returned 0xbc0000 [0050.875] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.875] GetProcessHeap () returned 0xbc0000 [0050.875] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.875] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa037a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.875] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.892] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa037a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.892] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.892] GetProcessHeap () returned 0xbc0000 [0050.892] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.892] GetProcessHeap () returned 0xbc0000 [0050.892] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.892] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa40830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.892] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.900] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa40830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.900] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.900] GetProcessHeap () returned 0xbc0000 [0050.900] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.900] GetProcessHeap () returned 0xbc0000 [0050.900] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.900] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa7d8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.900] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.915] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa7d8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.915] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.915] GetProcessHeap () returned 0xbc0000 [0050.915] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.916] GetProcessHeap () returned 0xbc0000 [0050.916] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.916] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaba950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.916] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.923] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaba950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.923] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.923] GetProcessHeap () returned 0xbc0000 [0050.923] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.923] GetProcessHeap () returned 0xbc0000 [0050.923] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.923] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaf79e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.923] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.937] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaf79e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.937] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.938] GetProcessHeap () returned 0xbc0000 [0050.938] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.938] GetProcessHeap () returned 0xbc0000 [0050.938] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.938] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xb34a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.938] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.946] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xb34a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.946] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.946] GetProcessHeap () returned 0xbc0000 [0050.946] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.946] GetProcessHeap () returned 0xbc0000 [0050.946] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.946] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xb71b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.947] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.962] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xb71b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.962] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.962] GetProcessHeap () returned 0xbc0000 [0050.962] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.962] GetProcessHeap () returned 0xbc0000 [0050.963] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.963] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xbaeb90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.963] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.970] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xbaeb90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.970] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.970] GetProcessHeap () returned 0xbc0000 [0050.971] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.971] GetProcessHeap () returned 0xbc0000 [0050.971] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.971] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xbebc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.971] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0050.995] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xbebc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.995] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0050.996] GetProcessHeap () returned 0xbc0000 [0050.996] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0050.996] GetProcessHeap () returned 0xbc0000 [0050.996] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0050.996] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xc28cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0050.997] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.006] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xc28cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.006] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.007] GetProcessHeap () returned 0xbc0000 [0051.007] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.007] GetProcessHeap () returned 0xbc0000 [0051.007] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.007] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xc65d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.007] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.014] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xc65d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.014] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.015] GetProcessHeap () returned 0xbc0000 [0051.015] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.015] GetProcessHeap () returned 0xbc0000 [0051.015] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.015] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xca2dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.015] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.024] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xca2dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.025] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.025] GetProcessHeap () returned 0xbc0000 [0051.025] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.025] GetProcessHeap () returned 0xbc0000 [0051.026] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.026] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xcdfe60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.026] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.033] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xcdfe60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.033] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.033] GetProcessHeap () returned 0xbc0000 [0051.033] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.033] GetProcessHeap () returned 0xbc0000 [0051.033] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.033] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xd1cef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.033] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.053] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xd1cef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.053] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.053] GetProcessHeap () returned 0xbc0000 [0051.054] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.054] GetProcessHeap () returned 0xbc0000 [0051.054] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.054] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xd59f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.054] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.074] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xd59f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.074] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.074] GetProcessHeap () returned 0xbc0000 [0051.074] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.074] GetProcessHeap () returned 0xbc0000 [0051.074] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.074] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xd97010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.075] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.082] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xd97010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.082] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.083] GetProcessHeap () returned 0xbc0000 [0051.083] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.083] GetProcessHeap () returned 0xbc0000 [0051.083] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.083] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xdd40a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.083] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.090] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xdd40a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.090] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.090] GetProcessHeap () returned 0xbc0000 [0051.090] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.090] GetProcessHeap () returned 0xbc0000 [0051.090] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.090] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xe11130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.091] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.126] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xe11130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.126] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.127] GetProcessHeap () returned 0xbc0000 [0051.127] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.127] GetProcessHeap () returned 0xbc0000 [0051.127] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.127] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xe4e1c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.127] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.143] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xe4e1c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.143] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.143] GetProcessHeap () returned 0xbc0000 [0051.143] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.143] GetProcessHeap () returned 0xbc0000 [0051.143] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.143] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xe8b250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.143] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.183] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xe8b250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.183] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.184] GetProcessHeap () returned 0xbc0000 [0051.184] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.184] GetProcessHeap () returned 0xbc0000 [0051.184] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.184] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xec82e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.184] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.194] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xec82e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.194] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.194] GetProcessHeap () returned 0xbc0000 [0051.194] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.194] GetProcessHeap () returned 0xbc0000 [0051.195] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.195] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf05370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.195] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.210] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf05370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.210] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.210] GetProcessHeap () returned 0xbc0000 [0051.210] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.210] GetProcessHeap () returned 0xbc0000 [0051.210] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.210] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.210] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.218] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.218] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.218] GetProcessHeap () returned 0xbc0000 [0051.218] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.218] GetProcessHeap () returned 0xbc0000 [0051.218] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.218] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf7f490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.218] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.243] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xf7f490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.243] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.244] GetProcessHeap () returned 0xbc0000 [0051.244] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.244] GetProcessHeap () returned 0xbc0000 [0051.244] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.244] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xfbc520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.244] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.251] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xfbc520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.252] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.252] GetProcessHeap () returned 0xbc0000 [0051.252] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.252] GetProcessHeap () returned 0xbc0000 [0051.252] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.252] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xff95b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.252] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.266] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xff95b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.266] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.267] GetProcessHeap () returned 0xbc0000 [0051.267] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.267] GetProcessHeap () returned 0xbc0000 [0051.267] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.267] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1036640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.267] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.276] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1036640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.276] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.277] GetProcessHeap () returned 0xbc0000 [0051.277] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.277] GetProcessHeap () returned 0xbc0000 [0051.277] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.277] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10736d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.277] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.306] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10736d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.306] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.306] GetProcessHeap () returned 0xbc0000 [0051.306] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.306] GetProcessHeap () returned 0xbc0000 [0051.306] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.306] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10b0760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.306] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.314] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10b0760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.314] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.314] GetProcessHeap () returned 0xbc0000 [0051.314] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.314] GetProcessHeap () returned 0xbc0000 [0051.314] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.314] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10ed7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.314] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.341] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10ed7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.341] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.343] GetProcessHeap () returned 0xbc0000 [0051.343] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.343] GetProcessHeap () returned 0xbc0000 [0051.343] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.343] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x112a880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.343] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.354] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x112a880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.354] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.355] GetProcessHeap () returned 0xbc0000 [0051.355] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.355] GetProcessHeap () returned 0xbc0000 [0051.355] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.355] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1167910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.355] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.394] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1167910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.394] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.395] GetProcessHeap () returned 0xbc0000 [0051.395] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.395] GetProcessHeap () returned 0xbc0000 [0051.395] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.395] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11a49a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.395] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.402] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11a49a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.402] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.403] GetProcessHeap () returned 0xbc0000 [0051.403] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.403] GetProcessHeap () returned 0xbc0000 [0051.403] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.403] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11e1a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.403] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.439] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11e1a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.439] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.440] GetProcessHeap () returned 0xbc0000 [0051.440] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.440] GetProcessHeap () returned 0xbc0000 [0051.440] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.440] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x121eac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.440] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.447] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x121eac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.447] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.448] GetProcessHeap () returned 0xbc0000 [0051.448] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.448] GetProcessHeap () returned 0xbc0000 [0051.448] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.448] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x125bb50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.448] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.458] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x125bb50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.458] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.460] GetProcessHeap () returned 0xbc0000 [0051.460] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.460] GetProcessHeap () returned 0xbc0000 [0051.460] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.460] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1298be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.460] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.467] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1298be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.467] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.468] GetProcessHeap () returned 0xbc0000 [0051.468] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.468] GetProcessHeap () returned 0xbc0000 [0051.468] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.468] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x12d5c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.468] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.475] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x12d5c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.475] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.476] GetProcessHeap () returned 0xbc0000 [0051.476] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.476] GetProcessHeap () returned 0xbc0000 [0051.476] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.476] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1312d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.476] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.497] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1312d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.497] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.497] GetProcessHeap () returned 0xbc0000 [0051.497] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.497] GetProcessHeap () returned 0xbc0000 [0051.498] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.498] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x134fd90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.498] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.516] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x134fd90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.516] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.516] GetProcessHeap () returned 0xbc0000 [0051.516] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.516] GetProcessHeap () returned 0xbc0000 [0051.516] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.516] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x138ce20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.516] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.535] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x138ce20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.535] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.546] GetProcessHeap () returned 0xbc0000 [0051.546] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.546] GetProcessHeap () returned 0xbc0000 [0051.546] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.546] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x13c9eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.546] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.558] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x13c9eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.558] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.558] GetProcessHeap () returned 0xbc0000 [0051.558] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.558] GetProcessHeap () returned 0xbc0000 [0051.558] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.558] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1406f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.558] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.576] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1406f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.576] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.577] GetProcessHeap () returned 0xbc0000 [0051.577] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.577] GetProcessHeap () returned 0xbc0000 [0051.577] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.577] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1443fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.577] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.627] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1443fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.627] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.627] GetProcessHeap () returned 0xbc0000 [0051.627] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.627] GetProcessHeap () returned 0xbc0000 [0051.627] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.627] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1481060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.627] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.637] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1481060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.637] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.638] GetProcessHeap () returned 0xbc0000 [0051.638] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.638] GetProcessHeap () returned 0xbc0000 [0051.638] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.638] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x14be0f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.638] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.646] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x14be0f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.646] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.647] GetProcessHeap () returned 0xbc0000 [0051.647] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.647] GetProcessHeap () returned 0xbc0000 [0051.647] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.647] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x14fb180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.647] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.737] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x14fb180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.737] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.743] GetProcessHeap () returned 0xbc0000 [0051.743] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.743] GetProcessHeap () returned 0xbc0000 [0051.743] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.744] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1538210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.744] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.750] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1538210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.751] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.751] GetProcessHeap () returned 0xbc0000 [0051.751] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.751] GetProcessHeap () returned 0xbc0000 [0051.751] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.751] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15752a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.751] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.760] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15752a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.760] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.760] GetProcessHeap () returned 0xbc0000 [0051.760] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.760] GetProcessHeap () returned 0xbc0000 [0051.760] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.760] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15b2330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.760] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.768] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15b2330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.768] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.768] GetProcessHeap () returned 0xbc0000 [0051.768] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.768] GetProcessHeap () returned 0xbc0000 [0051.768] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.768] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15ef3c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.768] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.793] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x15ef3c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.793] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.794] GetProcessHeap () returned 0xbc0000 [0051.794] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.794] GetProcessHeap () returned 0xbc0000 [0051.794] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.794] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x162c450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.794] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.814] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x162c450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.814] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.815] GetProcessHeap () returned 0xbc0000 [0051.815] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.815] GetProcessHeap () returned 0xbc0000 [0051.815] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.815] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16694e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.815] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.823] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16694e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.823] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.823] GetProcessHeap () returned 0xbc0000 [0051.823] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.823] GetProcessHeap () returned 0xbc0000 [0051.823] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.823] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16a6570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.823] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.894] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16a6570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.895] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.895] GetProcessHeap () returned 0xbc0000 [0051.895] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.895] GetProcessHeap () returned 0xbc0000 [0051.895] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.895] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16e3600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.895] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0051.979] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x16e3600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.979] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0051.980] GetProcessHeap () returned 0xbc0000 [0051.980] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0051.980] GetProcessHeap () returned 0xbc0000 [0051.980] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0051.980] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1720690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0051.980] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.026] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1720690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.026] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.027] GetProcessHeap () returned 0xbc0000 [0052.027] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.027] GetProcessHeap () returned 0xbc0000 [0052.027] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.027] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x175d720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.027] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.034] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x175d720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.034] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.035] GetProcessHeap () returned 0xbc0000 [0052.035] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.035] GetProcessHeap () returned 0xbc0000 [0052.035] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.035] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x179a7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.035] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.042] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x179a7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.042] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.043] GetProcessHeap () returned 0xbc0000 [0052.043] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.043] GetProcessHeap () returned 0xbc0000 [0052.043] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.043] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x17d7840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.043] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.050] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x17d7840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.050] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.051] GetProcessHeap () returned 0xbc0000 [0052.051] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.051] GetProcessHeap () returned 0xbc0000 [0052.051] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.051] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x18148d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.051] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.078] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x18148d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.078] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.078] GetProcessHeap () returned 0xbc0000 [0052.078] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.078] GetProcessHeap () returned 0xbc0000 [0052.078] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.078] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1851960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.079] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.086] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1851960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.086] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.086] GetProcessHeap () returned 0xbc0000 [0052.086] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.086] GetProcessHeap () returned 0xbc0000 [0052.086] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.086] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x188e9f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.087] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.094] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x188e9f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.094] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.094] GetProcessHeap () returned 0xbc0000 [0052.094] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.094] GetProcessHeap () returned 0xbc0000 [0052.094] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.094] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x18cba80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.094] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.102] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x18cba80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.102] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.102] GetProcessHeap () returned 0xbc0000 [0052.102] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.102] GetProcessHeap () returned 0xbc0000 [0052.102] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.102] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1908b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.102] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.119] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1908b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.119] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.119] GetProcessHeap () returned 0xbc0000 [0052.119] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.119] GetProcessHeap () returned 0xbc0000 [0052.119] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.119] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1945ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.119] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.126] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1945ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.126] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.127] GetProcessHeap () returned 0xbc0000 [0052.127] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.127] GetProcessHeap () returned 0xbc0000 [0052.127] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.127] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1982c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.127] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.134] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1982c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.134] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.135] GetProcessHeap () returned 0xbc0000 [0052.135] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.135] GetProcessHeap () returned 0xbc0000 [0052.135] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.135] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x19bfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.135] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.143] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x19bfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.143] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.143] GetProcessHeap () returned 0xbc0000 [0052.143] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.143] GetProcessHeap () returned 0xbc0000 [0052.143] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.143] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x19fcd50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.143] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.198] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x19fcd50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.199] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.200] GetProcessHeap () returned 0xbc0000 [0052.200] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.200] GetProcessHeap () returned 0xbc0000 [0052.200] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.200] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1a39de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.200] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.207] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1a39de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.207] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.207] GetProcessHeap () returned 0xbc0000 [0052.207] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.207] GetProcessHeap () returned 0xbc0000 [0052.207] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.208] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1a76e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.208] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.218] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1a76e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.218] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.218] GetProcessHeap () returned 0xbc0000 [0052.218] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.218] GetProcessHeap () returned 0xbc0000 [0052.218] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.218] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ab3f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.218] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.226] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ab3f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.226] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.226] GetProcessHeap () returned 0xbc0000 [0052.226] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.226] GetProcessHeap () returned 0xbc0000 [0052.226] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.226] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1af0f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.226] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.248] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1af0f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.248] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.249] GetProcessHeap () returned 0xbc0000 [0052.249] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.249] GetProcessHeap () returned 0xbc0000 [0052.249] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.249] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1b2e020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.249] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.256] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1b2e020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.256] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.257] GetProcessHeap () returned 0xbc0000 [0052.257] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.257] GetProcessHeap () returned 0xbc0000 [0052.257] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.257] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1b6b0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.257] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.264] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1b6b0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.264] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.265] GetProcessHeap () returned 0xbc0000 [0052.265] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.265] GetProcessHeap () returned 0xbc0000 [0052.265] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.265] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ba8140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.265] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.272] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ba8140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.272] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.273] GetProcessHeap () returned 0xbc0000 [0052.273] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.273] GetProcessHeap () returned 0xbc0000 [0052.273] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.274] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1be51d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.274] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.335] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1be51d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.335] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.336] GetProcessHeap () returned 0xbc0000 [0052.336] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.336] GetProcessHeap () returned 0xbc0000 [0052.336] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.336] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1c22260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.336] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.343] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1c22260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.343] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.344] GetProcessHeap () returned 0xbc0000 [0052.344] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.344] GetProcessHeap () returned 0xbc0000 [0052.344] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.344] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1c5f2f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.344] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.351] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1c5f2f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.351] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.352] GetProcessHeap () returned 0xbc0000 [0052.352] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.352] GetProcessHeap () returned 0xbc0000 [0052.352] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.352] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1c9c380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.352] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.359] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1c9c380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.359] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.360] GetProcessHeap () returned 0xbc0000 [0052.360] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.360] GetProcessHeap () returned 0xbc0000 [0052.360] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.360] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1cd9410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.360] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.367] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1cd9410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.367] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.368] GetProcessHeap () returned 0xbc0000 [0052.368] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.368] GetProcessHeap () returned 0xbc0000 [0052.368] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.368] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1d164a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.368] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.397] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1d164a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.397] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.397] GetProcessHeap () returned 0xbc0000 [0052.397] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.397] GetProcessHeap () returned 0xbc0000 [0052.397] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.397] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1d53530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.398] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.405] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1d53530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.405] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.405] GetProcessHeap () returned 0xbc0000 [0052.405] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.405] GetProcessHeap () returned 0xbc0000 [0052.405] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.405] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1d905c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.405] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.413] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1d905c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.413] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.413] GetProcessHeap () returned 0xbc0000 [0052.413] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.413] GetProcessHeap () returned 0xbc0000 [0052.413] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.413] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1dcd650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.413] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.421] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1dcd650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.421] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.421] GetProcessHeap () returned 0xbc0000 [0052.421] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.421] GetProcessHeap () returned 0xbc0000 [0052.421] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.421] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e0a6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.421] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.452] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e0a6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.452] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.452] GetProcessHeap () returned 0xbc0000 [0052.452] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.452] GetProcessHeap () returned 0xbc0000 [0052.452] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.452] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e47770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.453] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.460] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e47770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.460] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.461] GetProcessHeap () returned 0xbc0000 [0052.461] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.461] GetProcessHeap () returned 0xbc0000 [0052.461] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.461] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e84800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.461] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.468] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1e84800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.468] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.468] GetProcessHeap () returned 0xbc0000 [0052.468] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.468] GetProcessHeap () returned 0xbc0000 [0052.468] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.469] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ec1890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.469] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.478] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ec1890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.478] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.478] GetProcessHeap () returned 0xbc0000 [0052.478] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.478] GetProcessHeap () returned 0xbc0000 [0052.478] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.478] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1efe920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.478] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.495] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1efe920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.495] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.496] GetProcessHeap () returned 0xbc0000 [0052.496] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.496] GetProcessHeap () returned 0xbc0000 [0052.496] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.496] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1f3b9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.496] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.503] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1f3b9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.503] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.503] GetProcessHeap () returned 0xbc0000 [0052.504] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.504] GetProcessHeap () returned 0xbc0000 [0052.504] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.504] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1f78a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.504] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.511] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1f78a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.511] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.511] GetProcessHeap () returned 0xbc0000 [0052.511] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.511] GetProcessHeap () returned 0xbc0000 [0052.511] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.511] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1fb5ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.511] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.519] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1fb5ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.519] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.519] GetProcessHeap () returned 0xbc0000 [0052.519] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.519] GetProcessHeap () returned 0xbc0000 [0052.532] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.532] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ff2b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.532] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.575] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x1ff2b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.575] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.577] GetProcessHeap () returned 0xbc0000 [0052.577] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.577] GetProcessHeap () returned 0xbc0000 [0052.577] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.577] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x202fbf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.577] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.586] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x202fbf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.586] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.586] GetProcessHeap () returned 0xbc0000 [0052.587] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.587] GetProcessHeap () returned 0xbc0000 [0052.587] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.587] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x206cc80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.587] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.594] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x206cc80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.594] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.594] GetProcessHeap () returned 0xbc0000 [0052.594] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.594] GetProcessHeap () returned 0xbc0000 [0052.594] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.594] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x20a9d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.594] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.605] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x20a9d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.605] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.605] GetProcessHeap () returned 0xbc0000 [0052.605] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.605] GetProcessHeap () returned 0xbc0000 [0052.605] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.605] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x20e6da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.605] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.642] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x20e6da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.642] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.644] GetProcessHeap () returned 0xbc0000 [0052.644] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.644] GetProcessHeap () returned 0xbc0000 [0052.644] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.644] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2123e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.644] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.651] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2123e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.651] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.651] GetProcessHeap () returned 0xbc0000 [0052.651] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.651] GetProcessHeap () returned 0xbc0000 [0052.651] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.651] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2160ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.651] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.659] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2160ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.659] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.659] GetProcessHeap () returned 0xbc0000 [0052.659] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.659] GetProcessHeap () returned 0xbc0000 [0052.659] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.659] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x219df50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.659] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.671] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x219df50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.671] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.671] GetProcessHeap () returned 0xbc0000 [0052.671] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.672] GetProcessHeap () returned 0xbc0000 [0052.672] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.672] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x21dafe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.672] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.703] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x21dafe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.703] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.703] GetProcessHeap () returned 0xbc0000 [0052.703] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.703] GetProcessHeap () returned 0xbc0000 [0052.703] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.703] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2218070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.703] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.737] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2218070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.737] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.738] GetProcessHeap () returned 0xbc0000 [0052.738] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.738] GetProcessHeap () returned 0xbc0000 [0052.738] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.738] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2255100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.738] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.748] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2255100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.748] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.748] GetProcessHeap () returned 0xbc0000 [0052.748] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.748] GetProcessHeap () returned 0xbc0000 [0052.749] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.749] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2292190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.749] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.756] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2292190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.756] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.757] GetProcessHeap () returned 0xbc0000 [0052.757] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.757] GetProcessHeap () returned 0xbc0000 [0052.757] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.757] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x22cf220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.757] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.773] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x22cf220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.773] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.774] GetProcessHeap () returned 0xbc0000 [0052.774] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.774] GetProcessHeap () returned 0xbc0000 [0052.774] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.774] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x230c2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.774] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.795] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x230c2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.795] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.796] GetProcessHeap () returned 0xbc0000 [0052.796] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.796] GetProcessHeap () returned 0xbc0000 [0052.796] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.796] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2349340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.796] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.804] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2349340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.804] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.804] GetProcessHeap () returned 0xbc0000 [0052.804] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.804] GetProcessHeap () returned 0xbc0000 [0052.804] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.804] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x23863d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.804] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.811] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x23863d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.811] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.812] GetProcessHeap () returned 0xbc0000 [0052.812] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.812] GetProcessHeap () returned 0xbc0000 [0052.812] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.812] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x23c3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.812] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.825] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x23c3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.825] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.826] GetProcessHeap () returned 0xbc0000 [0052.826] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.826] GetProcessHeap () returned 0xbc0000 [0052.826] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.826] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x24004f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.826] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.842] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x24004f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.842] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.842] GetProcessHeap () returned 0xbc0000 [0052.842] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.842] GetProcessHeap () returned 0xbc0000 [0052.842] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.842] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x243d580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.842] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.850] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x243d580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.850] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.850] GetProcessHeap () returned 0xbc0000 [0052.850] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.850] GetProcessHeap () returned 0xbc0000 [0052.850] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.850] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x247a610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.850] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.858] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x247a610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.858] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.858] GetProcessHeap () returned 0xbc0000 [0052.858] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.858] GetProcessHeap () returned 0xbc0000 [0052.858] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.858] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x24b76a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.858] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.878] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x24b76a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.878] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.878] GetProcessHeap () returned 0xbc0000 [0052.878] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.878] GetProcessHeap () returned 0xbc0000 [0052.878] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.878] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x24f4730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.878] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.901] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x24f4730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.901] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.902] GetProcessHeap () returned 0xbc0000 [0052.902] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.902] GetProcessHeap () returned 0xbc0000 [0052.902] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.902] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x25317c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.902] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.909] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x25317c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.909] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.910] GetProcessHeap () returned 0xbc0000 [0052.910] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.910] GetProcessHeap () returned 0xbc0000 [0052.910] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.910] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x256e850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.910] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.917] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x256e850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.917] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.918] GetProcessHeap () returned 0xbc0000 [0052.918] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.918] GetProcessHeap () returned 0xbc0000 [0052.918] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.918] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x25ab8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.918] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.956] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x25ab8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.957] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.958] GetProcessHeap () returned 0xbc0000 [0052.958] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.958] GetProcessHeap () returned 0xbc0000 [0052.958] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.958] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x25e8970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.958] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0052.996] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x25e8970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.996] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0052.998] GetProcessHeap () returned 0xbc0000 [0052.998] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0052.998] GetProcessHeap () returned 0xbc0000 [0052.998] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0052.998] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2625a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0052.998] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.005] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2625a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.005] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.005] GetProcessHeap () returned 0xbc0000 [0053.005] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.005] GetProcessHeap () returned 0xbc0000 [0053.005] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.006] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2662a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.006] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.012] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2662a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.012] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.013] GetProcessHeap () returned 0xbc0000 [0053.013] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.013] GetProcessHeap () returned 0xbc0000 [0053.013] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.013] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x269fb20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.013] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.043] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x269fb20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.043] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.044] GetProcessHeap () returned 0xbc0000 [0053.044] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.044] GetProcessHeap () returned 0xbc0000 [0053.044] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.044] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x26dcbb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.044] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.052] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x26dcbb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.052] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.052] GetProcessHeap () returned 0xbc0000 [0053.052] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.052] GetProcessHeap () returned 0xbc0000 [0053.052] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.052] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2719c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.052] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.212] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2719c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.212] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.213] GetProcessHeap () returned 0xbc0000 [0053.213] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.213] GetProcessHeap () returned 0xbc0000 [0053.213] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.213] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2756cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.213] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.220] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2756cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.220] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.220] GetProcessHeap () returned 0xbc0000 [0053.221] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.221] GetProcessHeap () returned 0xbc0000 [0053.221] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.221] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2793d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.221] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.234] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2793d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.234] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.235] GetProcessHeap () returned 0xbc0000 [0053.235] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.235] GetProcessHeap () returned 0xbc0000 [0053.235] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.235] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x27d0df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.235] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.242] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x27d0df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.242] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.243] GetProcessHeap () returned 0xbc0000 [0053.243] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.243] GetProcessHeap () returned 0xbc0000 [0053.243] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.243] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x280de80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.243] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.280] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x280de80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.281] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.281] GetProcessHeap () returned 0xbc0000 [0053.281] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.281] GetProcessHeap () returned 0xbc0000 [0053.281] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.281] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x284af10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.281] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.288] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x284af10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.288] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.289] GetProcessHeap () returned 0xbc0000 [0053.289] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.289] GetProcessHeap () returned 0xbc0000 [0053.289] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.289] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2887fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.289] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.299] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2887fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.299] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.300] GetProcessHeap () returned 0xbc0000 [0053.300] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.300] GetProcessHeap () returned 0xbc0000 [0053.300] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.300] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x28c5030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.300] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.307] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x28c5030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.307] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.308] GetProcessHeap () returned 0xbc0000 [0053.308] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.308] GetProcessHeap () returned 0xbc0000 [0053.308] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.308] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29020c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.308] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.353] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29020c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.353] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.354] GetProcessHeap () returned 0xbc0000 [0053.354] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.354] GetProcessHeap () returned 0xbc0000 [0053.354] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.354] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x293f150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.354] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.361] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x293f150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.361] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.362] GetProcessHeap () returned 0xbc0000 [0053.362] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.362] GetProcessHeap () returned 0xbc0000 [0053.362] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.362] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x297c1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.362] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.377] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x297c1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.377] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.377] GetProcessHeap () returned 0xbc0000 [0053.377] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.377] GetProcessHeap () returned 0xbc0000 [0053.377] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.377] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29b9270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.378] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.388] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29b9270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.388] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.388] GetProcessHeap () returned 0xbc0000 [0053.388] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.388] GetProcessHeap () returned 0xbc0000 [0053.388] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.388] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29f6300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.388] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.456] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29f6300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.456] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.458] GetProcessHeap () returned 0xbc0000 [0053.458] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.458] GetProcessHeap () returned 0xbc0000 [0053.458] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.458] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2a33390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.458] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.465] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2a33390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.465] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.465] GetProcessHeap () returned 0xbc0000 [0053.465] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.465] GetProcessHeap () returned 0xbc0000 [0053.465] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.465] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2a70420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.466] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.490] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2a70420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.490] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.491] GetProcessHeap () returned 0xbc0000 [0053.491] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.491] GetProcessHeap () returned 0xbc0000 [0053.491] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.491] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2aad4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.491] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.498] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2aad4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.498] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.498] GetProcessHeap () returned 0xbc0000 [0053.498] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.498] GetProcessHeap () returned 0xbc0000 [0053.498] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.498] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2aea540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.499] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.528] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2aea540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.528] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.529] GetProcessHeap () returned 0xbc0000 [0053.529] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.529] GetProcessHeap () returned 0xbc0000 [0053.529] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.529] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2b275d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.529] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.537] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2b275d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.537] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.537] GetProcessHeap () returned 0xbc0000 [0053.537] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.537] GetProcessHeap () returned 0xbc0000 [0053.537] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.537] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2b64660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.538] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.548] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2b64660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.548] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.548] GetProcessHeap () returned 0xbc0000 [0053.548] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.548] GetProcessHeap () returned 0xbc0000 [0053.548] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.548] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2ba16f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.548] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.555] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2ba16f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.555] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.556] GetProcessHeap () returned 0xbc0000 [0053.556] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.556] GetProcessHeap () returned 0xbc0000 [0053.556] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.556] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2bde780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.556] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.564] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2bde780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.564] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.564] GetProcessHeap () returned 0xbc0000 [0053.564] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.564] GetProcessHeap () returned 0xbc0000 [0053.564] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.564] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2c1b810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.564] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.661] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2c1b810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.661] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.662] GetProcessHeap () returned 0xbc0000 [0053.662] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.662] GetProcessHeap () returned 0xbc0000 [0053.662] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.662] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2c588a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.662] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.669] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2c588a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.669] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.669] GetProcessHeap () returned 0xbc0000 [0053.669] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.669] GetProcessHeap () returned 0xbc0000 [0053.670] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.670] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2c95930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.670] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.678] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2c95930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.678] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.678] GetProcessHeap () returned 0xbc0000 [0053.678] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.678] GetProcessHeap () returned 0xbc0000 [0053.678] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.678] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2cd29c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.678] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.685] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2cd29c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.685] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.686] GetProcessHeap () returned 0xbc0000 [0053.686] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.686] GetProcessHeap () returned 0xbc0000 [0053.686] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.686] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2d0fa50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.686] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.700] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2d0fa50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.700] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.700] GetProcessHeap () returned 0xbc0000 [0053.700] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.700] GetProcessHeap () returned 0xbc0000 [0053.701] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.701] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2d4cae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.701] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.713] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2d4cae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.713] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.714] GetProcessHeap () returned 0xbc0000 [0053.714] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.714] GetProcessHeap () returned 0xbc0000 [0053.714] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.714] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2d89b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.714] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.721] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2d89b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.721] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.722] GetProcessHeap () returned 0xbc0000 [0053.722] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.722] GetProcessHeap () returned 0xbc0000 [0053.722] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.722] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2dc6c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.722] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.729] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2dc6c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.729] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.729] GetProcessHeap () returned 0xbc0000 [0053.730] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.730] GetProcessHeap () returned 0xbc0000 [0053.730] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.730] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2e03c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.730] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.743] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2e03c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.743] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.743] GetProcessHeap () returned 0xbc0000 [0053.744] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.744] GetProcessHeap () returned 0xbc0000 [0053.744] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.744] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2e40d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.744] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.754] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2e40d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.754] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.754] GetProcessHeap () returned 0xbc0000 [0053.754] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.754] GetProcessHeap () returned 0xbc0000 [0053.754] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.754] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2e7ddb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.754] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.761] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2e7ddb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.761] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.762] GetProcessHeap () returned 0xbc0000 [0053.762] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.762] GetProcessHeap () returned 0xbc0000 [0053.762] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.762] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2ebae40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.762] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.769] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2ebae40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.769] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.770] GetProcessHeap () returned 0xbc0000 [0053.770] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.770] GetProcessHeap () returned 0xbc0000 [0053.770] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.770] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2ef7ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.770] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.790] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2ef7ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.790] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.791] GetProcessHeap () returned 0xbc0000 [0053.791] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.791] GetProcessHeap () returned 0xbc0000 [0053.791] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.791] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2f34f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.791] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.831] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2f34f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.831] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.831] GetProcessHeap () returned 0xbc0000 [0053.831] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.831] GetProcessHeap () returned 0xbc0000 [0053.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.831] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2f71ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.831] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.838] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2f71ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.838] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.839] GetProcessHeap () returned 0xbc0000 [0053.839] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.839] GetProcessHeap () returned 0xbc0000 [0053.839] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.839] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2faf080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.839] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.848] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2faf080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.848] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.848] GetProcessHeap () returned 0xbc0000 [0053.848] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.848] GetProcessHeap () returned 0xbc0000 [0053.848] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.848] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2fec110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.848] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0053.885] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x2fec110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.885] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0053.886] GetProcessHeap () returned 0xbc0000 [0053.886] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0053.886] GetProcessHeap () returned 0xbc0000 [0053.886] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0053.886] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x30291a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0053.886] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.075] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x30291a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.075] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.076] GetProcessHeap () returned 0xbc0000 [0054.076] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.076] GetProcessHeap () returned 0xbc0000 [0054.076] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.076] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3066230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.076] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.083] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3066230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.084] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.084] GetProcessHeap () returned 0xbc0000 [0054.084] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.084] GetProcessHeap () returned 0xbc0000 [0054.084] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.084] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x30a32c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.084] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.090] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x30a32c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.091] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.091] GetProcessHeap () returned 0xbc0000 [0054.091] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.091] GetProcessHeap () returned 0xbc0000 [0054.091] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.091] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x30e0350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.091] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.098] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x30e0350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.098] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.099] GetProcessHeap () returned 0xbc0000 [0054.099] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.099] GetProcessHeap () returned 0xbc0000 [0054.099] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.099] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x311d3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.099] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.131] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x311d3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.131] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.132] GetProcessHeap () returned 0xbc0000 [0054.132] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.132] GetProcessHeap () returned 0xbc0000 [0054.132] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.132] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x315a470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.132] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.139] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x315a470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.140] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.140] GetProcessHeap () returned 0xbc0000 [0054.140] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.140] GetProcessHeap () returned 0xbc0000 [0054.140] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.140] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3197500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.140] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.223] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3197500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.223] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.223] GetProcessHeap () returned 0xbc0000 [0054.223] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.223] GetProcessHeap () returned 0xbc0000 [0054.223] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.223] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x31d4590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.223] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.231] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x31d4590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.231] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.231] GetProcessHeap () returned 0xbc0000 [0054.231] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.231] GetProcessHeap () returned 0xbc0000 [0054.231] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.231] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3211620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.231] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.256] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3211620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.256] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.256] GetProcessHeap () returned 0xbc0000 [0054.256] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.256] GetProcessHeap () returned 0xbc0000 [0054.256] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.257] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x324e6b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.257] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.264] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x324e6b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.265] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.266] GetProcessHeap () returned 0xbc0000 [0054.266] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.266] GetProcessHeap () returned 0xbc0000 [0054.266] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.266] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x328b740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.266] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.273] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x328b740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.273] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.273] GetProcessHeap () returned 0xbc0000 [0054.273] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.273] GetProcessHeap () returned 0xbc0000 [0054.273] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.273] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x32c87d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.273] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.283] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x32c87d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.283] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.283] GetProcessHeap () returned 0xbc0000 [0054.283] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.283] GetProcessHeap () returned 0xbc0000 [0054.283] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.283] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3305860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.283] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.372] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3305860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.372] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.372] GetProcessHeap () returned 0xbc0000 [0054.372] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.372] GetProcessHeap () returned 0xbc0000 [0054.372] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.372] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x33428f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.372] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.379] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x33428f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.380] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.380] GetProcessHeap () returned 0xbc0000 [0054.380] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.380] GetProcessHeap () returned 0xbc0000 [0054.380] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.380] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x337f980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.380] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.387] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x337f980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.387] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.388] GetProcessHeap () returned 0xbc0000 [0054.388] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.388] GetProcessHeap () returned 0xbc0000 [0054.388] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.388] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x33bca10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.388] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.396] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x33bca10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.396] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.396] GetProcessHeap () returned 0xbc0000 [0054.396] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.396] GetProcessHeap () returned 0xbc0000 [0054.396] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.396] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x33f9aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.396] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.414] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x33f9aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.414] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.415] GetProcessHeap () returned 0xbc0000 [0054.415] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.416] GetProcessHeap () returned 0xbc0000 [0054.416] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.416] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3436b30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.416] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.536] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3436b30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.536] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.537] GetProcessHeap () returned 0xbc0000 [0054.537] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.537] GetProcessHeap () returned 0xbc0000 [0054.537] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.537] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3473bc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.537] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.544] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3473bc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.544] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.545] GetProcessHeap () returned 0xbc0000 [0054.545] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.545] GetProcessHeap () returned 0xbc0000 [0054.545] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.545] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x34b0c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.545] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.552] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x34b0c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.552] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.552] GetProcessHeap () returned 0xbc0000 [0054.552] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.552] GetProcessHeap () returned 0xbc0000 [0054.552] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.553] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x34edce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.553] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.586] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x34edce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.587] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.588] GetProcessHeap () returned 0xbc0000 [0054.588] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.588] GetProcessHeap () returned 0xbc0000 [0054.588] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.588] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x352ad70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.588] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.607] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x352ad70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.607] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.608] GetProcessHeap () returned 0xbc0000 [0054.608] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.608] GetProcessHeap () returned 0xbc0000 [0054.608] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.608] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3567e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.608] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.616] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3567e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.616] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.617] GetProcessHeap () returned 0xbc0000 [0054.617] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.617] GetProcessHeap () returned 0xbc0000 [0054.617] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.617] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x35a4e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.617] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.624] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x35a4e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.624] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.625] GetProcessHeap () returned 0xbc0000 [0054.625] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.625] GetProcessHeap () returned 0xbc0000 [0054.625] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.625] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x35e1f20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.625] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.683] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x35e1f20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.683] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.686] GetProcessHeap () returned 0xbc0000 [0054.686] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.686] GetProcessHeap () returned 0xbc0000 [0054.686] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.686] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x361efb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.686] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.693] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x361efb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.693] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.694] GetProcessHeap () returned 0xbc0000 [0054.694] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.694] GetProcessHeap () returned 0xbc0000 [0054.694] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.694] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x365c040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.694] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.701] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x365c040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.701] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.702] GetProcessHeap () returned 0xbc0000 [0054.702] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.702] GetProcessHeap () returned 0xbc0000 [0054.702] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.702] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x36990d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.702] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.709] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x36990d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.709] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.709] GetProcessHeap () returned 0xbc0000 [0054.709] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.709] GetProcessHeap () returned 0xbc0000 [0054.709] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.709] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x36d6160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.709] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.717] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x36d6160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.717] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.717] GetProcessHeap () returned 0xbc0000 [0054.717] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.717] GetProcessHeap () returned 0xbc0000 [0054.717] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.717] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x37131f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.717] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.737] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x37131f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.737] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.737] GetProcessHeap () returned 0xbc0000 [0054.737] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.737] GetProcessHeap () returned 0xbc0000 [0054.737] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.737] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3750280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.737] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.745] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3750280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.745] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.745] GetProcessHeap () returned 0xbc0000 [0054.745] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.745] GetProcessHeap () returned 0xbc0000 [0054.745] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.745] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x378d310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.745] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.755] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x378d310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.755] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.755] GetProcessHeap () returned 0xbc0000 [0054.755] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.755] GetProcessHeap () returned 0xbc0000 [0054.755] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.756] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x37ca3a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.756] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.763] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x37ca3a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.763] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.764] GetProcessHeap () returned 0xbc0000 [0054.764] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.764] GetProcessHeap () returned 0xbc0000 [0054.764] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.764] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3807430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.764] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.784] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3807430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.784] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.785] GetProcessHeap () returned 0xbc0000 [0054.785] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.785] GetProcessHeap () returned 0xbc0000 [0054.785] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.785] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x38444c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.785] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.794] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x38444c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.794] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.795] GetProcessHeap () returned 0xbc0000 [0054.795] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.795] GetProcessHeap () returned 0xbc0000 [0054.795] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.795] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3881550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.795] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.802] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3881550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.802] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.802] GetProcessHeap () returned 0xbc0000 [0054.802] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.802] GetProcessHeap () returned 0xbc0000 [0054.802] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.802] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x38be5e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.802] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.810] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x38be5e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.810] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.810] GetProcessHeap () returned 0xbc0000 [0054.810] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.810] GetProcessHeap () returned 0xbc0000 [0054.810] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.810] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x38fb670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.810] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.897] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x38fb670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.897] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.905] GetProcessHeap () returned 0xbc0000 [0054.905] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.905] GetProcessHeap () returned 0xbc0000 [0054.905] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.905] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3938700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.905] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.912] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3938700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.913] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.913] GetProcessHeap () returned 0xbc0000 [0054.913] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.913] GetProcessHeap () returned 0xbc0000 [0054.913] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.913] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3975790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.913] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.921] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3975790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.921] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.921] GetProcessHeap () returned 0xbc0000 [0054.921] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.921] GetProcessHeap () returned 0xbc0000 [0054.921] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.921] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x39b2820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.921] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.929] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x39b2820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.929] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.929] GetProcessHeap () returned 0xbc0000 [0054.929] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.929] GetProcessHeap () returned 0xbc0000 [0054.929] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.929] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x39ef8b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.929] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.968] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x39ef8b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.968] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.969] GetProcessHeap () returned 0xbc0000 [0054.969] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.969] GetProcessHeap () returned 0xbc0000 [0054.969] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.969] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3a2c940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.969] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.977] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3a2c940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.977] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.978] GetProcessHeap () returned 0xbc0000 [0054.978] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.978] GetProcessHeap () returned 0xbc0000 [0054.978] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.978] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3a699d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.978] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.990] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3a699d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.990] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0054.991] GetProcessHeap () returned 0xbc0000 [0054.991] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0054.991] GetProcessHeap () returned 0xbc0000 [0054.991] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0054.991] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3aa6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.991] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0054.999] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3aa6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0054.999] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.000] GetProcessHeap () returned 0xbc0000 [0055.000] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.000] GetProcessHeap () returned 0xbc0000 [0055.000] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.000] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ae3af0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.000] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.014] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ae3af0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.014] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.015] GetProcessHeap () returned 0xbc0000 [0055.015] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.015] GetProcessHeap () returned 0xbc0000 [0055.015] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.015] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3b20b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.015] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.027] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3b20b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.027] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.028] GetProcessHeap () returned 0xbc0000 [0055.028] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.028] GetProcessHeap () returned 0xbc0000 [0055.028] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.028] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3b5dc10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.028] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.035] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3b5dc10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.035] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.035] GetProcessHeap () returned 0xbc0000 [0055.035] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.035] GetProcessHeap () returned 0xbc0000 [0055.035] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.035] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3b9aca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.035] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.042] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3b9aca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.042] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.043] GetProcessHeap () returned 0xbc0000 [0055.043] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.043] GetProcessHeap () returned 0xbc0000 [0055.043] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.044] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3bd7d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.044] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.051] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3bd7d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.051] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.051] GetProcessHeap () returned 0xbc0000 [0055.051] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.051] GetProcessHeap () returned 0xbc0000 [0055.051] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.051] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3c14dc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.052] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.076] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3c14dc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.076] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.076] GetProcessHeap () returned 0xbc0000 [0055.076] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.076] GetProcessHeap () returned 0xbc0000 [0055.076] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.076] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3c51e50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.076] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.083] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3c51e50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.083] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.084] GetProcessHeap () returned 0xbc0000 [0055.084] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.084] GetProcessHeap () returned 0xbc0000 [0055.084] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.084] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3c8eee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.084] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.108] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3c8eee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.112] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.124] GetProcessHeap () returned 0xbc0000 [0055.124] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.125] GetProcessHeap () returned 0xbc0000 [0055.125] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.137] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ccbf70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.137] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.144] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ccbf70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.144] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.144] GetProcessHeap () returned 0xbc0000 [0055.144] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.144] GetProcessHeap () returned 0xbc0000 [0055.144] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.144] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d09000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.144] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.165] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d09000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.165] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.166] GetProcessHeap () returned 0xbc0000 [0055.166] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.166] GetProcessHeap () returned 0xbc0000 [0055.166] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.166] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d46090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.166] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.179] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d46090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.179] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.180] GetProcessHeap () returned 0xbc0000 [0055.180] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.180] GetProcessHeap () returned 0xbc0000 [0055.180] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.180] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d83120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.180] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.210] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3d83120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.210] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.210] GetProcessHeap () returned 0xbc0000 [0055.210] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.210] GetProcessHeap () returned 0xbc0000 [0055.210] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.210] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3dc01b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.210] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.218] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3dc01b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.218] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.218] GetProcessHeap () returned 0xbc0000 [0055.218] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.218] GetProcessHeap () returned 0xbc0000 [0055.218] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.218] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3dfd240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.218] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.254] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3dfd240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.254] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.324] GetProcessHeap () returned 0xbc0000 [0055.324] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.324] GetProcessHeap () returned 0xbc0000 [0055.324] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.324] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3e3a2d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.324] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.343] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3e3a2d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.343] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.344] GetProcessHeap () returned 0xbc0000 [0055.344] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.344] GetProcessHeap () returned 0xbc0000 [0055.344] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.344] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3e77360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.344] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.351] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3e77360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.351] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.352] GetProcessHeap () returned 0xbc0000 [0055.352] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.352] GetProcessHeap () returned 0xbc0000 [0055.352] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.352] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3eb43f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.352] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.358] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3eb43f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.358] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.358] GetProcessHeap () returned 0xbc0000 [0055.358] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.358] GetProcessHeap () returned 0xbc0000 [0055.358] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.358] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ef1480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.358] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.413] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ef1480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.413] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.414] GetProcessHeap () returned 0xbc0000 [0055.414] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.414] GetProcessHeap () returned 0xbc0000 [0055.414] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.414] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3f2e510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.414] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.455] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3f2e510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.455] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.455] GetProcessHeap () returned 0xbc0000 [0055.455] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.456] GetProcessHeap () returned 0xbc0000 [0055.456] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.456] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3f6b5a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.456] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.578] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3f6b5a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.578] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.578] GetProcessHeap () returned 0xbc0000 [0055.578] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.578] GetProcessHeap () returned 0xbc0000 [0055.578] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.578] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3fa8630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.579] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.586] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3fa8630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.586] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.586] GetProcessHeap () returned 0xbc0000 [0055.586] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.587] GetProcessHeap () returned 0xbc0000 [0055.587] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.587] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3fe56c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.587] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.602] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3fe56c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.602] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.603] GetProcessHeap () returned 0xbc0000 [0055.603] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.603] GetProcessHeap () returned 0xbc0000 [0055.603] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.603] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4022750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.603] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.610] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4022750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.610] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.610] GetProcessHeap () returned 0xbc0000 [0055.610] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.610] GetProcessHeap () returned 0xbc0000 [0055.610] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.610] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x405f7e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.610] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.635] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x405f7e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.635] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.635] GetProcessHeap () returned 0xbc0000 [0055.635] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.635] GetProcessHeap () returned 0xbc0000 [0055.636] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.636] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x409c870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.636] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.643] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x409c870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.643] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.643] GetProcessHeap () returned 0xbc0000 [0055.643] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.643] GetProcessHeap () returned 0xbc0000 [0055.643] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.643] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x40d9900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.643] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.651] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x40d9900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.651] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.651] GetProcessHeap () returned 0xbc0000 [0055.651] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.651] GetProcessHeap () returned 0xbc0000 [0055.651] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.651] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4116990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.651] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.713] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4116990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.713] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.714] GetProcessHeap () returned 0xbc0000 [0055.714] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.714] GetProcessHeap () returned 0xbc0000 [0055.714] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.714] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4153a20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.714] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.723] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4153a20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.723] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.724] GetProcessHeap () returned 0xbc0000 [0055.724] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.724] GetProcessHeap () returned 0xbc0000 [0055.724] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.724] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4190ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.724] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.731] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4190ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.731] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.732] GetProcessHeap () returned 0xbc0000 [0055.732] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.732] GetProcessHeap () returned 0xbc0000 [0055.732] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.732] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x41cdb40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.732] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.739] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x41cdb40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.739] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.739] GetProcessHeap () returned 0xbc0000 [0055.739] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.739] GetProcessHeap () returned 0xbc0000 [0055.739] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.739] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x420abd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.740] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0055.829] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x420abd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.829] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0055.829] GetProcessHeap () returned 0xbc0000 [0055.829] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0055.829] GetProcessHeap () returned 0xbc0000 [0055.829] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0055.830] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4247c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0055.830] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.044] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4247c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.044] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.044] GetProcessHeap () returned 0xbc0000 [0056.044] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.044] GetProcessHeap () returned 0xbc0000 [0056.044] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.044] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4284cf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.044] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.050] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4284cf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.050] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.051] GetProcessHeap () returned 0xbc0000 [0056.051] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.051] GetProcessHeap () returned 0xbc0000 [0056.051] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.051] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x42c1d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.051] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.060] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x42c1d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.060] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.061] GetProcessHeap () returned 0xbc0000 [0056.061] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.061] GetProcessHeap () returned 0xbc0000 [0056.061] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.061] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x42fee10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.061] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.074] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x42fee10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.074] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.081] GetProcessHeap () returned 0xbc0000 [0056.081] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.081] GetProcessHeap () returned 0xbc0000 [0056.081] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.081] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x433bea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.081] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.088] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x433bea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.088] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.088] GetProcessHeap () returned 0xbc0000 [0056.088] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.088] GetProcessHeap () returned 0xbc0000 [0056.088] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.088] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4378f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.088] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.096] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4378f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.096] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.096] GetProcessHeap () returned 0xbc0000 [0056.096] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.096] GetProcessHeap () returned 0xbc0000 [0056.096] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.096] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x43b5fc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.096] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.103] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x43b5fc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.103] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.104] GetProcessHeap () returned 0xbc0000 [0056.104] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.104] GetProcessHeap () returned 0xbc0000 [0056.104] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.104] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x43f3050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.104] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.142] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x43f3050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.142] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.143] GetProcessHeap () returned 0xbc0000 [0056.143] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.143] GetProcessHeap () returned 0xbc0000 [0056.143] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.143] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44300e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.143] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.175] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44300e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.175] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.175] GetProcessHeap () returned 0xbc0000 [0056.175] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.175] GetProcessHeap () returned 0xbc0000 [0056.175] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.175] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x446d170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.175] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.182] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x446d170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.182] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.183] GetProcessHeap () returned 0xbc0000 [0056.183] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.183] GetProcessHeap () returned 0xbc0000 [0056.183] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.183] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44aa200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.183] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.218] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44aa200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.218] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.218] GetProcessHeap () returned 0xbc0000 [0056.218] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.218] GetProcessHeap () returned 0xbc0000 [0056.219] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.219] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44e7290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.219] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.239] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x44e7290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.239] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.240] GetProcessHeap () returned 0xbc0000 [0056.240] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.240] GetProcessHeap () returned 0xbc0000 [0056.240] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.240] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4524320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.240] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.312] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4524320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.312] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.313] GetProcessHeap () returned 0xbc0000 [0056.313] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.313] GetProcessHeap () returned 0xbc0000 [0056.313] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.313] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x45613b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.313] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.320] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x45613b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.320] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.320] GetProcessHeap () returned 0xbc0000 [0056.320] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.320] GetProcessHeap () returned 0xbc0000 [0056.321] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.321] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x459e440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.321] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.341] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x459e440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.341] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.341] GetProcessHeap () returned 0xbc0000 [0056.341] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.341] GetProcessHeap () returned 0xbc0000 [0056.341] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.341] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x45db4d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.341] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.350] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x45db4d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.350] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.351] GetProcessHeap () returned 0xbc0000 [0056.351] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.351] GetProcessHeap () returned 0xbc0000 [0056.351] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.351] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4618560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.351] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.390] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4618560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.390] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.390] GetProcessHeap () returned 0xbc0000 [0056.390] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.390] GetProcessHeap () returned 0xbc0000 [0056.390] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.390] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x46555f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.390] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.397] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x46555f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.397] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.398] GetProcessHeap () returned 0xbc0000 [0056.398] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.398] GetProcessHeap () returned 0xbc0000 [0056.398] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.398] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4692680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.398] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.404] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4692680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.404] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.405] GetProcessHeap () returned 0xbc0000 [0056.405] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.405] GetProcessHeap () returned 0xbc0000 [0056.405] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.405] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x46cf710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.405] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.447] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x46cf710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.447] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.447] GetProcessHeap () returned 0xbc0000 [0056.447] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.447] GetProcessHeap () returned 0xbc0000 [0056.447] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.448] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x470c7a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.448] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.494] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x470c7a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.494] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.495] GetProcessHeap () returned 0xbc0000 [0056.495] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.495] GetProcessHeap () returned 0xbc0000 [0056.495] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.495] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4749830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.495] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.502] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4749830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.502] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.502] GetProcessHeap () returned 0xbc0000 [0056.502] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.502] GetProcessHeap () returned 0xbc0000 [0056.502] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.502] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x47868c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.502] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.509] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x47868c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.509] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.510] GetProcessHeap () returned 0xbc0000 [0056.510] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.510] GetProcessHeap () returned 0xbc0000 [0056.510] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.510] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x47c3950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.510] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.524] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x47c3950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.524] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.524] GetProcessHeap () returned 0xbc0000 [0056.524] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.524] GetProcessHeap () returned 0xbc0000 [0056.524] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.524] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x48009e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.524] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.734] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x48009e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.734] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.735] GetProcessHeap () returned 0xbc0000 [0056.735] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.735] GetProcessHeap () returned 0xbc0000 [0056.735] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.735] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x483da70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.735] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.742] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x483da70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.742] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.743] GetProcessHeap () returned 0xbc0000 [0056.743] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.743] GetProcessHeap () returned 0xbc0000 [0056.743] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.743] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x487ab00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.743] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.750] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x487ab00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.750] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.751] GetProcessHeap () returned 0xbc0000 [0056.751] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.751] GetProcessHeap () returned 0xbc0000 [0056.751] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.751] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x48b7b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.751] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.772] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x48b7b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.772] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.773] GetProcessHeap () returned 0xbc0000 [0056.773] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.773] GetProcessHeap () returned 0xbc0000 [0056.773] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.773] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x48f4c20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.773] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.816] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x48f4c20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.816] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.817] GetProcessHeap () returned 0xbc0000 [0056.817] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.817] GetProcessHeap () returned 0xbc0000 [0056.817] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.817] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4931cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.817] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.824] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4931cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.825] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.825] GetProcessHeap () returned 0xbc0000 [0056.825] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.825] GetProcessHeap () returned 0xbc0000 [0056.825] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.825] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x496ed40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.825] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.832] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x496ed40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.832] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.833] GetProcessHeap () returned 0xbc0000 [0056.833] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.833] GetProcessHeap () returned 0xbc0000 [0056.833] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.833] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x49abdd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.833] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.842] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x49abdd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.843] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.843] GetProcessHeap () returned 0xbc0000 [0056.843] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.843] GetProcessHeap () returned 0xbc0000 [0056.843] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.843] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x49e8e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.843] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.862] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x49e8e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.862] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.863] GetProcessHeap () returned 0xbc0000 [0056.863] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.863] GetProcessHeap () returned 0xbc0000 [0056.863] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.863] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4a25ef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.864] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.871] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4a25ef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.871] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.871] GetProcessHeap () returned 0xbc0000 [0056.871] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.871] GetProcessHeap () returned 0xbc0000 [0056.871] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.871] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4a62f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.871] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.878] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4a62f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.878] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.878] GetProcessHeap () returned 0xbc0000 [0056.878] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.878] GetProcessHeap () returned 0xbc0000 [0056.878] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.878] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4aa0010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.878] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.888] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4aa0010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.889] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.889] GetProcessHeap () returned 0xbc0000 [0056.889] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.889] GetProcessHeap () returned 0xbc0000 [0056.889] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.889] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4add0a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.889] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.896] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4add0a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.896] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.896] GetProcessHeap () returned 0xbc0000 [0056.897] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.897] GetProcessHeap () returned 0xbc0000 [0056.897] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.897] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4b1a130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.897] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.914] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4b1a130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.914] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.915] GetProcessHeap () returned 0xbc0000 [0056.915] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.915] GetProcessHeap () returned 0xbc0000 [0056.915] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.915] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4b571c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.915] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.922] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4b571c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.922] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.922] GetProcessHeap () returned 0xbc0000 [0056.922] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.922] GetProcessHeap () returned 0xbc0000 [0056.922] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.922] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4b94250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.922] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.961] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4b94250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.961] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.961] GetProcessHeap () returned 0xbc0000 [0056.961] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.961] GetProcessHeap () returned 0xbc0000 [0056.961] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.961] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4bd12e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.961] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.969] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4bd12e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.969] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.969] GetProcessHeap () returned 0xbc0000 [0056.969] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.969] GetProcessHeap () returned 0xbc0000 [0056.969] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.969] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c0e370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.969] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.982] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c0e370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.982] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.983] GetProcessHeap () returned 0xbc0000 [0056.983] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.983] GetProcessHeap () returned 0xbc0000 [0056.983] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.983] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c4b400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.983] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0056.990] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c4b400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.990] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0056.990] GetProcessHeap () returned 0xbc0000 [0056.990] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0056.990] GetProcessHeap () returned 0xbc0000 [0056.990] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0056.990] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c88490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0056.990] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.001] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4c88490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.002] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.002] GetProcessHeap () returned 0xbc0000 [0057.002] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.002] GetProcessHeap () returned 0xbc0000 [0057.002] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.002] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4cc5520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.002] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.009] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4cc5520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.009] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.009] GetProcessHeap () returned 0xbc0000 [0057.010] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.010] GetProcessHeap () returned 0xbc0000 [0057.010] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.010] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4d025b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.010] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.025] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4d025b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.025] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.025] GetProcessHeap () returned 0xbc0000 [0057.025] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.025] GetProcessHeap () returned 0xbc0000 [0057.025] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.025] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4d3f640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.025] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.032] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4d3f640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.033] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.033] GetProcessHeap () returned 0xbc0000 [0057.033] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.033] GetProcessHeap () returned 0xbc0000 [0057.033] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.033] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4d7c6d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.033] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.040] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4d7c6d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.040] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.040] GetProcessHeap () returned 0xbc0000 [0057.040] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.040] GetProcessHeap () returned 0xbc0000 [0057.040] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.040] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4db9760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.041] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.051] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4db9760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.051] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.052] GetProcessHeap () returned 0xbc0000 [0057.052] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.052] GetProcessHeap () returned 0xbc0000 [0057.052] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.052] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4df67f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.052] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.088] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4df67f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.088] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.090] GetProcessHeap () returned 0xbc0000 [0057.090] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.090] GetProcessHeap () returned 0xbc0000 [0057.090] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.090] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4e33880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.090] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.099] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4e33880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.099] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.099] GetProcessHeap () returned 0xbc0000 [0057.099] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.099] GetProcessHeap () returned 0xbc0000 [0057.099] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.099] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4e70910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.099] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.106] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4e70910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.106] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.107] GetProcessHeap () returned 0xbc0000 [0057.107] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.107] GetProcessHeap () returned 0xbc0000 [0057.107] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.107] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4ead9a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.107] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.118] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4ead9a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.118] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.119] GetProcessHeap () returned 0xbc0000 [0057.119] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.119] GetProcessHeap () returned 0xbc0000 [0057.119] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.119] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4eeaa30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.119] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.136] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4eeaa30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.136] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.138] GetProcessHeap () returned 0xbc0000 [0057.138] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.138] GetProcessHeap () returned 0xbc0000 [0057.138] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.138] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4f27ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.138] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.145] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4f27ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.145] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.146] GetProcessHeap () returned 0xbc0000 [0057.146] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.146] GetProcessHeap () returned 0xbc0000 [0057.146] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.146] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4f64b50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.146] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.154] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4f64b50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.154] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.154] GetProcessHeap () returned 0xbc0000 [0057.154] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.154] GetProcessHeap () returned 0xbc0000 [0057.154] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.154] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4fa1be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.154] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.162] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4fa1be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.162] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.163] GetProcessHeap () returned 0xbc0000 [0057.163] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.163] GetProcessHeap () returned 0xbc0000 [0057.163] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.163] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4fdec70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.163] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.171] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4fdec70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.171] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.171] GetProcessHeap () returned 0xbc0000 [0057.171] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.171] GetProcessHeap () returned 0xbc0000 [0057.171] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.171] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x501bd00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.171] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.266] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x501bd00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.266] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.266] GetProcessHeap () returned 0xbc0000 [0057.266] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.266] GetProcessHeap () returned 0xbc0000 [0057.266] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.266] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5058d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.266] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.274] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5058d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.274] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.274] GetProcessHeap () returned 0xbc0000 [0057.274] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.274] GetProcessHeap () returned 0xbc0000 [0057.274] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.274] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5095e20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.274] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.341] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5095e20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.341] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.342] GetProcessHeap () returned 0xbc0000 [0057.342] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.342] GetProcessHeap () returned 0xbc0000 [0057.342] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.342] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x50d2eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.342] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.347] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x50d2eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.347] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.348] GetProcessHeap () returned 0xbc0000 [0057.348] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.348] GetProcessHeap () returned 0xbc0000 [0057.348] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.348] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x510ff40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.348] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.362] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x510ff40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.362] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.362] GetProcessHeap () returned 0xbc0000 [0057.362] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.362] GetProcessHeap () returned 0xbc0000 [0057.362] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.362] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x514cfd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.362] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.370] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x514cfd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.370] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.370] GetProcessHeap () returned 0xbc0000 [0057.370] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.370] GetProcessHeap () returned 0xbc0000 [0057.370] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.370] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x518a060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.370] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.389] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x518a060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.389] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.390] GetProcessHeap () returned 0xbc0000 [0057.390] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.390] GetProcessHeap () returned 0xbc0000 [0057.390] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.390] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x51c70f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.390] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.395] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x51c70f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.396] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.396] GetProcessHeap () returned 0xbc0000 [0057.396] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.396] GetProcessHeap () returned 0xbc0000 [0057.396] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.396] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5204180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.396] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.409] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5204180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.409] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.410] GetProcessHeap () returned 0xbc0000 [0057.410] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.410] GetProcessHeap () returned 0xbc0000 [0057.410] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.410] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5241210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.410] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.417] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5241210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.417] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.418] GetProcessHeap () returned 0xbc0000 [0057.418] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.418] GetProcessHeap () returned 0xbc0000 [0057.418] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.418] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x527e2a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.418] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.453] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x527e2a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.454] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.454] GetProcessHeap () returned 0xbc0000 [0057.454] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.454] GetProcessHeap () returned 0xbc0000 [0057.454] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.454] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x52bb330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.454] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.461] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x52bb330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.461] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.462] GetProcessHeap () returned 0xbc0000 [0057.462] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.462] GetProcessHeap () returned 0xbc0000 [0057.462] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.462] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x52f83c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.462] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.565] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x52f83c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.565] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.566] GetProcessHeap () returned 0xbc0000 [0057.566] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.566] GetProcessHeap () returned 0xbc0000 [0057.566] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.566] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5335450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.566] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.573] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5335450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.574] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.574] GetProcessHeap () returned 0xbc0000 [0057.620] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.620] GetProcessHeap () returned 0xbc0000 [0057.621] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.621] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53724e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.621] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.633] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53724e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.633] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.634] GetProcessHeap () returned 0xbc0000 [0057.634] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.634] GetProcessHeap () returned 0xbc0000 [0057.634] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.634] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53af570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.634] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.643] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53af570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.643] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.644] GetProcessHeap () returned 0xbc0000 [0057.644] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.644] GetProcessHeap () returned 0xbc0000 [0057.644] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.644] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53ec600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.644] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.682] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x53ec600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.682] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.683] GetProcessHeap () returned 0xbc0000 [0057.683] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.683] GetProcessHeap () returned 0xbc0000 [0057.683] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.683] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5429690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.683] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.691] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5429690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.691] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.691] GetProcessHeap () returned 0xbc0000 [0057.691] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.691] GetProcessHeap () returned 0xbc0000 [0057.691] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.691] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5466720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.691] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.779] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5466720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.779] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.780] GetProcessHeap () returned 0xbc0000 [0057.780] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.780] GetProcessHeap () returned 0xbc0000 [0057.780] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.780] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x54a37b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.780] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.786] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x54a37b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.786] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.787] GetProcessHeap () returned 0xbc0000 [0057.787] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.787] GetProcessHeap () returned 0xbc0000 [0057.787] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.787] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x54e0840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.787] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.794] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x54e0840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.794] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.795] GetProcessHeap () returned 0xbc0000 [0057.795] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.795] GetProcessHeap () returned 0xbc0000 [0057.795] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.795] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x551d8d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.795] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.869] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x551d8d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.869] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.870] GetProcessHeap () returned 0xbc0000 [0057.870] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.870] GetProcessHeap () returned 0xbc0000 [0057.870] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.870] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x555a960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.870] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.966] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x555a960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.966] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.966] GetProcessHeap () returned 0xbc0000 [0057.966] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.966] GetProcessHeap () returned 0xbc0000 [0057.967] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.967] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x55979f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.967] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.974] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x55979f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.974] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.974] GetProcessHeap () returned 0xbc0000 [0057.974] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.974] GetProcessHeap () returned 0xbc0000 [0057.974] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.974] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x55d4a80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.974] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0057.982] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x55d4a80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.982] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0057.982] GetProcessHeap () returned 0xbc0000 [0057.982] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0057.982] GetProcessHeap () returned 0xbc0000 [0057.982] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0057.982] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5611b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0057.982] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.033] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5611b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.033] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.033] GetProcessHeap () returned 0xbc0000 [0058.033] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.033] GetProcessHeap () returned 0xbc0000 [0058.033] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.033] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x564eba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.033] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.095] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x564eba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.095] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.096] GetProcessHeap () returned 0xbc0000 [0058.096] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.096] GetProcessHeap () returned 0xbc0000 [0058.096] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.096] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x568bc30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.096] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.103] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x568bc30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.103] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.104] GetProcessHeap () returned 0xbc0000 [0058.104] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.104] GetProcessHeap () returned 0xbc0000 [0058.104] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.104] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x56c8cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.104] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.111] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x56c8cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.111] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.111] GetProcessHeap () returned 0xbc0000 [0058.111] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.111] GetProcessHeap () returned 0xbc0000 [0058.111] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.111] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5705d50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.111] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.175] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5705d50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.175] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.175] GetProcessHeap () returned 0xbc0000 [0058.175] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.175] GetProcessHeap () returned 0xbc0000 [0058.175] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.175] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5742de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.175] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.182] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5742de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.182] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.183] GetProcessHeap () returned 0xbc0000 [0058.183] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.183] GetProcessHeap () returned 0xbc0000 [0058.183] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.183] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x577fe70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.183] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.283] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x577fe70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.283] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.284] GetProcessHeap () returned 0xbc0000 [0058.284] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.284] GetProcessHeap () returned 0xbc0000 [0058.284] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.284] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x57bcf00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.284] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.291] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x57bcf00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.291] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.292] GetProcessHeap () returned 0xbc0000 [0058.292] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.292] GetProcessHeap () returned 0xbc0000 [0058.292] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.292] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x57f9f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.292] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.377] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x57f9f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.377] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.378] GetProcessHeap () returned 0xbc0000 [0058.378] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.378] GetProcessHeap () returned 0xbc0000 [0058.378] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.378] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5837020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.378] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.385] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5837020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.385] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.386] GetProcessHeap () returned 0xbc0000 [0058.386] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.386] GetProcessHeap () returned 0xbc0000 [0058.386] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.386] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x58740b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.386] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.455] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x58740b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.455] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.455] GetProcessHeap () returned 0xbc0000 [0058.456] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.456] GetProcessHeap () returned 0xbc0000 [0058.456] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.456] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x58b1140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.456] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.463] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x58b1140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.463] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.463] GetProcessHeap () returned 0xbc0000 [0058.463] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.463] GetProcessHeap () returned 0xbc0000 [0058.463] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.463] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x58ee1d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.463] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.523] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x58ee1d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.523] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.524] GetProcessHeap () returned 0xbc0000 [0058.524] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.524] GetProcessHeap () returned 0xbc0000 [0058.524] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.524] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x592b260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.524] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.532] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x592b260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.532] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.532] GetProcessHeap () returned 0xbc0000 [0058.532] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.532] GetProcessHeap () returned 0xbc0000 [0058.532] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.532] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x59682f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.532] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.586] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x59682f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.586] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.586] GetProcessHeap () returned 0xbc0000 [0058.586] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.586] GetProcessHeap () returned 0xbc0000 [0058.586] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.586] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x59a5380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.586] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.594] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x59a5380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.594] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.594] GetProcessHeap () returned 0xbc0000 [0058.594] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.594] GetProcessHeap () returned 0xbc0000 [0058.594] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.594] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x59e2410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.594] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.701] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x59e2410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.701] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.702] GetProcessHeap () returned 0xbc0000 [0058.702] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.702] GetProcessHeap () returned 0xbc0000 [0058.702] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.702] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5a1f4a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.702] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.709] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5a1f4a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.710] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.710] GetProcessHeap () returned 0xbc0000 [0058.710] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.710] GetProcessHeap () returned 0xbc0000 [0058.710] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.710] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5a5c530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.710] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.761] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5a5c530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.762] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.762] GetProcessHeap () returned 0xbc0000 [0058.763] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.763] GetProcessHeap () returned 0xbc0000 [0058.763] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.763] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5a995c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.763] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.775] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5a995c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.775] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.776] GetProcessHeap () returned 0xbc0000 [0058.776] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.776] GetProcessHeap () returned 0xbc0000 [0058.776] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.776] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5ad6650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.776] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.788] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5ad6650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.788] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.788] GetProcessHeap () returned 0xbc0000 [0058.788] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.788] GetProcessHeap () returned 0xbc0000 [0058.789] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.789] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b136e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.789] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.852] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b136e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.852] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.852] GetProcessHeap () returned 0xbc0000 [0058.852] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.852] GetProcessHeap () returned 0xbc0000 [0058.852] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.852] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b50770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.852] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.898] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b50770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.898] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.899] GetProcessHeap () returned 0xbc0000 [0058.899] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.899] GetProcessHeap () returned 0xbc0000 [0058.899] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.899] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b8d800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.899] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.906] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5b8d800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.906] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.907] GetProcessHeap () returned 0xbc0000 [0058.907] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.907] GetProcessHeap () returned 0xbc0000 [0058.907] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.907] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5bca890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.907] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0058.914] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5bca890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.914] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0058.915] GetProcessHeap () returned 0xbc0000 [0058.915] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0058.915] GetProcessHeap () returned 0xbc0000 [0058.915] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0058.915] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5c07920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0058.915] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.086] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5c07920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.086] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.086] GetProcessHeap () returned 0xbc0000 [0059.086] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.086] GetProcessHeap () returned 0xbc0000 [0059.086] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.086] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5c449b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.087] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.133] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5c449b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.133] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.133] GetProcessHeap () returned 0xbc0000 [0059.133] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.133] GetProcessHeap () returned 0xbc0000 [0059.133] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.133] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5c81a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.133] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.141] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5c81a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.141] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.141] GetProcessHeap () returned 0xbc0000 [0059.141] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.141] GetProcessHeap () returned 0xbc0000 [0059.141] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.142] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5cbead0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.142] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.149] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5cbead0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.149] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.149] GetProcessHeap () returned 0xbc0000 [0059.149] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.149] GetProcessHeap () returned 0xbc0000 [0059.149] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.149] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5cfbb60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.149] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.268] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5cfbb60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.268] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.269] GetProcessHeap () returned 0xbc0000 [0059.269] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.269] GetProcessHeap () returned 0xbc0000 [0059.269] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.269] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5d38bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.269] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.348] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5d38bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.348] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.348] GetProcessHeap () returned 0xbc0000 [0059.348] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.348] GetProcessHeap () returned 0xbc0000 [0059.348] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.349] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5d75c80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.349] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.356] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5d75c80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.356] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.356] GetProcessHeap () returned 0xbc0000 [0059.356] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.356] GetProcessHeap () returned 0xbc0000 [0059.356] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.356] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5db2d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.356] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.364] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5db2d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.364] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.364] GetProcessHeap () returned 0xbc0000 [0059.364] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.364] GetProcessHeap () returned 0xbc0000 [0059.364] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.364] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5defda0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.364] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.414] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5defda0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.414] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.415] GetProcessHeap () returned 0xbc0000 [0059.415] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.415] GetProcessHeap () returned 0xbc0000 [0059.415] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.415] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5e2ce30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.415] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.477] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5e2ce30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.477] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.477] GetProcessHeap () returned 0xbc0000 [0059.477] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.477] GetProcessHeap () returned 0xbc0000 [0059.477] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.477] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5e69ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.478] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.485] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5e69ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.485] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.485] GetProcessHeap () returned 0xbc0000 [0059.485] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.485] GetProcessHeap () returned 0xbc0000 [0059.485] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.485] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5ea6f50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.485] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.492] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5ea6f50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.493] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.493] GetProcessHeap () returned 0xbc0000 [0059.493] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.493] GetProcessHeap () returned 0xbc0000 [0059.493] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.493] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5ee3fe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.493] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.557] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5ee3fe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.557] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.558] GetProcessHeap () returned 0xbc0000 [0059.558] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.558] GetProcessHeap () returned 0xbc0000 [0059.558] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.559] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f21070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.559] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.651] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f21070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.651] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.652] GetProcessHeap () returned 0xbc0000 [0059.652] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.652] GetProcessHeap () returned 0xbc0000 [0059.652] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.652] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f5e100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.653] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.660] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f5e100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.660] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.660] GetProcessHeap () returned 0xbc0000 [0059.660] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.660] GetProcessHeap () returned 0xbc0000 [0059.660] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.660] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f9b190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.661] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.668] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5f9b190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.668] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.668] GetProcessHeap () returned 0xbc0000 [0059.668] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.668] GetProcessHeap () returned 0xbc0000 [0059.668] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.668] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5fd8220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.668] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.676] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5fd8220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.676] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.676] GetProcessHeap () returned 0xbc0000 [0059.676] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.676] GetProcessHeap () returned 0xbc0000 [0059.676] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.676] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x60152b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.676] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.742] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x60152b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.742] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.743] GetProcessHeap () returned 0xbc0000 [0059.743] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.743] GetProcessHeap () returned 0xbc0000 [0059.743] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.743] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6052340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.743] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.750] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6052340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.750] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.750] GetProcessHeap () returned 0xbc0000 [0059.750] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.750] GetProcessHeap () returned 0xbc0000 [0059.750] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.750] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x608f3d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.750] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.758] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x608f3d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.758] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.758] GetProcessHeap () returned 0xbc0000 [0059.758] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.758] GetProcessHeap () returned 0xbc0000 [0059.758] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.758] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x60cc460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.758] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.765] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x60cc460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.765] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.765] GetProcessHeap () returned 0xbc0000 [0059.765] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.765] GetProcessHeap () returned 0xbc0000 [0059.765] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.765] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x61094f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.766] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.827] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x61094f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.827] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.827] GetProcessHeap () returned 0xbc0000 [0059.827] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.827] GetProcessHeap () returned 0xbc0000 [0059.827] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.828] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6146580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.828] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0059.992] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6146580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.992] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0059.992] GetProcessHeap () returned 0xbc0000 [0059.992] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0059.992] GetProcessHeap () returned 0xbc0000 [0059.993] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0059.993] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6183610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0059.993] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.000] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6183610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.000] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.000] GetProcessHeap () returned 0xbc0000 [0060.000] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.000] GetProcessHeap () returned 0xbc0000 [0060.000] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.000] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x61c06a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.000] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.008] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x61c06a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.008] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.009] GetProcessHeap () returned 0xbc0000 [0060.009] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.009] GetProcessHeap () returned 0xbc0000 [0060.009] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.009] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x61fd730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.009] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.098] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x61fd730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.099] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.100] GetProcessHeap () returned 0xbc0000 [0060.100] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.100] GetProcessHeap () returned 0xbc0000 [0060.100] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.100] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x623a7c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.101] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.148] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x623a7c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.148] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.149] GetProcessHeap () returned 0xbc0000 [0060.149] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.149] GetProcessHeap () returned 0xbc0000 [0060.149] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.149] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6277850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.149] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.156] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6277850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.156] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.157] GetProcessHeap () returned 0xbc0000 [0060.157] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.157] GetProcessHeap () returned 0xbc0000 [0060.157] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.157] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x62b48e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.157] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.164] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x62b48e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.164] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.165] GetProcessHeap () returned 0xbc0000 [0060.165] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.165] GetProcessHeap () returned 0xbc0000 [0060.165] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.165] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x62f1970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.165] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.343] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x62f1970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.343] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.344] GetProcessHeap () returned 0xbc0000 [0060.345] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.345] GetProcessHeap () returned 0xbc0000 [0060.345] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.345] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x632ea00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.345] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.355] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x632ea00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.355] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.355] GetProcessHeap () returned 0xbc0000 [0060.355] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.355] GetProcessHeap () returned 0xbc0000 [0060.355] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.355] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x636ba90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.355] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.363] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x636ba90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.363] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.363] GetProcessHeap () returned 0xbc0000 [0060.363] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.363] GetProcessHeap () returned 0xbc0000 [0060.363] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.363] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x63a8b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.363] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.371] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x63a8b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.371] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.371] GetProcessHeap () returned 0xbc0000 [0060.371] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.371] GetProcessHeap () returned 0xbc0000 [0060.371] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.371] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x63e5bb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.371] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.429] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x63e5bb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.430] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.431] GetProcessHeap () returned 0xbc0000 [0060.431] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.431] GetProcessHeap () returned 0xbc0000 [0060.431] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.431] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6422c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.431] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.476] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6422c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.477] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.477] GetProcessHeap () returned 0xbc0000 [0060.477] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.477] GetProcessHeap () returned 0xbc0000 [0060.477] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.477] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x645fcd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.477] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.483] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x645fcd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.483] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.483] GetProcessHeap () returned 0xbc0000 [0060.483] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.483] GetProcessHeap () returned 0xbc0000 [0060.484] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.484] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x649cd60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.484] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.923] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x649cd60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.923] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.924] GetProcessHeap () returned 0xbc0000 [0060.924] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.924] GetProcessHeap () returned 0xbc0000 [0060.924] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.924] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x64d9df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.924] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.932] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x64d9df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.932] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.932] GetProcessHeap () returned 0xbc0000 [0060.933] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.933] GetProcessHeap () returned 0xbc0000 [0060.933] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.933] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6516e80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.933] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.946] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6516e80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.946] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.947] GetProcessHeap () returned 0xbc0000 [0060.947] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.947] GetProcessHeap () returned 0xbc0000 [0060.947] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.947] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6553f10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.947] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0060.953] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6553f10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.953] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0060.953] GetProcessHeap () returned 0xbc0000 [0060.953] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0060.953] GetProcessHeap () returned 0xbc0000 [0060.953] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0060.953] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6590fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0060.953] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.009] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6590fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.009] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.010] GetProcessHeap () returned 0xbc0000 [0061.010] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.010] GetProcessHeap () returned 0xbc0000 [0061.010] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.010] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x65ce030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.010] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.065] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x65ce030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.065] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.066] GetProcessHeap () returned 0xbc0000 [0061.066] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.066] GetProcessHeap () returned 0xbc0000 [0061.066] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.066] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x660b0c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.066] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.077] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x660b0c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.077] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.078] GetProcessHeap () returned 0xbc0000 [0061.078] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.078] GetProcessHeap () returned 0xbc0000 [0061.078] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.078] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6648150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.078] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.164] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6648150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.164] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.165] GetProcessHeap () returned 0xbc0000 [0061.165] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.165] GetProcessHeap () returned 0xbc0000 [0061.165] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.165] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66851e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.165] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.249] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66851e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.249] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.249] GetProcessHeap () returned 0xbc0000 [0061.249] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.249] GetProcessHeap () returned 0xbc0000 [0061.249] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.249] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66c2270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.250] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.255] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66c2270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.256] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.256] GetProcessHeap () returned 0xbc0000 [0061.256] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.256] GetProcessHeap () returned 0xbc0000 [0061.256] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.256] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66ff300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.256] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.311] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x66ff300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.311] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.312] GetProcessHeap () returned 0xbc0000 [0061.312] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.312] GetProcessHeap () returned 0xbc0000 [0061.312] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.312] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x673c390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.313] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.368] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x673c390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.368] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.368] GetProcessHeap () returned 0xbc0000 [0061.368] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.368] GetProcessHeap () returned 0xbc0000 [0061.368] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.368] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6779420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.368] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.374] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6779420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.374] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.375] GetProcessHeap () returned 0xbc0000 [0061.375] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.375] GetProcessHeap () returned 0xbc0000 [0061.375] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.375] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x67b64b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.375] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.431] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x67b64b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.431] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.431] GetProcessHeap () returned 0xbc0000 [0061.431] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.431] GetProcessHeap () returned 0xbc0000 [0061.431] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.431] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x67f3540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.431] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.448] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x67f3540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.448] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.449] GetProcessHeap () returned 0xbc0000 [0061.449] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.449] GetProcessHeap () returned 0xbc0000 [0061.449] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.449] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x68305d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.449] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.501] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x68305d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.501] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.501] GetProcessHeap () returned 0xbc0000 [0061.501] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.501] GetProcessHeap () returned 0xbc0000 [0061.501] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.501] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x686d660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.501] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.555] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x686d660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.555] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.556] GetProcessHeap () returned 0xbc0000 [0061.556] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.556] GetProcessHeap () returned 0xbc0000 [0061.556] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.556] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x68aa6f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.556] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.563] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x68aa6f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.563] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.564] GetProcessHeap () returned 0xbc0000 [0061.564] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.564] GetProcessHeap () returned 0xbc0000 [0061.564] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.564] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x68e7780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.564] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.620] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x68e7780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.620] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.621] GetProcessHeap () returned 0xbc0000 [0061.621] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.621] GetProcessHeap () returned 0xbc0000 [0061.621] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.621] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6924810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.621] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.666] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6924810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.666] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.666] GetProcessHeap () returned 0xbc0000 [0061.666] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.666] GetProcessHeap () returned 0xbc0000 [0061.666] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.667] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x69618a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.667] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.675] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x69618a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.675] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.675] GetProcessHeap () returned 0xbc0000 [0061.675] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.675] GetProcessHeap () returned 0xbc0000 [0061.675] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.676] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x699e930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.676] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.682] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x699e930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.682] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.682] GetProcessHeap () returned 0xbc0000 [0061.682] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.682] GetProcessHeap () returned 0xbc0000 [0061.682] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.682] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x69db9c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.682] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.740] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x69db9c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.740] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.741] GetProcessHeap () returned 0xbc0000 [0061.741] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.741] GetProcessHeap () returned 0xbc0000 [0061.741] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.741] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6a18a50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.741] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.801] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6a18a50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.802] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.802] GetProcessHeap () returned 0xbc0000 [0061.802] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.802] GetProcessHeap () returned 0xbc0000 [0061.802] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.802] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6a55ae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.802] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.808] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6a55ae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.808] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.808] GetProcessHeap () returned 0xbc0000 [0061.808] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.808] GetProcessHeap () returned 0xbc0000 [0061.809] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.809] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6a92b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.809] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.900] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6a92b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.900] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.900] GetProcessHeap () returned 0xbc0000 [0061.900] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.900] GetProcessHeap () returned 0xbc0000 [0061.900] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.900] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6acfc00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.900] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.946] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6acfc00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.946] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.946] GetProcessHeap () returned 0xbc0000 [0061.946] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.946] GetProcessHeap () returned 0xbc0000 [0061.946] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.947] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6b0cc90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.947] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0061.958] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6b0cc90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.958] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0061.958] GetProcessHeap () returned 0xbc0000 [0061.958] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0061.958] GetProcessHeap () returned 0xbc0000 [0061.958] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0061.959] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6b49d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0061.959] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.009] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6b49d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.009] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.088] GetProcessHeap () returned 0xbc0000 [0062.088] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.088] GetProcessHeap () returned 0xbc0000 [0062.088] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.088] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6b86db0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.088] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.094] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6b86db0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.094] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.094] GetProcessHeap () returned 0xbc0000 [0062.094] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.094] GetProcessHeap () returned 0xbc0000 [0062.094] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.094] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6bc3e40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.094] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.151] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6bc3e40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.151] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.151] GetProcessHeap () returned 0xbc0000 [0062.151] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.151] GetProcessHeap () returned 0xbc0000 [0062.151] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.151] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6c00ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.151] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.165] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6c00ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.165] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.166] GetProcessHeap () returned 0xbc0000 [0062.166] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.166] GetProcessHeap () returned 0xbc0000 [0062.166] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.166] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6c3df60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.166] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.174] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6c3df60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.362] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.363] GetProcessHeap () returned 0xbc0000 [0062.363] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.363] GetProcessHeap () returned 0xbc0000 [0062.363] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.363] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6c7aff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.363] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.369] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6c7aff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.369] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.370] GetProcessHeap () returned 0xbc0000 [0062.371] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.371] GetProcessHeap () returned 0xbc0000 [0062.371] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.371] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6cb8080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.371] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.376] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6cb8080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.376] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.377] GetProcessHeap () returned 0xbc0000 [0062.377] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.377] GetProcessHeap () returned 0xbc0000 [0062.377] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.377] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6cf5110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.377] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.438] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6cf5110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.438] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.439] GetProcessHeap () returned 0xbc0000 [0062.439] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.439] GetProcessHeap () returned 0xbc0000 [0062.439] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.439] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6d321a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.439] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.445] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6d321a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.445] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.446] GetProcessHeap () returned 0xbc0000 [0062.446] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.446] GetProcessHeap () returned 0xbc0000 [0062.446] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.446] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6d6f230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.446] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.495] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6d6f230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.495] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.495] GetProcessHeap () returned 0xbc0000 [0062.495] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.495] GetProcessHeap () returned 0xbc0000 [0062.495] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.495] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6dac2c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.496] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.502] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6dac2c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.502] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.503] GetProcessHeap () returned 0xbc0000 [0062.503] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.503] GetProcessHeap () returned 0xbc0000 [0062.503] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.503] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6de9350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.503] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.561] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6de9350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.561] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.562] GetProcessHeap () returned 0xbc0000 [0062.562] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.562] GetProcessHeap () returned 0xbc0000 [0062.562] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.562] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6e263e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.562] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.568] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6e263e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.568] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.568] GetProcessHeap () returned 0xbc0000 [0062.568] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.568] GetProcessHeap () returned 0xbc0000 [0062.568] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.568] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6e63470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.569] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.619] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6e63470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.619] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.620] GetProcessHeap () returned 0xbc0000 [0062.620] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.620] GetProcessHeap () returned 0xbc0000 [0062.620] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.620] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6ea0500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.620] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.668] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6ea0500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.668] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.668] GetProcessHeap () returned 0xbc0000 [0062.668] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.668] GetProcessHeap () returned 0xbc0000 [0062.668] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.668] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6edd590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.668] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.676] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6edd590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.676] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.676] GetProcessHeap () returned 0xbc0000 [0062.676] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.676] GetProcessHeap () returned 0xbc0000 [0062.676] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.676] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6f1a620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.676] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.689] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6f1a620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.689] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.689] GetProcessHeap () returned 0xbc0000 [0062.689] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.689] GetProcessHeap () returned 0xbc0000 [0062.689] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.689] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6f576b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.689] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.744] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6f576b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.745] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.745] GetProcessHeap () returned 0xbc0000 [0062.745] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.745] GetProcessHeap () returned 0xbc0000 [0062.745] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.745] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6f94740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.745] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.753] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6f94740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.753] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.753] GetProcessHeap () returned 0xbc0000 [0062.753] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.753] GetProcessHeap () returned 0xbc0000 [0062.753] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.753] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6fd17d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.753] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.759] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x6fd17d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.759] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.760] GetProcessHeap () returned 0xbc0000 [0062.760] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.760] GetProcessHeap () returned 0xbc0000 [0062.760] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.760] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x700e860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.760] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.821] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x700e860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.821] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.822] GetProcessHeap () returned 0xbc0000 [0062.822] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.822] GetProcessHeap () returned 0xbc0000 [0062.822] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.822] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x704b8f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.822] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.829] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x704b8f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.829] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.829] GetProcessHeap () returned 0xbc0000 [0062.829] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.829] GetProcessHeap () returned 0xbc0000 [0062.829] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.829] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7088980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.829] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.835] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7088980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.835] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.836] GetProcessHeap () returned 0xbc0000 [0062.836] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.836] GetProcessHeap () returned 0xbc0000 [0062.836] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.836] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x70c5a10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.836] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0062.930] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x70c5a10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.930] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0062.931] GetProcessHeap () returned 0xbc0000 [0062.931] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0062.931] GetProcessHeap () returned 0xbc0000 [0062.931] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0062.931] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7102aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0062.931] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.008] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7102aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.008] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.009] GetProcessHeap () returned 0xbc0000 [0063.009] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.009] GetProcessHeap () returned 0xbc0000 [0063.009] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.009] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x713fb30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.009] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.016] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x713fb30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.016] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.016] GetProcessHeap () returned 0xbc0000 [0063.016] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.016] GetProcessHeap () returned 0xbc0000 [0063.016] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.017] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x717cbc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.017] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.024] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x717cbc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.024] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.024] GetProcessHeap () returned 0xbc0000 [0063.024] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.024] GetProcessHeap () returned 0xbc0000 [0063.024] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.024] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x71b9c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.024] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.031] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x71b9c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.032] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.032] GetProcessHeap () returned 0xbc0000 [0063.032] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.032] GetProcessHeap () returned 0xbc0000 [0063.032] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.032] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x71f6ce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.032] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.093] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x71f6ce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.093] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.094] GetProcessHeap () returned 0xbc0000 [0063.094] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.094] GetProcessHeap () returned 0xbc0000 [0063.094] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.094] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7233d70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.094] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.102] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7233d70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.102] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.103] GetProcessHeap () returned 0xbc0000 [0063.103] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.103] GetProcessHeap () returned 0xbc0000 [0063.103] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.103] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7270e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.103] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.110] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7270e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.110] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.110] GetProcessHeap () returned 0xbc0000 [0063.110] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.110] GetProcessHeap () returned 0xbc0000 [0063.110] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.110] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x72ade90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.110] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.117] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x72ade90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.117] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.118] GetProcessHeap () returned 0xbc0000 [0063.118] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.118] GetProcessHeap () returned 0xbc0000 [0063.118] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.118] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x72eaf20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.118] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.164] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x72eaf20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.164] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.166] GetProcessHeap () returned 0xbc0000 [0063.166] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.166] GetProcessHeap () returned 0xbc0000 [0063.166] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.166] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7327fb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.166] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.173] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7327fb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.173] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.173] GetProcessHeap () returned 0xbc0000 [0063.173] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.173] GetProcessHeap () returned 0xbc0000 [0063.173] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.173] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7365040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.173] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.180] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7365040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.180] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.181] GetProcessHeap () returned 0xbc0000 [0063.181] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.181] GetProcessHeap () returned 0xbc0000 [0063.181] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.181] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x73a20d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.181] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.187] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x73a20d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.187] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.188] GetProcessHeap () returned 0xbc0000 [0063.188] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.188] GetProcessHeap () returned 0xbc0000 [0063.188] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.188] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x73df160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.188] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.322] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x73df160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.322] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.322] GetProcessHeap () returned 0xbc0000 [0063.322] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.322] GetProcessHeap () returned 0xbc0000 [0063.322] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.322] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x741c1f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.322] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.385] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x741c1f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.385] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.385] GetProcessHeap () returned 0xbc0000 [0063.385] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.385] GetProcessHeap () returned 0xbc0000 [0063.385] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.385] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7459280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.385] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.476] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7459280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.476] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.476] GetProcessHeap () returned 0xbc0000 [0063.476] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.477] GetProcessHeap () returned 0xbc0000 [0063.477] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.477] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7496310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.477] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.484] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7496310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.484] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.484] GetProcessHeap () returned 0xbc0000 [0063.484] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.484] GetProcessHeap () returned 0xbc0000 [0063.484] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.484] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x74d33a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.484] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.540] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x74d33a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.540] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.540] GetProcessHeap () returned 0xbc0000 [0063.540] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.540] GetProcessHeap () returned 0xbc0000 [0063.540] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.540] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7510430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.540] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.601] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7510430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.601] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.602] GetProcessHeap () returned 0xbc0000 [0063.602] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.602] GetProcessHeap () returned 0xbc0000 [0063.602] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.602] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x754d4c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.602] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.609] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x754d4c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.609] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.610] GetProcessHeap () returned 0xbc0000 [0063.610] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.610] GetProcessHeap () returned 0xbc0000 [0063.610] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.610] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x758a550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.610] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.618] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x758a550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.618] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.619] GetProcessHeap () returned 0xbc0000 [0063.619] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.619] GetProcessHeap () returned 0xbc0000 [0063.619] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.619] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x75c75e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.619] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.702] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x75c75e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.702] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.703] GetProcessHeap () returned 0xbc0000 [0063.703] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.703] GetProcessHeap () returned 0xbc0000 [0063.703] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.703] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7604670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.703] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.792] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7604670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.792] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.792] GetProcessHeap () returned 0xbc0000 [0063.792] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.792] GetProcessHeap () returned 0xbc0000 [0063.792] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.792] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7641700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.792] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.800] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7641700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.800] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.801] GetProcessHeap () returned 0xbc0000 [0063.801] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.801] GetProcessHeap () returned 0xbc0000 [0063.801] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.801] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x767e790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.801] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.808] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x767e790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.808] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.808] GetProcessHeap () returned 0xbc0000 [0063.808] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.808] GetProcessHeap () returned 0xbc0000 [0063.808] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.808] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x76bb820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.808] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.883] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x76bb820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.883] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.884] GetProcessHeap () returned 0xbc0000 [0063.884] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.884] GetProcessHeap () returned 0xbc0000 [0063.884] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.884] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x76f88b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.884] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.949] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x76f88b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.949] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.950] GetProcessHeap () returned 0xbc0000 [0063.950] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.950] GetProcessHeap () returned 0xbc0000 [0063.950] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.950] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7735940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.950] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.957] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7735940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.957] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.958] GetProcessHeap () returned 0xbc0000 [0063.958] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.958] GetProcessHeap () returned 0xbc0000 [0063.958] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.958] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x77729d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.958] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0063.964] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x77729d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.965] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0063.965] GetProcessHeap () returned 0xbc0000 [0063.965] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0063.965] GetProcessHeap () returned 0xbc0000 [0063.965] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0063.965] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x77afa60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0063.965] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.056] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x77afa60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.056] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.057] GetProcessHeap () returned 0xbc0000 [0064.057] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.057] GetProcessHeap () returned 0xbc0000 [0064.057] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.057] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x77ecaf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.057] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.114] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x77ecaf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.114] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.115] GetProcessHeap () returned 0xbc0000 [0064.116] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.116] GetProcessHeap () returned 0xbc0000 [0064.116] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.116] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7829b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.116] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.123] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7829b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.123] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.123] GetProcessHeap () returned 0xbc0000 [0064.123] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.123] GetProcessHeap () returned 0xbc0000 [0064.123] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.123] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7866c10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.123] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.130] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7866c10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.130] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.131] GetProcessHeap () returned 0xbc0000 [0064.131] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.131] GetProcessHeap () returned 0xbc0000 [0064.131] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.131] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x78a3ca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.131] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.182] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x78a3ca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.182] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.182] GetProcessHeap () returned 0xbc0000 [0064.182] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.182] GetProcessHeap () returned 0xbc0000 [0064.182] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.182] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x78e0d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.182] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.189] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x78e0d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.189] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.190] GetProcessHeap () returned 0xbc0000 [0064.190] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.190] GetProcessHeap () returned 0xbc0000 [0064.190] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.190] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x791ddc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.190] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.278] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x791ddc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.278] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.278] GetProcessHeap () returned 0xbc0000 [0064.278] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.278] GetProcessHeap () returned 0xbc0000 [0064.278] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.278] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x795ae50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.278] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.285] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x795ae50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.285] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.285] GetProcessHeap () returned 0xbc0000 [0064.285] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.285] GetProcessHeap () returned 0xbc0000 [0064.285] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.286] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7997ee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.286] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.292] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7997ee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.292] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.293] GetProcessHeap () returned 0xbc0000 [0064.293] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.293] GetProcessHeap () returned 0xbc0000 [0064.293] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.293] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x79d4f70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.293] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.383] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x79d4f70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.383] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.383] GetProcessHeap () returned 0xbc0000 [0064.383] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.383] GetProcessHeap () returned 0xbc0000 [0064.383] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.383] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a12000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.384] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.528] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a12000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.528] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.528] GetProcessHeap () returned 0xbc0000 [0064.528] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.528] GetProcessHeap () returned 0xbc0000 [0064.528] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.528] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a4f090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.529] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.535] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a4f090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.535] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.536] GetProcessHeap () returned 0xbc0000 [0064.536] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.536] GetProcessHeap () returned 0xbc0000 [0064.536] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.536] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a8c120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.536] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.543] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7a8c120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.543] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.543] GetProcessHeap () returned 0xbc0000 [0064.543] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.543] GetProcessHeap () returned 0xbc0000 [0064.543] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.543] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7ac91b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.543] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.676] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7ac91b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.677] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.677] GetProcessHeap () returned 0xbc0000 [0064.677] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.677] GetProcessHeap () returned 0xbc0000 [0064.677] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.677] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7b06240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.677] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.734] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7b06240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.734] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.735] GetProcessHeap () returned 0xbc0000 [0064.735] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.735] GetProcessHeap () returned 0xbc0000 [0064.735] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.735] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7b432d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.735] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.742] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7b432d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.742] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.742] GetProcessHeap () returned 0xbc0000 [0064.742] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.742] GetProcessHeap () returned 0xbc0000 [0064.742] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.742] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7b80360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.742] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.749] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7b80360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.750] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.750] GetProcessHeap () returned 0xbc0000 [0064.750] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.750] GetProcessHeap () returned 0xbc0000 [0064.750] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.750] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7bbd3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.750] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.757] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7bbd3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.757] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.758] GetProcessHeap () returned 0xbc0000 [0064.758] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.758] GetProcessHeap () returned 0xbc0000 [0064.758] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.758] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7bfa480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.758] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.799] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7bfa480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.799] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.802] GetProcessHeap () returned 0xbc0000 [0064.802] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.802] GetProcessHeap () returned 0xbc0000 [0064.802] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.802] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7c37510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.802] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.809] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7c37510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.809] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.809] GetProcessHeap () returned 0xbc0000 [0064.809] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.809] GetProcessHeap () returned 0xbc0000 [0064.809] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.809] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7c745a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.809] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.817] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7c745a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.817] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.817] GetProcessHeap () returned 0xbc0000 [0064.817] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.817] GetProcessHeap () returned 0xbc0000 [0064.817] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.817] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7cb1630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.817] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.824] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7cb1630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.824] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.824] GetProcessHeap () returned 0xbc0000 [0064.824] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.824] GetProcessHeap () returned 0xbc0000 [0064.825] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.825] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7cee6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.825] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.874] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7cee6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.874] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.875] GetProcessHeap () returned 0xbc0000 [0064.875] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.875] GetProcessHeap () returned 0xbc0000 [0064.875] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.875] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7d2b750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.875] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.883] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7d2b750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.883] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.883] GetProcessHeap () returned 0xbc0000 [0064.883] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.883] GetProcessHeap () returned 0xbc0000 [0064.883] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.883] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7d687e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.883] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.890] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7d687e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.890] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.891] GetProcessHeap () returned 0xbc0000 [0064.891] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.891] GetProcessHeap () returned 0xbc0000 [0064.891] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.891] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7da5870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.891] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.899] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7da5870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.899] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.899] GetProcessHeap () returned 0xbc0000 [0064.899] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.899] GetProcessHeap () returned 0xbc0000 [0064.899] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.899] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7de2900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.899] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.926] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7de2900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.926] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.927] GetProcessHeap () returned 0xbc0000 [0064.927] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.927] GetProcessHeap () returned 0xbc0000 [0064.927] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.927] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7e1f990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.927] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.934] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7e1f990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.934] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.935] GetProcessHeap () returned 0xbc0000 [0064.935] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.935] GetProcessHeap () returned 0xbc0000 [0064.935] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.935] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7e5ca20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.935] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.942] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7e5ca20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.942] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.942] GetProcessHeap () returned 0xbc0000 [0064.942] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.942] GetProcessHeap () returned 0xbc0000 [0064.942] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.942] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7e99ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.942] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.949] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7e99ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.949] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.950] GetProcessHeap () returned 0xbc0000 [0064.950] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.950] GetProcessHeap () returned 0xbc0000 [0064.950] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.950] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7ed6b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.950] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0064.980] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7ed6b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.980] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0064.980] GetProcessHeap () returned 0xbc0000 [0064.980] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0064.980] GetProcessHeap () returned 0xbc0000 [0064.980] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0064.981] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7f13bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0064.981] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.004] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7f13bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.004] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.004] GetProcessHeap () returned 0xbc0000 [0065.004] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.004] GetProcessHeap () returned 0xbc0000 [0065.004] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.004] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7f50c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.004] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.011] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7f50c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.011] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.012] GetProcessHeap () returned 0xbc0000 [0065.012] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.012] GetProcessHeap () returned 0xbc0000 [0065.012] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.012] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7f8dcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.012] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.018] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7f8dcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.018] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.019] GetProcessHeap () returned 0xbc0000 [0065.019] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.019] GetProcessHeap () returned 0xbc0000 [0065.019] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.019] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7fcad80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.019] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.034] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x7fcad80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.034] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.034] GetProcessHeap () returned 0xbc0000 [0065.035] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.035] GetProcessHeap () returned 0xbc0000 [0065.035] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.035] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8007e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.035] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.051] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8007e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.051] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.051] GetProcessHeap () returned 0xbc0000 [0065.051] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.052] GetProcessHeap () returned 0xbc0000 [0065.052] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.052] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8044ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.052] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.058] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8044ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.058] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.059] GetProcessHeap () returned 0xbc0000 [0065.059] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.059] GetProcessHeap () returned 0xbc0000 [0065.059] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.059] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8081f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.059] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.065] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8081f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.066] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.066] GetProcessHeap () returned 0xbc0000 [0065.066] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.066] GetProcessHeap () returned 0xbc0000 [0065.066] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.066] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x80befc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.066] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.073] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x80befc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.073] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.091] GetProcessHeap () returned 0xbc0000 [0065.091] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.097] GetProcessHeap () returned 0xbc0000 [0065.097] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.097] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x80fc050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.097] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.149] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x80fc050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.149] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.151] GetProcessHeap () returned 0xbc0000 [0065.151] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.151] GetProcessHeap () returned 0xbc0000 [0065.151] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.151] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81390e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.151] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.158] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81390e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.158] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.158] GetProcessHeap () returned 0xbc0000 [0065.158] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.158] GetProcessHeap () returned 0xbc0000 [0065.158] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.158] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8176170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.158] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.165] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8176170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.165] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.166] GetProcessHeap () returned 0xbc0000 [0065.166] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.166] GetProcessHeap () returned 0xbc0000 [0065.166] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.166] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81b3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.166] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.173] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81b3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.173] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.174] GetProcessHeap () returned 0xbc0000 [0065.174] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.174] GetProcessHeap () returned 0xbc0000 [0065.174] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.174] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81f0290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.174] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.275] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x81f0290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.275] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.276] GetProcessHeap () returned 0xbc0000 [0065.276] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.276] GetProcessHeap () returned 0xbc0000 [0065.276] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.276] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x822d320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.276] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.283] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x822d320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.283] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.283] GetProcessHeap () returned 0xbc0000 [0065.283] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.283] GetProcessHeap () returned 0xbc0000 [0065.283] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.283] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x826a3b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.283] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.291] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x826a3b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.291] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.291] GetProcessHeap () returned 0xbc0000 [0065.291] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.291] GetProcessHeap () returned 0xbc0000 [0065.291] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.291] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x82a7440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.291] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.299] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x82a7440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.299] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.360] GetProcessHeap () returned 0xbc0000 [0065.360] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.360] GetProcessHeap () returned 0xbc0000 [0065.360] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.360] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x82e44d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.360] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.431] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x82e44d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.431] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.432] GetProcessHeap () returned 0xbc0000 [0065.432] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.432] GetProcessHeap () returned 0xbc0000 [0065.432] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.432] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8321560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.432] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.439] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8321560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.439] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.440] GetProcessHeap () returned 0xbc0000 [0065.440] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.440] GetProcessHeap () returned 0xbc0000 [0065.440] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.440] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x835e5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.440] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.447] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x835e5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.447] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.447] GetProcessHeap () returned 0xbc0000 [0065.447] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.447] GetProcessHeap () returned 0xbc0000 [0065.447] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.447] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x839b680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.447] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.454] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x839b680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.454] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.455] GetProcessHeap () returned 0xbc0000 [0065.455] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.455] GetProcessHeap () returned 0xbc0000 [0065.455] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.455] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x83d8710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.455] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.509] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x83d8710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.509] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.510] GetProcessHeap () returned 0xbc0000 [0065.510] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.510] GetProcessHeap () returned 0xbc0000 [0065.510] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.510] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x84157a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.510] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.571] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x84157a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.571] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.572] GetProcessHeap () returned 0xbc0000 [0065.572] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.572] GetProcessHeap () returned 0xbc0000 [0065.572] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.572] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8452830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.572] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.579] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8452830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.579] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.579] GetProcessHeap () returned 0xbc0000 [0065.579] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.579] GetProcessHeap () returned 0xbc0000 [0065.579] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.579] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x848f8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.579] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.586] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x848f8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.586] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.587] GetProcessHeap () returned 0xbc0000 [0065.587] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.587] GetProcessHeap () returned 0xbc0000 [0065.587] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.587] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x84cc950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.587] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.650] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x84cc950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.650] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.650] GetProcessHeap () returned 0xbc0000 [0065.650] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.650] GetProcessHeap () returned 0xbc0000 [0065.650] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.651] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x85099e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.651] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.712] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x85099e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.712] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.713] GetProcessHeap () returned 0xbc0000 [0065.713] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.713] GetProcessHeap () returned 0xbc0000 [0065.713] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.713] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8546a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.713] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.720] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8546a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.720] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.721] GetProcessHeap () returned 0xbc0000 [0065.721] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.721] GetProcessHeap () returned 0xbc0000 [0065.721] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.721] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8583b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.721] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.728] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8583b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.728] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.728] GetProcessHeap () returned 0xbc0000 [0065.728] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.728] GetProcessHeap () returned 0xbc0000 [0065.728] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.728] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x85c0b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.728] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.736] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x85c0b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.736] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.736] GetProcessHeap () returned 0xbc0000 [0065.736] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.736] GetProcessHeap () returned 0xbc0000 [0065.736] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.736] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x85fdc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.736] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.823] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x85fdc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.823] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.824] GetProcessHeap () returned 0xbc0000 [0065.824] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.824] GetProcessHeap () returned 0xbc0000 [0065.824] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.824] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x863acb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.824] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.832] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x863acb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.832] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.832] GetProcessHeap () returned 0xbc0000 [0065.832] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.832] GetProcessHeap () returned 0xbc0000 [0065.832] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.832] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8677d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.832] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.839] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8677d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.839] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.840] GetProcessHeap () returned 0xbc0000 [0065.840] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.840] GetProcessHeap () returned 0xbc0000 [0065.840] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.840] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x86b4dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.840] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.847] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x86b4dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.847] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.847] GetProcessHeap () returned 0xbc0000 [0065.847] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.847] GetProcessHeap () returned 0xbc0000 [0065.847] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.847] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x86f1e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.847] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.918] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x86f1e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.918] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.919] GetProcessHeap () returned 0xbc0000 [0065.919] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.919] GetProcessHeap () returned 0xbc0000 [0065.919] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.919] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x872eef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.919] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.926] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x872eef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.926] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.926] GetProcessHeap () returned 0xbc0000 [0065.926] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.926] GetProcessHeap () returned 0xbc0000 [0065.926] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.926] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x876bf80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.926] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.933] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x876bf80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.933] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.934] GetProcessHeap () returned 0xbc0000 [0065.934] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.934] GetProcessHeap () returned 0xbc0000 [0065.934] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.934] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x87a9010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.934] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0065.941] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x87a9010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.942] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0065.942] GetProcessHeap () returned 0xbc0000 [0065.942] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0065.942] GetProcessHeap () returned 0xbc0000 [0065.942] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0065.942] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x87e60a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0065.942] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.041] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x87e60a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.041] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.042] GetProcessHeap () returned 0xbc0000 [0066.042] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.042] GetProcessHeap () returned 0xbc0000 [0066.042] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.042] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8823130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.042] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.049] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8823130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.049] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.049] GetProcessHeap () returned 0xbc0000 [0066.049] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.049] GetProcessHeap () returned 0xbc0000 [0066.049] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.049] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x88601c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.049] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.056] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x88601c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.056] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.057] GetProcessHeap () returned 0xbc0000 [0066.057] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.057] GetProcessHeap () returned 0xbc0000 [0066.057] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.057] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x889d250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.057] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.064] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x889d250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.064] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.064] GetProcessHeap () returned 0xbc0000 [0066.064] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.064] GetProcessHeap () returned 0xbc0000 [0066.064] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.064] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x88da2e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.064] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.120] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x88da2e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.120] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.120] GetProcessHeap () returned 0xbc0000 [0066.120] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.120] GetProcessHeap () returned 0xbc0000 [0066.120] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.120] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8917370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.121] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.167] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8917370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.167] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.168] GetProcessHeap () returned 0xbc0000 [0066.168] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.168] GetProcessHeap () returned 0xbc0000 [0066.168] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.168] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8954400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.168] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.175] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8954400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.175] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.176] GetProcessHeap () returned 0xbc0000 [0066.176] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.176] GetProcessHeap () returned 0xbc0000 [0066.176] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.176] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8991490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.176] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.183] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8991490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.183] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.183] GetProcessHeap () returned 0xbc0000 [0066.183] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.183] GetProcessHeap () returned 0xbc0000 [0066.183] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.183] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x89ce520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.183] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.197] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x89ce520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.197] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.198] GetProcessHeap () returned 0xbc0000 [0066.198] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.198] GetProcessHeap () returned 0xbc0000 [0066.198] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.198] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8a0b5b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.198] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.335] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8a0b5b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.335] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.335] GetProcessHeap () returned 0xbc0000 [0066.335] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.335] GetProcessHeap () returned 0xbc0000 [0066.335] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.335] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8a48640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.335] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.342] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8a48640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.342] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.343] GetProcessHeap () returned 0xbc0000 [0066.343] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.343] GetProcessHeap () returned 0xbc0000 [0066.343] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.343] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8a856d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.343] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.363] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8a856d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.363] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.363] GetProcessHeap () returned 0xbc0000 [0066.363] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.363] GetProcessHeap () returned 0xbc0000 [0066.363] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.363] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ac2760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.364] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.371] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ac2760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.371] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.371] GetProcessHeap () returned 0xbc0000 [0066.371] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.371] GetProcessHeap () returned 0xbc0000 [0066.371] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.372] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8aff7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.372] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.420] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8aff7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.420] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.421] GetProcessHeap () returned 0xbc0000 [0066.421] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.421] GetProcessHeap () returned 0xbc0000 [0066.421] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.421] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8b3c880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.421] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.428] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8b3c880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.428] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.429] GetProcessHeap () returned 0xbc0000 [0066.429] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.429] GetProcessHeap () returned 0xbc0000 [0066.429] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.429] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8b79910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.429] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.436] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8b79910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.436] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.436] GetProcessHeap () returned 0xbc0000 [0066.436] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.436] GetProcessHeap () returned 0xbc0000 [0066.436] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.436] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8bb69a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.436] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.444] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8bb69a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.444] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.445] GetProcessHeap () returned 0xbc0000 [0066.445] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.445] GetProcessHeap () returned 0xbc0000 [0066.445] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.445] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8bf3a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.445] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.476] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8bf3a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.476] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.477] GetProcessHeap () returned 0xbc0000 [0066.477] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.477] GetProcessHeap () returned 0xbc0000 [0066.477] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.477] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8c30ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.477] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.484] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8c30ac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.484] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.485] GetProcessHeap () returned 0xbc0000 [0066.485] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.485] GetProcessHeap () returned 0xbc0000 [0066.485] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.485] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8c6db50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.485] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.492] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8c6db50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.492] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.493] GetProcessHeap () returned 0xbc0000 [0066.493] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.493] GetProcessHeap () returned 0xbc0000 [0066.493] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.493] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8caabe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.493] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.500] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8caabe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.500] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.500] GetProcessHeap () returned 0xbc0000 [0066.501] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.501] GetProcessHeap () returned 0xbc0000 [0066.501] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.501] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ce7c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.501] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.521] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ce7c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.521] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.522] GetProcessHeap () returned 0xbc0000 [0066.522] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.522] GetProcessHeap () returned 0xbc0000 [0066.522] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.522] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d24d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.522] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.529] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d24d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.529] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.529] GetProcessHeap () returned 0xbc0000 [0066.529] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.529] GetProcessHeap () returned 0xbc0000 [0066.529] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.529] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d61d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.530] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.536] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d61d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.536] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.536] GetProcessHeap () returned 0xbc0000 [0066.536] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.536] GetProcessHeap () returned 0xbc0000 [0066.537] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.537] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d9ee20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.537] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.544] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8d9ee20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.544] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.544] GetProcessHeap () returned 0xbc0000 [0066.544] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.544] GetProcessHeap () returned 0xbc0000 [0066.544] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.544] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ddbeb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.544] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.565] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ddbeb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.565] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.565] GetProcessHeap () returned 0xbc0000 [0066.565] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.565] GetProcessHeap () returned 0xbc0000 [0066.565] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.565] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8e18f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.565] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.607] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8e18f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.607] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.607] GetProcessHeap () returned 0xbc0000 [0066.608] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.608] GetProcessHeap () returned 0xbc0000 [0066.608] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.608] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8e55fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.608] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.616] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8e55fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.616] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.617] GetProcessHeap () returned 0xbc0000 [0066.617] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.617] GetProcessHeap () returned 0xbc0000 [0066.617] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.617] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8e93060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.617] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.624] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8e93060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.624] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.624] GetProcessHeap () returned 0xbc0000 [0066.624] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.624] GetProcessHeap () returned 0xbc0000 [0066.624] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.624] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ed00f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.624] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.634] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8ed00f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.634] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.634] GetProcessHeap () returned 0xbc0000 [0066.634] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.634] GetProcessHeap () returned 0xbc0000 [0066.634] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.634] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8f0d180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.634] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.653] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8f0d180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.653] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.653] GetProcessHeap () returned 0xbc0000 [0066.653] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.653] GetProcessHeap () returned 0xbc0000 [0066.653] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.653] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8f4a210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.654] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.661] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8f4a210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.661] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.661] GetProcessHeap () returned 0xbc0000 [0066.661] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.661] GetProcessHeap () returned 0xbc0000 [0066.661] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.661] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8f872a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.661] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.668] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8f872a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.668] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.668] GetProcessHeap () returned 0xbc0000 [0066.669] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.669] GetProcessHeap () returned 0xbc0000 [0066.669] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.669] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8fc4330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.669] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.689] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x8fc4330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.689] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.690] GetProcessHeap () returned 0xbc0000 [0066.690] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.690] GetProcessHeap () returned 0xbc0000 [0066.690] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.690] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90013c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.690] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.704] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90013c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.704] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.704] GetProcessHeap () returned 0xbc0000 [0066.704] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.704] GetProcessHeap () returned 0xbc0000 [0066.704] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.704] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x903e450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.704] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.712] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x903e450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.712] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.712] GetProcessHeap () returned 0xbc0000 [0066.712] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.712] GetProcessHeap () returned 0xbc0000 [0066.712] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.712] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x907b4e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.712] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.719] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x907b4e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.720] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.720] GetProcessHeap () returned 0xbc0000 [0066.720] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.720] GetProcessHeap () returned 0xbc0000 [0066.720] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.720] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90b8570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.720] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.727] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90b8570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.727] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.728] GetProcessHeap () returned 0xbc0000 [0066.728] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.728] GetProcessHeap () returned 0xbc0000 [0066.728] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.728] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90f5600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.728] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.747] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x90f5600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.747] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.748] GetProcessHeap () returned 0xbc0000 [0066.748] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.748] GetProcessHeap () returned 0xbc0000 [0066.748] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.748] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9132690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.748] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.755] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9132690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.755] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.756] GetProcessHeap () returned 0xbc0000 [0066.756] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.756] GetProcessHeap () returned 0xbc0000 [0066.756] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.756] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x916f720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.756] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.762] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x916f720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.762] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.762] GetProcessHeap () returned 0xbc0000 [0066.762] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.762] GetProcessHeap () returned 0xbc0000 [0066.762] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.762] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x91ac7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.762] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.779] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x91ac7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.779] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.779] GetProcessHeap () returned 0xbc0000 [0066.779] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.779] GetProcessHeap () returned 0xbc0000 [0066.779] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.779] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x91e9840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.779] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.795] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x91e9840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.795] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.796] GetProcessHeap () returned 0xbc0000 [0066.796] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.796] GetProcessHeap () returned 0xbc0000 [0066.796] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.796] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x92268d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.796] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.803] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x92268d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.804] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.804] GetProcessHeap () returned 0xbc0000 [0066.804] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.804] GetProcessHeap () returned 0xbc0000 [0066.804] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.804] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9263960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.804] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.810] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9263960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.810] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.811] GetProcessHeap () returned 0xbc0000 [0066.811] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.811] GetProcessHeap () returned 0xbc0000 [0066.811] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.811] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x92a09f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.811] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.818] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x92a09f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.818] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.819] GetProcessHeap () returned 0xbc0000 [0066.819] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.819] GetProcessHeap () returned 0xbc0000 [0066.819] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.819] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x92dda80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.819] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.841] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x92dda80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.841] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.841] GetProcessHeap () returned 0xbc0000 [0066.841] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.841] GetProcessHeap () returned 0xbc0000 [0066.841] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.841] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x931ab10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.841] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.856] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x931ab10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.856] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.857] GetProcessHeap () returned 0xbc0000 [0066.857] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.857] GetProcessHeap () returned 0xbc0000 [0066.857] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.857] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9357ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.857] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.872] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9357ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.872] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.872] GetProcessHeap () returned 0xbc0000 [0066.872] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.872] GetProcessHeap () returned 0xbc0000 [0066.872] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.872] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9394c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.872] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.880] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9394c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.880] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.880] GetProcessHeap () returned 0xbc0000 [0066.880] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.880] GetProcessHeap () returned 0xbc0000 [0066.880] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.880] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x93d1cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.880] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.896] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x93d1cc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.896] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.896] GetProcessHeap () returned 0xbc0000 [0066.896] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.896] GetProcessHeap () returned 0xbc0000 [0066.896] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.896] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x940ed50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.896] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.978] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x940ed50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.978] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.979] GetProcessHeap () returned 0xbc0000 [0066.979] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.979] GetProcessHeap () returned 0xbc0000 [0066.979] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.979] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x944bde0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.979] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.986] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x944bde0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.986] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.986] GetProcessHeap () returned 0xbc0000 [0066.986] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.986] GetProcessHeap () returned 0xbc0000 [0066.986] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.986] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9488e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.986] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0066.994] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9488e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.994] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0066.994] GetProcessHeap () returned 0xbc0000 [0066.994] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0066.995] GetProcessHeap () returned 0xbc0000 [0066.995] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0066.995] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x94c5f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0066.995] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.047] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x94c5f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.047] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.048] GetProcessHeap () returned 0xbc0000 [0067.048] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.048] GetProcessHeap () returned 0xbc0000 [0067.048] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.048] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9502f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.048] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.063] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9502f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.063] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.063] GetProcessHeap () returned 0xbc0000 [0067.063] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.063] GetProcessHeap () returned 0xbc0000 [0067.063] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.063] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9540020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.063] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.071] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9540020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.071] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.071] GetProcessHeap () returned 0xbc0000 [0067.071] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.071] GetProcessHeap () returned 0xbc0000 [0067.071] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.071] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x957d0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.071] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.078] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x957d0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.078] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.079] GetProcessHeap () returned 0xbc0000 [0067.079] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.079] GetProcessHeap () returned 0xbc0000 [0067.079] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.079] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x95ba140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.079] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.086] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x95ba140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.086] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.087] GetProcessHeap () returned 0xbc0000 [0067.087] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.087] GetProcessHeap () returned 0xbc0000 [0067.087] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.087] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x95f71d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.087] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.108] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x95f71d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.108] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.109] GetProcessHeap () returned 0xbc0000 [0067.109] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.109] GetProcessHeap () returned 0xbc0000 [0067.109] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.109] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9634260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.109] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.116] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9634260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.116] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.116] GetProcessHeap () returned 0xbc0000 [0067.116] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.116] GetProcessHeap () returned 0xbc0000 [0067.116] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.116] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x96712f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.116] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.123] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x96712f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.123] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.124] GetProcessHeap () returned 0xbc0000 [0067.124] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.124] GetProcessHeap () returned 0xbc0000 [0067.124] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.124] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x96ae380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.124] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.131] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x96ae380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.131] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.132] GetProcessHeap () returned 0xbc0000 [0067.132] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.132] GetProcessHeap () returned 0xbc0000 [0067.132] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.132] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x96eb410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.132] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.146] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x96eb410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.146] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.147] GetProcessHeap () returned 0xbc0000 [0067.147] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.147] GetProcessHeap () returned 0xbc0000 [0067.147] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.147] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x97284a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.148] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.154] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x97284a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.155] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.155] GetProcessHeap () returned 0xbc0000 [0067.155] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.155] GetProcessHeap () returned 0xbc0000 [0067.155] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.155] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9765530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.155] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.162] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9765530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.162] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.163] GetProcessHeap () returned 0xbc0000 [0067.163] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.163] GetProcessHeap () returned 0xbc0000 [0067.163] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.163] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x97a25c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.163] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.169] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x97a25c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.169] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.170] GetProcessHeap () returned 0xbc0000 [0067.170] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.170] GetProcessHeap () returned 0xbc0000 [0067.170] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.170] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x97df650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.170] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.179] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x97df650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.179] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.179] GetProcessHeap () returned 0xbc0000 [0067.179] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.179] GetProcessHeap () returned 0xbc0000 [0067.179] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.179] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x981c6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.179] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.202] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x981c6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.202] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.203] GetProcessHeap () returned 0xbc0000 [0067.203] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.203] GetProcessHeap () returned 0xbc0000 [0067.203] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.203] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9859770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.203] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.373] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9859770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.373] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.374] GetProcessHeap () returned 0xbc0000 [0067.374] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.374] GetProcessHeap () returned 0xbc0000 [0067.374] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.374] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9896800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.374] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.381] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9896800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.382] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.382] GetProcessHeap () returned 0xbc0000 [0067.382] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.382] GetProcessHeap () returned 0xbc0000 [0067.382] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.382] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x98d3890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.382] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.403] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x98d3890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.403] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.404] GetProcessHeap () returned 0xbc0000 [0067.404] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.405] GetProcessHeap () returned 0xbc0000 [0067.405] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.405] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9910920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.405] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.437] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9910920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.437] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.438] GetProcessHeap () returned 0xbc0000 [0067.438] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.438] GetProcessHeap () returned 0xbc0000 [0067.439] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.439] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x994d9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.439] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.449] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x994d9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.449] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.449] GetProcessHeap () returned 0xbc0000 [0067.449] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.449] GetProcessHeap () returned 0xbc0000 [0067.449] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.449] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x998aa40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.450] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.456] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x998aa40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.468] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.469] GetProcessHeap () returned 0xbc0000 [0067.469] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.469] GetProcessHeap () returned 0xbc0000 [0067.469] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.469] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x99c7ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.469] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.476] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x99c7ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.476] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.476] GetProcessHeap () returned 0xbc0000 [0067.476] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.476] GetProcessHeap () returned 0xbc0000 [0067.476] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.477] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9a04b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.477] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.492] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9a04b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.492] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.492] GetProcessHeap () returned 0xbc0000 [0067.492] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.492] GetProcessHeap () returned 0xbc0000 [0067.492] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.492] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9a41bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.492] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.499] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9a41bf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.499] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.500] GetProcessHeap () returned 0xbc0000 [0067.500] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.500] GetProcessHeap () returned 0xbc0000 [0067.500] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.500] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9a7ec80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.500] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.507] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9a7ec80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.507] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.508] GetProcessHeap () returned 0xbc0000 [0067.508] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.508] GetProcessHeap () returned 0xbc0000 [0067.508] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.508] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9abbd10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.508] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.516] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9abbd10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.516] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.516] GetProcessHeap () returned 0xbc0000 [0067.516] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.517] GetProcessHeap () returned 0xbc0000 [0067.517] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.517] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9af8da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.517] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.539] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9af8da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.539] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.540] GetProcessHeap () returned 0xbc0000 [0067.540] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.540] GetProcessHeap () returned 0xbc0000 [0067.540] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.541] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9b35e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.541] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.548] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9b35e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.548] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.548] GetProcessHeap () returned 0xbc0000 [0067.548] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.548] GetProcessHeap () returned 0xbc0000 [0067.548] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.548] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9b72ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.548] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.554] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9b72ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.554] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.555] GetProcessHeap () returned 0xbc0000 [0067.555] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.555] GetProcessHeap () returned 0xbc0000 [0067.555] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.555] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9baff50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.555] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.566] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9baff50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.566] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.567] GetProcessHeap () returned 0xbc0000 [0067.567] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.567] GetProcessHeap () returned 0xbc0000 [0067.567] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.567] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9becfe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.567] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.585] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9becfe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.585] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.586] GetProcessHeap () returned 0xbc0000 [0067.586] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.586] GetProcessHeap () returned 0xbc0000 [0067.586] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.586] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9c2a070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.586] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.593] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9c2a070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.593] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.594] GetProcessHeap () returned 0xbc0000 [0067.594] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.594] GetProcessHeap () returned 0xbc0000 [0067.594] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.594] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9c67100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.594] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.601] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9c67100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.601] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.602] GetProcessHeap () returned 0xbc0000 [0067.602] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.602] GetProcessHeap () returned 0xbc0000 [0067.602] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.602] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ca4190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.602] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.650] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ca4190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.650] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.651] GetProcessHeap () returned 0xbc0000 [0067.651] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.651] GetProcessHeap () returned 0xbc0000 [0067.651] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.651] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ce1220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.651] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.658] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ce1220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.658] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.658] GetProcessHeap () returned 0xbc0000 [0067.658] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.659] GetProcessHeap () returned 0xbc0000 [0067.659] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.659] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9d1e2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.659] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.743] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9d1e2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.743] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.743] GetProcessHeap () returned 0xbc0000 [0067.743] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.743] GetProcessHeap () returned 0xbc0000 [0067.743] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.743] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9d5b340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.743] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.750] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9d5b340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.750] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.751] GetProcessHeap () returned 0xbc0000 [0067.751] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.751] GetProcessHeap () returned 0xbc0000 [0067.751] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.751] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9d983d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.751] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.798] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9d983d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.798] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.799] GetProcessHeap () returned 0xbc0000 [0067.799] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.799] GetProcessHeap () returned 0xbc0000 [0067.799] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.799] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9dd5460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.799] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.806] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9dd5460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.806] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.807] GetProcessHeap () returned 0xbc0000 [0067.807] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.807] GetProcessHeap () returned 0xbc0000 [0067.807] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.807] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9e124f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.807] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.868] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9e124f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.868] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.869] GetProcessHeap () returned 0xbc0000 [0067.869] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.869] GetProcessHeap () returned 0xbc0000 [0067.869] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.869] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9e4f580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.869] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.876] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9e4f580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.876] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.877] GetProcessHeap () returned 0xbc0000 [0067.877] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.877] GetProcessHeap () returned 0xbc0000 [0067.877] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.877] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9e8c610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.877] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.884] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9e8c610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.884] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.884] GetProcessHeap () returned 0xbc0000 [0067.884] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.884] GetProcessHeap () returned 0xbc0000 [0067.884] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.884] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ec96a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.884] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.965] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ec96a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.965] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.965] GetProcessHeap () returned 0xbc0000 [0067.965] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.965] GetProcessHeap () returned 0xbc0000 [0067.965] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.965] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9f06730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.965] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0067.976] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9f06730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.977] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0067.977] GetProcessHeap () returned 0xbc0000 [0067.977] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0067.977] GetProcessHeap () returned 0xbc0000 [0067.977] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0067.977] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9f437c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0067.977] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.319] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9f437c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.319] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.320] GetProcessHeap () returned 0xbc0000 [0068.320] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.320] GetProcessHeap () returned 0xbc0000 [0068.320] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.320] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9f80850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.320] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.327] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9f80850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.327] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.328] GetProcessHeap () returned 0xbc0000 [0068.328] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.328] GetProcessHeap () returned 0xbc0000 [0068.328] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.328] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9fbd8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.328] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.334] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9fbd8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.334] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.336] GetProcessHeap () returned 0xbc0000 [0068.336] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.336] GetProcessHeap () returned 0xbc0000 [0068.336] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.336] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ffa970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.336] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.389] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x9ffa970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.389] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.390] GetProcessHeap () returned 0xbc0000 [0068.390] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.390] GetProcessHeap () returned 0xbc0000 [0068.390] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.390] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa037a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.390] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.430] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa037a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.430] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.431] GetProcessHeap () returned 0xbc0000 [0068.431] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.431] GetProcessHeap () returned 0xbc0000 [0068.431] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.431] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa074a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.431] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.438] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa074a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.438] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.438] GetProcessHeap () returned 0xbc0000 [0068.438] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.439] GetProcessHeap () returned 0xbc0000 [0068.439] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.439] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa0b1b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.439] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.446] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa0b1b20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.446] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.447] GetProcessHeap () returned 0xbc0000 [0068.447] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.447] GetProcessHeap () returned 0xbc0000 [0068.447] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.447] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa0eebb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.447] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.460] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa0eebb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.460] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.461] GetProcessHeap () returned 0xbc0000 [0068.461] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.461] GetProcessHeap () returned 0xbc0000 [0068.461] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.461] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa12bc40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.461] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.468] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa12bc40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.468] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.468] GetProcessHeap () returned 0xbc0000 [0068.469] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.469] GetProcessHeap () returned 0xbc0000 [0068.469] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.469] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa168cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.469] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.478] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa168cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.478] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.478] GetProcessHeap () returned 0xbc0000 [0068.478] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.478] GetProcessHeap () returned 0xbc0000 [0068.478] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.478] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa1a5d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.478] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.525] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa1a5d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.525] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.526] GetProcessHeap () returned 0xbc0000 [0068.526] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.526] GetProcessHeap () returned 0xbc0000 [0068.526] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.526] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa1e2df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.526] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.538] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa1e2df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.538] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.539] GetProcessHeap () returned 0xbc0000 [0068.539] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.539] GetProcessHeap () returned 0xbc0000 [0068.539] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.539] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa21fe80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.540] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.630] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa21fe80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.630] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.630] GetProcessHeap () returned 0xbc0000 [0068.630] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.630] GetProcessHeap () returned 0xbc0000 [0068.630] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.630] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa25cf10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.630] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.655] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa25cf10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.655] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.655] GetProcessHeap () returned 0xbc0000 [0068.655] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.655] GetProcessHeap () returned 0xbc0000 [0068.655] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.655] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa299fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.655] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.663] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa299fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.663] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.664] GetProcessHeap () returned 0xbc0000 [0068.664] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.664] GetProcessHeap () returned 0xbc0000 [0068.664] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.664] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa2d7030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.664] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.671] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa2d7030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.671] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.671] GetProcessHeap () returned 0xbc0000 [0068.671] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.671] GetProcessHeap () returned 0xbc0000 [0068.671] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.671] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa3140c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.671] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.833] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa3140c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.833] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.834] GetProcessHeap () returned 0xbc0000 [0068.834] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.834] GetProcessHeap () returned 0xbc0000 [0068.834] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.834] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa351150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.868] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.878] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa351150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.878] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.878] GetProcessHeap () returned 0xbc0000 [0068.878] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.878] GetProcessHeap () returned 0xbc0000 [0068.878] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.878] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa38e1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.878] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.885] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa38e1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.885] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.886] GetProcessHeap () returned 0xbc0000 [0068.886] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.886] GetProcessHeap () returned 0xbc0000 [0068.886] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.886] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa3cb270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.886] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.893] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa3cb270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.893] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.893] GetProcessHeap () returned 0xbc0000 [0068.893] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.893] GetProcessHeap () returned 0xbc0000 [0068.894] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.894] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa408300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.894] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.914] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa408300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.914] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.916] GetProcessHeap () returned 0xbc0000 [0068.916] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.916] GetProcessHeap () returned 0xbc0000 [0068.916] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.916] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa445390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.918] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.924] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa445390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.924] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.924] GetProcessHeap () returned 0xbc0000 [0068.924] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.924] GetProcessHeap () returned 0xbc0000 [0068.924] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.924] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa482420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.925] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.939] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa482420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.939] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.939] GetProcessHeap () returned 0xbc0000 [0068.939] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.939] GetProcessHeap () returned 0xbc0000 [0068.939] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.939] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa4bf4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.939] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0068.988] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa4bf4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.988] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0068.988] GetProcessHeap () returned 0xbc0000 [0068.988] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0068.988] GetProcessHeap () returned 0xbc0000 [0068.988] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0068.988] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa4fc540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0068.988] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.009] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa4fc540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.009] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.010] GetProcessHeap () returned 0xbc0000 [0069.010] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.010] GetProcessHeap () returned 0xbc0000 [0069.010] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.010] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa5395d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.010] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.019] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa5395d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.019] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.019] GetProcessHeap () returned 0xbc0000 [0069.019] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.019] GetProcessHeap () returned 0xbc0000 [0069.019] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.019] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa576660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.019] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.026] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa576660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.027] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.027] GetProcessHeap () returned 0xbc0000 [0069.027] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.027] GetProcessHeap () returned 0xbc0000 [0069.027] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.027] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa5b36f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.027] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.036] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa5b36f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.036] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.036] GetProcessHeap () returned 0xbc0000 [0069.036] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.036] GetProcessHeap () returned 0xbc0000 [0069.036] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.036] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa5f0780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.036] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.052] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa5f0780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.052] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.054] GetProcessHeap () returned 0xbc0000 [0069.054] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.054] GetProcessHeap () returned 0xbc0000 [0069.054] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.054] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa62d810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.054] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.081] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa62d810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.081] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.081] GetProcessHeap () returned 0xbc0000 [0069.081] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.082] GetProcessHeap () returned 0xbc0000 [0069.082] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.082] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa66a8a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.082] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.149] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa66a8a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.149] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.149] GetProcessHeap () returned 0xbc0000 [0069.149] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.149] GetProcessHeap () returned 0xbc0000 [0069.149] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.149] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa6a7930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.149] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.155] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa6a7930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.155] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.156] GetProcessHeap () returned 0xbc0000 [0069.156] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.156] GetProcessHeap () returned 0xbc0000 [0069.156] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.156] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa6e49c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.156] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.174] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa6e49c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.174] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.175] GetProcessHeap () returned 0xbc0000 [0069.175] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.175] GetProcessHeap () returned 0xbc0000 [0069.175] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.175] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa721a50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.175] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.264] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa721a50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.264] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.264] GetProcessHeap () returned 0xbc0000 [0069.264] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.264] GetProcessHeap () returned 0xbc0000 [0069.265] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.265] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa75eae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.265] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.272] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa75eae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.272] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.272] GetProcessHeap () returned 0xbc0000 [0069.272] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.272] GetProcessHeap () returned 0xbc0000 [0069.272] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.272] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa79bb70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.272] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.278] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa79bb70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.278] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.278] GetProcessHeap () returned 0xbc0000 [0069.279] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.279] GetProcessHeap () returned 0xbc0000 [0069.279] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.279] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa7d8c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.279] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.323] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa7d8c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.323] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.324] GetProcessHeap () returned 0xbc0000 [0069.324] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.324] GetProcessHeap () returned 0xbc0000 [0069.324] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.324] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa815c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.324] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.347] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa815c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.347] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.348] GetProcessHeap () returned 0xbc0000 [0069.348] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.348] GetProcessHeap () returned 0xbc0000 [0069.348] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.348] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa852d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.348] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.368] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa852d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.368] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.368] GetProcessHeap () returned 0xbc0000 [0069.368] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.368] GetProcessHeap () returned 0xbc0000 [0069.368] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.368] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa88fdb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.368] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.409] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa88fdb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.410] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.410] GetProcessHeap () returned 0xbc0000 [0069.410] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.410] GetProcessHeap () returned 0xbc0000 [0069.410] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.410] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa8cce40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.410] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.417] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa8cce40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.417] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.418] GetProcessHeap () returned 0xbc0000 [0069.418] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.418] GetProcessHeap () returned 0xbc0000 [0069.418] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.418] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa909ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.418] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.429] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa909ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.429] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.430] GetProcessHeap () returned 0xbc0000 [0069.430] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.430] GetProcessHeap () returned 0xbc0000 [0069.430] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.430] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa946f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.430] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.448] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa946f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.448] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.448] GetProcessHeap () returned 0xbc0000 [0069.448] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.448] GetProcessHeap () returned 0xbc0000 [0069.448] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.448] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa983ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.449] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.464] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa983ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.464] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.465] GetProcessHeap () returned 0xbc0000 [0069.465] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.465] GetProcessHeap () returned 0xbc0000 [0069.465] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.465] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa9c1080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.465] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.471] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa9c1080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.471] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.471] GetProcessHeap () returned 0xbc0000 [0069.471] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.471] GetProcessHeap () returned 0xbc0000 [0069.471] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.471] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa9fe110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.471] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.544] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa9fe110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.544] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.545] GetProcessHeap () returned 0xbc0000 [0069.545] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.545] GetProcessHeap () returned 0xbc0000 [0069.545] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.545] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaa3b1a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.545] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.551] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaa3b1a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.551] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.551] GetProcessHeap () returned 0xbc0000 [0069.551] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.551] GetProcessHeap () returned 0xbc0000 [0069.551] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.551] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaa78230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.551] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.563] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaa78230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.563] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.564] GetProcessHeap () returned 0xbc0000 [0069.564] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.564] GetProcessHeap () returned 0xbc0000 [0069.564] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.564] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaab52c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.564] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.578] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaab52c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.578] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.579] GetProcessHeap () returned 0xbc0000 [0069.579] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.579] GetProcessHeap () returned 0xbc0000 [0069.579] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.579] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaaf2350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.579] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.612] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaaf2350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.612] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.613] GetProcessHeap () returned 0xbc0000 [0069.613] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.613] GetProcessHeap () returned 0xbc0000 [0069.613] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.613] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xab2f3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.613] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.621] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xab2f3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.621] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.621] GetProcessHeap () returned 0xbc0000 [0069.621] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.622] GetProcessHeap () returned 0xbc0000 [0069.622] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.622] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xab6c470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.622] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.627] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xab6c470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.627] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.628] GetProcessHeap () returned 0xbc0000 [0069.628] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.628] GetProcessHeap () returned 0xbc0000 [0069.628] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.628] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaba9500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.628] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.642] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xaba9500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.643] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.643] GetProcessHeap () returned 0xbc0000 [0069.643] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.643] GetProcessHeap () returned 0xbc0000 [0069.643] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.643] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xabe6590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.643] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.696] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xabe6590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.696] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.697] GetProcessHeap () returned 0xbc0000 [0069.697] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.697] GetProcessHeap () returned 0xbc0000 [0069.697] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.697] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xac23620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.697] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.704] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xac23620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.704] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.704] GetProcessHeap () returned 0xbc0000 [0069.704] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.704] GetProcessHeap () returned 0xbc0000 [0069.704] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.704] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xac606b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.704] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.710] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xac606b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.710] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.711] GetProcessHeap () returned 0xbc0000 [0069.711] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.711] GetProcessHeap () returned 0xbc0000 [0069.711] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbeb608 [0069.711] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xac9d740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.711] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x1e848, lpOverlapped=0x0) returned 1 [0069.721] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xac9d740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0069.721] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x1e848, lpOverlapped=0x0) returned 1 [0069.721] GetProcessHeap () returned 0xbc0000 [0069.721] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0069.721] CloseHandle (hObject=0x260) returned 1 [0070.307] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681410 | out: hHeap=0x2680000) returned 1 [0070.307] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0070.307] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813e0 | out: hHeap=0x2680000) returned 1 [0070.307] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813f8 | out: hHeap=0x2680000) returned 1 [0070.307] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26813e0 [0070.307] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Core.mzz.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\netfx_core.mzz.nefilim")) returned 1 [0070.399] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813e0 | out: hHeap=0x2680000) returned 1 [0070.399] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681388 | out: hHeap=0x2680000) returned 1 [0070.399] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xc183da00, ftCreationTime.dwHighDateTime=0x1cac6e3, ftLastAccessTime.dwLowDateTime=0xc183da00, ftLastAccessTime.dwHighDateTime=0x1cac6e3, ftLastWriteTime.dwLowDateTime=0xc183da00, ftLastWriteTime.dwHighDateTime=0x1cac6e3, nFileSizeHigh=0x0, nFileSizeLow=0x1d0200, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="netfx_Core_x64.msi", cAlternateFileName="NETFX_~1.MSI")) returned 1 [0070.399] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2=".") returned 1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="..") returned 1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="...") returned 1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="windows") returned -1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="rsa") returned -1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="NTDETECT.COM") returned -1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="ntldr") returned -1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="MSDOS.SYS") returned 1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="IO.SYS") returned 1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="boot.ini") returned 1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="ntuser.dat") returned -1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="desktop.ini") returned 1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="CONFIG.SYS") returned 1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="RECYCLER") returned -1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="bootmgr") returned 1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="programdata") returned -1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="appdata") returned 1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="program files") returned -1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="program files (x86)") returned -1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="microsoft") returned 1 [0070.400] lstrcmpiW (lpString1="netfx_Core_x64.msi", lpString2="sophos") returned -1 [0070.400] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681388 [0070.400] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0070.400] PathFindExtensionW (pszPath="netfx_Core_x64.msi") returned=".msi" [0070.400] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0070.400] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0070.400] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0070.400] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0070.400] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0070.400] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0070.400] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0070.400] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0070.401] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0070.401] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0070.401] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0070.401] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0070.401] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0070.401] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0070.401] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0070.401] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4c130c00, ftCreationTime.dwHighDateTime=0x1cac6d9, ftLastAccessTime.dwLowDateTime=0x4c130c00, ftLastAccessTime.dwHighDateTime=0x1cac6d9, ftLastWriteTime.dwLowDateTime=0x4c130c00, ftLastWriteTime.dwHighDateTime=0x1cac6d9, nFileSizeHigh=0x0, nFileSizeLow=0x11c000, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="netfx_Core_x86.msi", cAlternateFileName="NETFX_~2.MSI")) returned 1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2=".") returned 1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="..") returned 1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="...") returned 1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="windows") returned -1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="rsa") returned -1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="NTDETECT.COM") returned -1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="ntldr") returned -1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="MSDOS.SYS") returned 1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="IO.SYS") returned 1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="boot.ini") returned 1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="ntuser.dat") returned -1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="desktop.ini") returned 1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="CONFIG.SYS") returned 1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="RECYCLER") returned -1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="bootmgr") returned 1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="programdata") returned -1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="appdata") returned 1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="program files") returned -1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="program files (x86)") returned -1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="microsoft") returned 1 [0070.401] lstrcmpiW (lpString1="netfx_Core_x86.msi", lpString2="sophos") returned -1 [0070.401] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26813f0 [0070.401] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681388 | out: hHeap=0x2680000) returned 1 [0070.401] PathFindExtensionW (pszPath="netfx_Core_x86.msi") returned=".msi" [0070.401] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0070.402] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0070.402] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0070.402] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0070.402] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0070.402] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0070.402] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0070.402] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0070.402] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0070.402] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0070.402] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0070.402] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0070.402] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0070.402] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0070.402] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0070.402] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf74cd515, ftCreationTime.dwHighDateTime=0x1d327bd, ftLastAccessTime.dwLowDateTime=0xf74cd515, ftLastAccessTime.dwHighDateTime=0x1d327bd, ftLastWriteTime.dwLowDateTime=0xf7cd9415, ftLastWriteTime.dwHighDateTime=0x1d327bd, nFileSizeHigh=0x0, nFileSizeLow=0x29222c7, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="netfx_Extended.mzz", cAlternateFileName="NETFX_~2.MZZ")) returned 1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2=".") returned 1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="..") returned 1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="...") returned 1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="windows") returned -1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="$RECYCLE.BIN") returned 1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="rsa") returned -1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="NTDETECT.COM") returned -1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="ntldr") returned -1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="MSDOS.SYS") returned 1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="IO.SYS") returned 1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="boot.ini") returned 1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="AUTOEXEC.BAT") returned 1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="ntuser.dat") returned -1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="desktop.ini") returned 1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="CONFIG.SYS") returned 1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="RECYCLER") returned -1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="BOOTSECT.BAK") returned 1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="bootmgr") returned 1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="programdata") returned -1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="appdata") returned 1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="program files") returned -1 [0070.402] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="program files (x86)") returned -1 [0070.403] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="microsoft") returned 1 [0070.403] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="sophos") returned -1 [0070.403] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681330 [0070.403] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813f0 | out: hHeap=0x2680000) returned 1 [0070.403] PathFindExtensionW (pszPath="netfx_Extended.mzz") returned=".mzz" [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".exe") returned 1 [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".log") returned 1 [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".cab") returned 1 [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".cmd") returned 1 [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".com") returned 1 [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".cpl") returned 1 [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".ini") returned 1 [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".dll") returned 1 [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".url") returned -1 [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".ttf") returned -1 [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".mp3") returned 1 [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".pif") returned -1 [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".mp4") returned 1 [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".NEFILIM") returned -1 [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".msi") returned 1 [0070.403] lstrcmpiW (lpString1=".mzz", lpString2=".lnk") returned 1 [0070.403] lstrcmpiW (lpString1="netfx_Extended.mzz", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0070.403] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681398 [0070.403] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0070.404] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=43131591) returned 1 [0070.404] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681400 [0070.404] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681418 [0070.404] SystemFunction036 (in: RandomBuffer=0x2681400, RandomBufferLength=0x10 | out: RandomBuffer=0x2681400) returned 1 [0070.404] SystemFunction036 (in: RandomBuffer=0x2681418, RandomBufferLength=0x10 | out: RandomBuffer=0x2681418) returned 1 [0070.404] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681430 [0070.404] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0070.404] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681430*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681430*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0070.406] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0070.408] GetTickCount () returned 0x1152f2a [0070.408] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26820d0 [0070.408] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0070.408] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29222c7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.408] SetLastError (dwErrCode=0x0) [0070.408] WriteFile (in: hFile=0x260, lpBuffer=0x2681430*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681430*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0070.865] GetLastError () returned 0x0 [0070.865] GetLastError () returned 0x0 [0070.865] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29223c7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.866] WriteFile (in: hFile=0x260, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0070.866] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x29224c7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.866] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x253bf7f3, dwHighDateTime=0x1d5f971)) [0070.866] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26820d0 [0070.866] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0070.866] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0070.866] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x927c0) returned 0x25c1020 [0070.868] GetCurrentProcess () returned 0xffffffff [0070.868] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.868] ReadFile (in: hFile=0x260, lpBuffer=0x25c1020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0x25c1020*, lpNumberOfBytesRead=0x25bf15c*=0x927c0, lpOverlapped=0x0) returned 1 [0070.919] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0070.919] WriteFile (in: hFile=0x260, lpBuffer=0x25c1020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x25c1020*, lpNumberOfBytesWritten=0x25bf150*=0x927c0, lpOverlapped=0x0) returned 1 [0070.920] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x25c1020 | out: hHeap=0x2680000) returned 1 [0070.923] CloseHandle (hObject=0x260) returned 1 [0071.393] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681430 | out: hHeap=0x2680000) returned 1 [0071.393] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0071.393] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681400 | out: hHeap=0x2680000) returned 1 [0071.393] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681418 | out: hHeap=0x2680000) returned 1 [0071.393] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681400 [0071.394] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz"), lpNewFileName="C:\\588bce7c90097ed212\\netfx_Extended.mzz.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\netfx_extended.mzz.nefilim")) returned 1 [0071.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681400 | out: hHeap=0x2680000) returned 1 [0071.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681398 | out: hHeap=0x2680000) returned 1 [0071.397] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2dbe0800, ftCreationTime.dwHighDateTime=0x1cac6fb, ftLastAccessTime.dwLowDateTime=0x2dbe0800, ftLastAccessTime.dwHighDateTime=0x1cac6fb, ftLastWriteTime.dwLowDateTime=0x2dbe0800, ftLastWriteTime.dwHighDateTime=0x1cac6fb, nFileSizeHigh=0x0, nFileSizeLow=0xd5000, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="netfx_Extended_x64.msi", cAlternateFileName="NETFX_~3.MSI")) returned 1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2=".") returned 1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="..") returned 1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="...") returned 1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="windows") returned -1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="rsa") returned -1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="NTDETECT.COM") returned -1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="ntldr") returned -1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="MSDOS.SYS") returned 1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="IO.SYS") returned 1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="boot.ini") returned 1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="ntuser.dat") returned -1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="desktop.ini") returned 1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="CONFIG.SYS") returned 1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="RECYCLER") returned -1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="bootmgr") returned 1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="programdata") returned -1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="appdata") returned 1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="program files") returned -1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="program files (x86)") returned -1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="microsoft") returned 1 [0071.397] lstrcmpiW (lpString1="netfx_Extended_x64.msi", lpString2="sophos") returned -1 [0071.397] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681398 [0071.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0071.397] PathFindExtensionW (pszPath="netfx_Extended_x64.msi") returned=".msi" [0071.397] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0071.397] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0071.398] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0071.398] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0071.398] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0071.398] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0071.398] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0071.398] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0071.398] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0071.398] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0071.398] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0071.398] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0071.398] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0071.398] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0071.398] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0071.398] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x7626f700, ftCreationTime.dwHighDateTime=0x1cac6f6, ftLastAccessTime.dwLowDateTime=0x7626f700, ftLastAccessTime.dwHighDateTime=0x1cac6f6, ftLastWriteTime.dwLowDateTime=0x7626f700, ftLastWriteTime.dwHighDateTime=0x1cac6f6, nFileSizeHigh=0x0, nFileSizeLow=0x79000, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="netfx_Extended_x86.msi", cAlternateFileName="NETFX_~4.MSI")) returned 1 [0071.401] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2=".") returned 1 [0071.401] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="..") returned 1 [0071.401] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="...") returned 1 [0071.401] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="windows") returned -1 [0071.401] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="rsa") returned -1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="NTDETECT.COM") returned -1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="ntldr") returned -1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="MSDOS.SYS") returned 1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="IO.SYS") returned 1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="boot.ini") returned 1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="ntuser.dat") returned -1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="desktop.ini") returned 1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="CONFIG.SYS") returned 1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="RECYCLER") returned -1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="bootmgr") returned 1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="programdata") returned -1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="appdata") returned 1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="program files") returned -1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="program files (x86)") returned -1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="microsoft") returned 1 [0071.402] lstrcmpiW (lpString1="netfx_Extended_x86.msi", lpString2="sophos") returned -1 [0071.402] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681330 [0071.402] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681398 | out: hHeap=0x2680000) returned 1 [0071.402] PathFindExtensionW (pszPath="netfx_Extended_x86.msi") returned=".msi" [0071.402] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0071.402] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0071.402] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0071.402] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0071.402] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0071.402] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0071.402] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0071.402] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0071.402] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0071.402] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0071.402] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0071.402] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0071.402] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0071.403] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0071.403] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0071.403] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x4a0f7400, ftCreationTime.dwHighDateTime=0x1cac6fe, ftLastAccessTime.dwLowDateTime=0x4a0f7400, ftLastAccessTime.dwHighDateTime=0x1cac6fe, ftLastWriteTime.dwLowDateTime=0x4a0f7400, ftLastWriteTime.dwHighDateTime=0x1cac6fe, nFileSizeHigh=0x0, nFileSizeLow=0x426ae, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="ParameterInfo.xml", cAlternateFileName="PARAME~1.XML")) returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2=".") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="..") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="...") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="windows") returned -1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="rsa") returned -1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="NTDETECT.COM") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="ntldr") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="MSDOS.SYS") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="IO.SYS") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="boot.ini") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="AUTOEXEC.BAT") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="ntuser.dat") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="desktop.ini") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="CONFIG.SYS") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="RECYCLER") returned -1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="BOOTSECT.BAK") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="bootmgr") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="programdata") returned -1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="appdata") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="program files") returned -1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="program files (x86)") returned -1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="microsoft") returned 1 [0071.403] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="sophos") returned -1 [0071.403] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681398 [0071.403] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0071.403] PathFindExtensionW (pszPath="ParameterInfo.xml") returned=".xml" [0071.403] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0071.403] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0071.403] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0071.403] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0071.403] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0071.403] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0071.404] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0071.404] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0071.404] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0071.404] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0071.404] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0071.404] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0071.404] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0071.404] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0071.404] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0071.404] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0071.404] lstrcmpiW (lpString1="ParameterInfo.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0071.404] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681330 [0071.404] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0071.407] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=272046) returned 1 [0071.407] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26813f0 [0071.407] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681408 [0071.407] SystemFunction036 (in: RandomBuffer=0x26813f0, RandomBufferLength=0x10 | out: RandomBuffer=0x26813f0) returned 1 [0071.407] SystemFunction036 (in: RandomBuffer=0x2681408, RandomBufferLength=0x10 | out: RandomBuffer=0x2681408) returned 1 [0071.407] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681420 [0071.407] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0071.407] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681420*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681420*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0071.409] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0071.411] GetTickCount () returned 0x1153312 [0071.411] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26820d0 [0071.411] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0071.411] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x426ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.411] SetLastError (dwErrCode=0x0) [0071.411] WriteFile (in: hFile=0x260, lpBuffer=0x2681420*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681420*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.414] GetLastError () returned 0x0 [0071.414] GetLastError () returned 0x0 [0071.414] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x427ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.414] WriteFile (in: hFile=0x260, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.414] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x428ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.414] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x258f6aa8, dwHighDateTime=0x1d5f971)) [0071.414] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26820d0 [0071.414] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0071.414] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0071.414] GetProcessHeap () returned 0xbc0000 [0071.414] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x426ae) returned 0xbeb608 [0071.415] GetSystemDefaultLangID () returned 0xbd0409 [0071.415] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.415] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x426ae, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x426ae, lpOverlapped=0x0) returned 1 [0071.432] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.432] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x426ae, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x426ae, lpOverlapped=0x0) returned 1 [0071.433] GetProcessHeap () returned 0xbc0000 [0071.433] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0071.433] CloseHandle (hObject=0x260) returned 1 [0071.438] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681420 | out: hHeap=0x2680000) returned 1 [0071.438] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0071.438] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813f0 | out: hHeap=0x2680000) returned 1 [0071.438] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681408 | out: hHeap=0x2680000) returned 1 [0071.438] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26813f0 [0071.438] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\ParameterInfo.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\parameterinfo.xml.nefilim")) returned 1 [0071.439] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813f0 | out: hHeap=0x2680000) returned 1 [0071.439] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0071.439] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x19dedd00, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x19dedd00, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x19dedd00, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x2d200, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="RGB9RAST_x64.msi", cAlternateFileName="RGB9RA~1.MSI")) returned 1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2=".") returned 1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="..") returned 1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="...") returned 1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="windows") returned -1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="rsa") returned -1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="NTDETECT.COM") returned 1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="ntldr") returned 1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="MSDOS.SYS") returned 1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="IO.SYS") returned 1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="boot.ini") returned 1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="ntuser.dat") returned 1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="desktop.ini") returned 1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="CONFIG.SYS") returned 1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="RECYCLER") returned 1 [0071.439] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0071.440] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="bootmgr") returned 1 [0071.440] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="programdata") returned 1 [0071.440] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="appdata") returned 1 [0071.440] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="program files") returned 1 [0071.440] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="program files (x86)") returned 1 [0071.440] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="microsoft") returned 1 [0071.440] lstrcmpiW (lpString1="RGB9RAST_x64.msi", lpString2="sophos") returned -1 [0071.440] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681330 [0071.440] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681398 | out: hHeap=0x2680000) returned 1 [0071.440] PathFindExtensionW (pszPath="RGB9RAST_x64.msi") returned=".msi" [0071.440] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0071.440] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0071.440] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0071.440] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0071.440] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0071.440] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0071.440] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0071.440] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0071.440] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0071.440] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0071.440] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0071.440] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0071.440] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0071.440] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0071.440] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0071.440] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x177c8300, ftCreationTime.dwHighDateTime=0x1ca2a1b, ftLastAccessTime.dwLowDateTime=0x177c8300, ftLastAccessTime.dwHighDateTime=0x1ca2a1b, ftLastWriteTime.dwLowDateTime=0x177c8300, ftLastWriteTime.dwHighDateTime=0x1ca2a1b, nFileSizeHigh=0x0, nFileSizeLow=0x17200, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="RGB9Rast_x86.msi", cAlternateFileName="RGB9RA~2.MSI")) returned 1 [0071.440] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2=".") returned 1 [0071.440] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="..") returned 1 [0071.440] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="...") returned 1 [0071.440] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="windows") returned -1 [0071.440] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0071.440] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="rsa") returned -1 [0071.440] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="NTDETECT.COM") returned 1 [0071.440] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="ntldr") returned 1 [0071.440] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="MSDOS.SYS") returned 1 [0071.441] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="IO.SYS") returned 1 [0071.441] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="boot.ini") returned 1 [0071.441] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0071.441] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="ntuser.dat") returned 1 [0071.441] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="desktop.ini") returned 1 [0071.441] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="CONFIG.SYS") returned 1 [0071.441] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="RECYCLER") returned 1 [0071.441] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0071.441] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="bootmgr") returned 1 [0071.441] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="programdata") returned 1 [0071.441] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="appdata") returned 1 [0071.441] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="program files") returned 1 [0071.441] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="program files (x86)") returned 1 [0071.441] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="microsoft") returned 1 [0071.441] lstrcmpiW (lpString1="RGB9Rast_x86.msi", lpString2="sophos") returned -1 [0071.441] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681388 [0071.441] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0071.441] PathFindExtensionW (pszPath="RGB9Rast_x86.msi") returned=".msi" [0071.441] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0071.441] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0071.441] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0071.441] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0071.441] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0071.441] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0071.441] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0071.441] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0071.441] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0071.441] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0071.441] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0071.441] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0071.441] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0071.441] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0071.441] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0071.441] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x13148, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="Setup.exe", cAlternateFileName="")) returned 1 [0071.441] lstrcmpiW (lpString1="Setup.exe", lpString2=".") returned 1 [0071.441] lstrcmpiW (lpString1="Setup.exe", lpString2="..") returned 1 [0071.441] lstrcmpiW (lpString1="Setup.exe", lpString2="...") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="windows") returned -1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="$RECYCLE.BIN") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="rsa") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="NTDETECT.COM") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="ntldr") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="MSDOS.SYS") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="IO.SYS") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="boot.ini") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="AUTOEXEC.BAT") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="ntuser.dat") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="desktop.ini") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="CONFIG.SYS") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="RECYCLER") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="BOOTSECT.BAK") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="bootmgr") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="programdata") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="appdata") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="program files") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="program files (x86)") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="microsoft") returned 1 [0071.442] lstrcmpiW (lpString1="Setup.exe", lpString2="sophos") returned -1 [0071.442] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0071.442] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681388 | out: hHeap=0x2680000) returned 1 [0071.442] PathFindExtensionW (pszPath="Setup.exe") returned=".exe" [0071.442] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0071.442] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0xc5158, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="SetupEngine.dll", cAlternateFileName="SETUPE~1.DLL")) returned 1 [0071.442] lstrcmpiW (lpString1="SetupEngine.dll", lpString2=".") returned 1 [0071.442] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="..") returned 1 [0071.442] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="...") returned 1 [0071.442] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="windows") returned -1 [0071.442] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="$RECYCLE.BIN") returned 1 [0071.442] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="rsa") returned 1 [0071.442] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="NTDETECT.COM") returned 1 [0071.442] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="ntldr") returned 1 [0071.442] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="MSDOS.SYS") returned 1 [0071.442] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="IO.SYS") returned 1 [0071.443] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="boot.ini") returned 1 [0071.443] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="AUTOEXEC.BAT") returned 1 [0071.443] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="ntuser.dat") returned 1 [0071.443] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="desktop.ini") returned 1 [0071.443] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="CONFIG.SYS") returned 1 [0071.443] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="RECYCLER") returned 1 [0071.443] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="BOOTSECT.BAK") returned 1 [0071.443] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="bootmgr") returned 1 [0071.443] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="programdata") returned 1 [0071.443] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="appdata") returned 1 [0071.443] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="program files") returned 1 [0071.443] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="program files (x86)") returned 1 [0071.443] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="microsoft") returned 1 [0071.443] lstrcmpiW (lpString1="SetupEngine.dll", lpString2="sophos") returned -1 [0071.443] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681378 [0071.443] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0071.443] PathFindExtensionW (pszPath="SetupEngine.dll") returned=".dll" [0071.443] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0071.458] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0071.458] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0071.458] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0071.458] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0071.458] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0071.458] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0071.458] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0071.458] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xe40ff600, ftCreationTime.dwHighDateTime=0x1cac6d7, ftLastAccessTime.dwLowDateTime=0xe40ff600, ftLastAccessTime.dwHighDateTime=0x1cac6d7, ftLastWriteTime.dwLowDateTime=0xe40ff600, ftLastWriteTime.dwHighDateTime=0x1cac6d7, nFileSizeHigh=0x0, nFileSizeLow=0x48150, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="SetupUi.dll", cAlternateFileName="")) returned 1 [0071.458] lstrcmpiW (lpString1="SetupUi.dll", lpString2=".") returned 1 [0071.458] lstrcmpiW (lpString1="SetupUi.dll", lpString2="..") returned 1 [0071.458] lstrcmpiW (lpString1="SetupUi.dll", lpString2="...") returned 1 [0071.458] lstrcmpiW (lpString1="SetupUi.dll", lpString2="windows") returned -1 [0071.458] lstrcmpiW (lpString1="SetupUi.dll", lpString2="$RECYCLE.BIN") returned 1 [0071.458] lstrcmpiW (lpString1="SetupUi.dll", lpString2="rsa") returned 1 [0071.458] lstrcmpiW (lpString1="SetupUi.dll", lpString2="NTDETECT.COM") returned 1 [0071.458] lstrcmpiW (lpString1="SetupUi.dll", lpString2="ntldr") returned 1 [0071.458] lstrcmpiW (lpString1="SetupUi.dll", lpString2="MSDOS.SYS") returned 1 [0071.458] lstrcmpiW (lpString1="SetupUi.dll", lpString2="IO.SYS") returned 1 [0071.458] lstrcmpiW (lpString1="SetupUi.dll", lpString2="boot.ini") returned 1 [0071.459] lstrcmpiW (lpString1="SetupUi.dll", lpString2="AUTOEXEC.BAT") returned 1 [0071.459] lstrcmpiW (lpString1="SetupUi.dll", lpString2="ntuser.dat") returned 1 [0071.459] lstrcmpiW (lpString1="SetupUi.dll", lpString2="desktop.ini") returned 1 [0071.459] lstrcmpiW (lpString1="SetupUi.dll", lpString2="CONFIG.SYS") returned 1 [0071.459] lstrcmpiW (lpString1="SetupUi.dll", lpString2="RECYCLER") returned 1 [0071.459] lstrcmpiW (lpString1="SetupUi.dll", lpString2="BOOTSECT.BAK") returned 1 [0071.459] lstrcmpiW (lpString1="SetupUi.dll", lpString2="bootmgr") returned 1 [0071.459] lstrcmpiW (lpString1="SetupUi.dll", lpString2="programdata") returned 1 [0071.459] lstrcmpiW (lpString1="SetupUi.dll", lpString2="appdata") returned 1 [0071.459] lstrcmpiW (lpString1="SetupUi.dll", lpString2="program files") returned 1 [0071.459] lstrcmpiW (lpString1="SetupUi.dll", lpString2="program files (x86)") returned 1 [0071.459] lstrcmpiW (lpString1="SetupUi.dll", lpString2="microsoft") returned 1 [0071.459] lstrcmpiW (lpString1="SetupUi.dll", lpString2="sophos") returned -1 [0071.459] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26813d0 [0071.459] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681378 | out: hHeap=0x2680000) returned 1 [0071.459] PathFindExtensionW (pszPath="SetupUi.dll") returned=".dll" [0071.459] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0071.459] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0071.459] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0071.459] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0071.459] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0071.460] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0071.460] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0071.460] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0071.460] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5381000, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x5381000, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x5381000, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x75a8, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="SetupUi.xsd", cAlternateFileName="")) returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2=".") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="..") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="...") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="windows") returned -1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="$RECYCLE.BIN") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="rsa") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="NTDETECT.COM") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="ntldr") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="MSDOS.SYS") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="IO.SYS") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="boot.ini") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="AUTOEXEC.BAT") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="ntuser.dat") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="desktop.ini") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="CONFIG.SYS") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="RECYCLER") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="BOOTSECT.BAK") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="bootmgr") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="programdata") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="appdata") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="program files") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="program files (x86)") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="microsoft") returned 1 [0071.460] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="sophos") returned -1 [0071.460] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681330 [0071.460] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813d0 | out: hHeap=0x2680000) returned 1 [0071.460] PathFindExtensionW (pszPath="SetupUi.xsd") returned=".xsd" [0071.460] lstrcmpiW (lpString1=".xsd", lpString2=".exe") returned 1 [0071.460] lstrcmpiW (lpString1=".xsd", lpString2=".log") returned 1 [0071.460] lstrcmpiW (lpString1=".xsd", lpString2=".cab") returned 1 [0071.460] lstrcmpiW (lpString1=".xsd", lpString2=".cmd") returned 1 [0071.460] lstrcmpiW (lpString1=".xsd", lpString2=".com") returned 1 [0071.461] lstrcmpiW (lpString1=".xsd", lpString2=".cpl") returned 1 [0071.461] lstrcmpiW (lpString1=".xsd", lpString2=".ini") returned 1 [0071.461] lstrcmpiW (lpString1=".xsd", lpString2=".dll") returned 1 [0071.461] lstrcmpiW (lpString1=".xsd", lpString2=".url") returned 1 [0071.461] lstrcmpiW (lpString1=".xsd", lpString2=".ttf") returned 1 [0071.461] lstrcmpiW (lpString1=".xsd", lpString2=".mp3") returned 1 [0071.461] lstrcmpiW (lpString1=".xsd", lpString2=".pif") returned 1 [0071.461] lstrcmpiW (lpString1=".xsd", lpString2=".mp4") returned 1 [0071.461] lstrcmpiW (lpString1=".xsd", lpString2=".NEFILIM") returned 1 [0071.461] lstrcmpiW (lpString1=".xsd", lpString2=".msi") returned 1 [0071.461] lstrcmpiW (lpString1=".xsd", lpString2=".lnk") returned 1 [0071.461] lstrcmpiW (lpString1="SetupUi.xsd", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0071.461] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681388 [0071.461] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0071.461] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=30120) returned 1 [0071.461] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26813e0 [0071.461] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26813f8 [0071.461] SystemFunction036 (in: RandomBuffer=0x26813e0, RandomBufferLength=0x10 | out: RandomBuffer=0x26813e0) returned 1 [0071.461] SystemFunction036 (in: RandomBuffer=0x26813f8, RandomBufferLength=0x10 | out: RandomBuffer=0x26813f8) returned 1 [0071.461] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681410 [0071.461] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0071.461] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681410*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681410*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0071.463] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0071.465] GetTickCount () returned 0x1153351 [0071.465] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26820d0 [0071.465] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0071.465] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x75a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.465] SetLastError (dwErrCode=0x0) [0071.465] WriteFile (in: hFile=0x260, lpBuffer=0x2681410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681410*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.467] GetLastError () returned 0x0 [0071.467] GetLastError () returned 0x0 [0071.467] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x76a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.467] WriteFile (in: hFile=0x260, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.468] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x77a8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.468] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x25969295, dwHighDateTime=0x1d5f971)) [0071.468] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26820d0 [0071.468] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0071.468] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0071.468] GetProcessHeap () returned 0xbc0000 [0071.468] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x75a8) returned 0xbeb608 [0071.469] GetSystemDefaultLangID () returned 0xbd0409 [0071.469] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.469] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x75a8, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x75a8, lpOverlapped=0x0) returned 1 [0071.471] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.471] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x75a8, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x75a8, lpOverlapped=0x0) returned 1 [0071.471] GetProcessHeap () returned 0xbc0000 [0071.471] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0071.471] CloseHandle (hObject=0x260) returned 1 [0071.473] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681410 | out: hHeap=0x2680000) returned 1 [0071.473] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0071.473] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813e0 | out: hHeap=0x2680000) returned 1 [0071.473] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813f8 | out: hHeap=0x2680000) returned 1 [0071.473] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26813e0 [0071.473] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\SetupUi.xsd" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd"), lpNewFileName="C:\\588bce7c90097ed212\\SetupUi.xsd.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\setupui.xsd.nefilim")) returned 1 [0071.473] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813e0 | out: hHeap=0x2680000) returned 1 [0071.473] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681388 | out: hHeap=0x2680000) returned 1 [0071.473] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x6519be00, ftCreationTime.dwHighDateTime=0x1cac6d5, ftLastAccessTime.dwLowDateTime=0x6519be00, ftLastAccessTime.dwHighDateTime=0x1cac6d5, ftLastWriteTime.dwLowDateTime=0x6519be00, ftLastWriteTime.dwHighDateTime=0x1cac6d5, nFileSizeHigh=0x0, nFileSizeLow=0x17758, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="SetupUtility.exe", cAlternateFileName="SETUPU~1.EXE")) returned 1 [0071.473] lstrcmpiW (lpString1="SetupUtility.exe", lpString2=".") returned 1 [0071.473] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="..") returned 1 [0071.473] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="...") returned 1 [0071.473] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="windows") returned -1 [0071.473] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="$RECYCLE.BIN") returned 1 [0071.473] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="rsa") returned 1 [0071.473] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="NTDETECT.COM") returned 1 [0071.473] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="ntldr") returned 1 [0071.473] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="MSDOS.SYS") returned 1 [0071.473] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="IO.SYS") returned 1 [0071.474] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="boot.ini") returned 1 [0071.474] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="AUTOEXEC.BAT") returned 1 [0071.474] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="ntuser.dat") returned 1 [0071.474] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="desktop.ini") returned 1 [0071.474] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="CONFIG.SYS") returned 1 [0071.474] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="RECYCLER") returned 1 [0071.474] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="BOOTSECT.BAK") returned 1 [0071.474] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="bootmgr") returned 1 [0071.474] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="programdata") returned 1 [0071.474] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="appdata") returned 1 [0071.474] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="program files") returned 1 [0071.474] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="program files (x86)") returned 1 [0071.474] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="microsoft") returned 1 [0071.474] lstrcmpiW (lpString1="SetupUtility.exe", lpString2="sophos") returned -1 [0071.474] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681388 [0071.474] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0071.474] PathFindExtensionW (pszPath="SetupUtility.exe") returned=".exe" [0071.474] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0071.474] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0xa078, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="SplashScreen.bmp", cAlternateFileName="SPLASH~1.BMP")) returned 1 [0071.474] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2=".") returned 1 [0071.474] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="..") returned 1 [0071.474] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="...") returned 1 [0071.474] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="windows") returned -1 [0071.474] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="$RECYCLE.BIN") returned 1 [0071.474] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="rsa") returned 1 [0071.474] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="NTDETECT.COM") returned 1 [0071.474] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="ntldr") returned 1 [0071.474] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="MSDOS.SYS") returned 1 [0071.474] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="IO.SYS") returned 1 [0071.474] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="boot.ini") returned 1 [0071.474] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0071.474] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="ntuser.dat") returned 1 [0071.475] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="desktop.ini") returned 1 [0071.475] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="CONFIG.SYS") returned 1 [0071.475] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="RECYCLER") returned 1 [0071.475] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="BOOTSECT.BAK") returned 1 [0071.475] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="bootmgr") returned 1 [0071.475] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="programdata") returned 1 [0071.475] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="appdata") returned 1 [0071.475] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="program files") returned 1 [0071.475] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="program files (x86)") returned 1 [0071.475] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="microsoft") returned 1 [0071.475] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="sophos") returned 1 [0071.475] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681330 [0071.475] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681388 | out: hHeap=0x2680000) returned 1 [0071.475] PathFindExtensionW (pszPath="SplashScreen.bmp") returned=".bmp" [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0071.475] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0071.475] lstrcmpiW (lpString1="SplashScreen.bmp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0071.475] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681388 [0071.475] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0071.476] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=41080) returned 1 [0071.476] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26813e0 [0071.476] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26813f8 [0071.476] SystemFunction036 (in: RandomBuffer=0x26813e0, RandomBufferLength=0x10 | out: RandomBuffer=0x26813e0) returned 1 [0071.476] SystemFunction036 (in: RandomBuffer=0x26813f8, RandomBufferLength=0x10 | out: RandomBuffer=0x26813f8) returned 1 [0071.476] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681410 [0071.476] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0071.476] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681410*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681410*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0071.477] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0071.479] GetTickCount () returned 0x1153361 [0071.479] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26820d0 [0071.479] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0071.479] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa078, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.479] SetLastError (dwErrCode=0x0) [0071.479] WriteFile (in: hFile=0x260, lpBuffer=0x2681410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681410*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.480] GetLastError () returned 0x0 [0071.480] GetLastError () returned 0x0 [0071.480] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa178, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.480] WriteFile (in: hFile=0x260, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.481] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0xa278, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.481] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2598f6fa, dwHighDateTime=0x1d5f971)) [0071.481] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26820d0 [0071.481] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0071.481] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0071.481] GetProcessHeap () returned 0xbc0000 [0071.481] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xa078) returned 0xbeb608 [0071.482] GetSystemDefaultLangID () returned 0xbd0409 [0071.482] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.482] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0xa078, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0xa078, lpOverlapped=0x0) returned 1 [0071.484] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.484] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0xa078, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0xa078, lpOverlapped=0x0) returned 1 [0071.485] GetProcessHeap () returned 0xbc0000 [0071.485] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0071.485] CloseHandle (hObject=0x260) returned 1 [0071.513] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681410 | out: hHeap=0x2680000) returned 1 [0071.513] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0071.513] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813e0 | out: hHeap=0x2680000) returned 1 [0071.513] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813f8 | out: hHeap=0x2680000) returned 1 [0071.513] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26813e0 [0071.513] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp"), lpNewFileName="C:\\588bce7c90097ed212\\SplashScreen.bmp.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\splashscreen.bmp.nefilim")) returned 1 [0071.514] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813e0 | out: hHeap=0x2680000) returned 1 [0071.514] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681388 | out: hHeap=0x2680000) returned 1 [0071.514] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x143bc400, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0x143bc400, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0x143bc400, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x23420, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="sqmapi.dll", cAlternateFileName="")) returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2=".") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="..") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="...") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="windows") returned -1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="$RECYCLE.BIN") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="rsa") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="NTDETECT.COM") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="ntldr") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="MSDOS.SYS") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="IO.SYS") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="boot.ini") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="AUTOEXEC.BAT") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="ntuser.dat") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="desktop.ini") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="CONFIG.SYS") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="RECYCLER") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="BOOTSECT.BAK") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="bootmgr") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="programdata") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="appdata") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="program files") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="program files (x86)") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="microsoft") returned 1 [0071.514] lstrcmpiW (lpString1="sqmapi.dll", lpString2="sophos") returned 1 [0071.514] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681388 [0071.514] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0071.514] PathFindExtensionW (pszPath="sqmapi.dll") returned=".dll" [0071.514] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0071.514] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0071.515] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0071.515] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0071.515] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0071.515] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0071.515] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0071.515] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0071.515] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xce333000, ftCreationTime.dwHighDateTime=0x1ca2a28, ftLastAccessTime.dwLowDateTime=0xce333000, ftLastAccessTime.dwHighDateTime=0x1ca2a28, ftLastWriteTime.dwLowDateTime=0xce333000, ftLastWriteTime.dwHighDateTime=0x1ca2a28, nFileSizeHigh=0x0, nFileSizeLow=0x3704, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="Strings.xml", cAlternateFileName="")) returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2=".") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="..") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="...") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="windows") returned -1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="$RECYCLE.BIN") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="rsa") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="NTDETECT.COM") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="ntldr") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="MSDOS.SYS") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="IO.SYS") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="boot.ini") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="AUTOEXEC.BAT") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="ntuser.dat") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="desktop.ini") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="CONFIG.SYS") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="RECYCLER") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="BOOTSECT.BAK") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="bootmgr") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="programdata") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="appdata") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="program files") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="program files (x86)") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="microsoft") returned 1 [0071.515] lstrcmpiW (lpString1="Strings.xml", lpString2="sophos") returned 1 [0071.515] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681330 [0071.515] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681388 | out: hHeap=0x2680000) returned 1 [0071.515] PathFindExtensionW (pszPath="Strings.xml") returned=".xml" [0071.515] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0071.515] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0071.516] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0071.516] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0071.516] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0071.516] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0071.516] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0071.516] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0071.516] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0071.516] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0071.516] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0071.516] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0071.516] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0071.516] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0071.516] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0071.516] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0071.516] lstrcmpiW (lpString1="Strings.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0071.516] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681388 [0071.516] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0071.516] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=14084) returned 1 [0071.516] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26813e0 [0071.516] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26813f8 [0071.516] SystemFunction036 (in: RandomBuffer=0x26813e0, RandomBufferLength=0x10 | out: RandomBuffer=0x26813e0) returned 1 [0071.516] SystemFunction036 (in: RandomBuffer=0x26813f8, RandomBufferLength=0x10 | out: RandomBuffer=0x26813f8) returned 1 [0071.516] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681410 [0071.516] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0071.516] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681410*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681410*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0071.517] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0071.519] GetTickCount () returned 0x1153380 [0071.519] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26820d0 [0071.519] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0071.519] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3704, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.519] SetLastError (dwErrCode=0x0) [0071.520] WriteFile (in: hFile=0x260, lpBuffer=0x2681410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681410*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.522] GetLastError () returned 0x0 [0071.522] GetLastError () returned 0x0 [0071.522] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3804, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.522] WriteFile (in: hFile=0x260, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.522] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3904, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.522] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x25a01ac4, dwHighDateTime=0x1d5f971)) [0071.522] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26820d0 [0071.522] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0071.522] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0071.522] GetProcessHeap () returned 0xbc0000 [0071.522] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3704) returned 0xbeb608 [0071.523] GetSystemDefaultLangID () returned 0xbd0409 [0071.523] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.523] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x3704, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x3704, lpOverlapped=0x0) returned 1 [0071.525] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.525] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x3704, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x3704, lpOverlapped=0x0) returned 1 [0071.525] GetProcessHeap () returned 0xbc0000 [0071.525] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0071.525] CloseHandle (hObject=0x260) returned 1 [0071.526] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681410 | out: hHeap=0x2680000) returned 1 [0071.526] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0071.526] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813e0 | out: hHeap=0x2680000) returned 1 [0071.526] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813f8 | out: hHeap=0x2680000) returned 1 [0071.526] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26813e0 [0071.526] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Strings.xml" (normalized: "c:\\588bce7c90097ed212\\strings.xml"), lpNewFileName="C:\\588bce7c90097ed212\\Strings.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\strings.xml.nefilim")) returned 1 [0071.527] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813e0 | out: hHeap=0x2680000) returned 1 [0071.527] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681388 | out: hHeap=0x2680000) returned 1 [0071.527] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x79a6a00, ftCreationTime.dwHighDateTime=0x1ca5de3, ftLastAccessTime.dwLowDateTime=0x79a6a00, ftLastAccessTime.dwHighDateTime=0x1ca5de3, ftLastWriteTime.dwLowDateTime=0x79a6a00, ftLastWriteTime.dwHighDateTime=0x1ca5de3, nFileSizeHigh=0x0, nFileSizeLow=0x97f2, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="UiInfo.xml", cAlternateFileName="")) returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2=".") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="..") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="...") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="windows") returned -1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="$RECYCLE.BIN") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="rsa") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="NTDETECT.COM") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="ntldr") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="MSDOS.SYS") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="IO.SYS") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="boot.ini") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="AUTOEXEC.BAT") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="ntuser.dat") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="desktop.ini") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="CONFIG.SYS") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="RECYCLER") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="BOOTSECT.BAK") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="bootmgr") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="programdata") returned 1 [0071.527] lstrcmpiW (lpString1="UiInfo.xml", lpString2="appdata") returned 1 [0071.528] lstrcmpiW (lpString1="UiInfo.xml", lpString2="program files") returned 1 [0071.528] lstrcmpiW (lpString1="UiInfo.xml", lpString2="program files (x86)") returned 1 [0071.528] lstrcmpiW (lpString1="UiInfo.xml", lpString2="microsoft") returned 1 [0071.528] lstrcmpiW (lpString1="UiInfo.xml", lpString2="sophos") returned 1 [0071.528] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681388 [0071.528] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0071.528] PathFindExtensionW (pszPath="UiInfo.xml") returned=".xml" [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0071.528] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0071.528] lstrcmpiW (lpString1="UiInfo.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0071.528] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681330 [0071.528] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0071.528] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=38898) returned 1 [0071.528] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26813e0 [0071.528] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26813f8 [0071.528] SystemFunction036 (in: RandomBuffer=0x26813e0, RandomBufferLength=0x10 | out: RandomBuffer=0x26813e0) returned 1 [0071.529] SystemFunction036 (in: RandomBuffer=0x26813f8, RandomBufferLength=0x10 | out: RandomBuffer=0x26813f8) returned 1 [0071.529] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681410 [0071.529] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0071.529] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681410*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681410*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0071.530] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0071.532] GetTickCount () returned 0x115338f [0071.532] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26820d0 [0071.532] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0071.532] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x97f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.532] SetLastError (dwErrCode=0x0) [0071.532] WriteFile (in: hFile=0x260, lpBuffer=0x2681410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681410*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.533] GetLastError () returned 0x0 [0071.533] GetLastError () returned 0x0 [0071.533] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x98f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.534] WriteFile (in: hFile=0x260, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.534] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x99f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.534] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x25a01ac4, dwHighDateTime=0x1d5f971)) [0071.534] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26820d0 [0071.534] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0071.534] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0071.534] GetProcessHeap () returned 0xbc0000 [0071.534] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x97f2) returned 0xbeb608 [0071.535] GetSystemDefaultLangID () returned 0xbd0409 [0071.535] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.535] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x97f2, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x97f2, lpOverlapped=0x0) returned 1 [0071.538] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.538] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x97f2, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x97f2, lpOverlapped=0x0) returned 1 [0071.538] GetProcessHeap () returned 0xbc0000 [0071.538] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0071.538] CloseHandle (hObject=0x260) returned 1 [0071.539] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681410 | out: hHeap=0x2680000) returned 1 [0071.539] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0071.539] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813e0 | out: hHeap=0x2680000) returned 1 [0071.539] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813f8 | out: hHeap=0x2680000) returned 1 [0071.539] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26813e0 [0071.539] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\UiInfo.xml" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml"), lpNewFileName="C:\\588bce7c90097ed212\\UiInfo.xml.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\uiinfo.xml.nefilim")) returned 1 [0071.540] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813e0 | out: hHeap=0x2680000) returned 1 [0071.540] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0071.540] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x87910600, ftCreationTime.dwHighDateTime=0x1ca2a27, ftLastAccessTime.dwLowDateTime=0x87910600, ftLastAccessTime.dwHighDateTime=0x1ca2a27, ftLastWriteTime.dwLowDateTime=0x87910600, ftLastWriteTime.dwHighDateTime=0x1ca2a27, nFileSizeHigh=0x0, nFileSizeLow=0x19688, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="watermark.bmp", cAlternateFileName="WATERM~1.BMP")) returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2=".") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="..") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="...") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="windows") returned -1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="$RECYCLE.BIN") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="rsa") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="NTDETECT.COM") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="ntldr") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="MSDOS.SYS") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="IO.SYS") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="boot.ini") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="ntuser.dat") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="desktop.ini") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="CONFIG.SYS") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="RECYCLER") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="BOOTSECT.BAK") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="bootmgr") returned 1 [0071.540] lstrcmpiW (lpString1="watermark.bmp", lpString2="programdata") returned 1 [0071.541] lstrcmpiW (lpString1="watermark.bmp", lpString2="appdata") returned 1 [0071.541] lstrcmpiW (lpString1="watermark.bmp", lpString2="program files") returned 1 [0071.541] lstrcmpiW (lpString1="watermark.bmp", lpString2="program files (x86)") returned 1 [0071.541] lstrcmpiW (lpString1="watermark.bmp", lpString2="microsoft") returned 1 [0071.541] lstrcmpiW (lpString1="watermark.bmp", lpString2="sophos") returned 1 [0071.541] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681330 [0071.541] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681388 | out: hHeap=0x2680000) returned 1 [0071.541] PathFindExtensionW (pszPath="watermark.bmp") returned=".bmp" [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0071.541] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0071.541] lstrcmpiW (lpString1="watermark.bmp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0071.541] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681388 [0071.541] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0071.541] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=104072) returned 1 [0071.541] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26813e0 [0071.541] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26813f8 [0071.541] SystemFunction036 (in: RandomBuffer=0x26813e0, RandomBufferLength=0x10 | out: RandomBuffer=0x26813e0) returned 1 [0071.541] SystemFunction036 (in: RandomBuffer=0x26813f8, RandomBufferLength=0x10 | out: RandomBuffer=0x26813f8) returned 1 [0071.541] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681410 [0071.542] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0071.542] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681410*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681410*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0071.543] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0071.545] GetTickCount () returned 0x115339f [0071.545] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26820d0 [0071.545] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0071.545] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x19688, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.545] SetLastError (dwErrCode=0x0) [0071.545] WriteFile (in: hFile=0x260, lpBuffer=0x2681410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681410*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.546] GetLastError () returned 0x0 [0071.546] GetLastError () returned 0x0 [0071.546] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x19788, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.546] WriteFile (in: hFile=0x260, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.547] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x19888, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.547] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x25a27dbe, dwHighDateTime=0x1d5f971)) [0071.547] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26820d0 [0071.547] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0071.547] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0071.547] GetProcessHeap () returned 0xbc0000 [0071.547] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x19688) returned 0xbeb608 [0071.548] GetSystemDefaultLangID () returned 0xbd0409 [0071.548] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.548] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x19688, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x19688, lpOverlapped=0x0) returned 1 [0071.556] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.556] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x19688, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x19688, lpOverlapped=0x0) returned 1 [0071.556] GetProcessHeap () returned 0xbc0000 [0071.556] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0071.556] CloseHandle (hObject=0x260) returned 1 [0071.559] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681410 | out: hHeap=0x2680000) returned 1 [0071.559] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0071.559] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813e0 | out: hHeap=0x2680000) returned 1 [0071.559] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813f8 | out: hHeap=0x2680000) returned 1 [0071.559] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26813e0 [0071.559] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\watermark.bmp" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp"), lpNewFileName="C:\\588bce7c90097ed212\\watermark.bmp.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\watermark.bmp.nefilim")) returned 1 [0071.559] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813e0 | out: hHeap=0x2680000) returned 1 [0071.559] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681388 | out: hHeap=0x2680000) returned 1 [0071.559] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x2120bc00, ftCreationTime.dwHighDateTime=0x1cac6c9, ftLastAccessTime.dwLowDateTime=0x2120bc00, ftLastAccessTime.dwHighDateTime=0x1cac6c9, ftLastWriteTime.dwLowDateTime=0x2120bc00, ftLastWriteTime.dwHighDateTime=0x1cac6c9, nFileSizeHigh=0x0, nFileSizeLow=0x4f5113, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="Windows6.0-KB956250-v6001-x64.msu", cAlternateFileName="WINDOW~1.MSU")) returned 1 [0071.559] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2=".") returned 1 [0071.559] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="..") returned 1 [0071.559] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="...") returned 1 [0071.559] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="windows") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="$RECYCLE.BIN") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="rsa") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="NTDETECT.COM") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="ntldr") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="MSDOS.SYS") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="IO.SYS") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="boot.ini") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="AUTOEXEC.BAT") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="ntuser.dat") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="desktop.ini") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="CONFIG.SYS") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="RECYCLER") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="BOOTSECT.BAK") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="bootmgr") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="programdata") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="appdata") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="program files") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="program files (x86)") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="microsoft") returned 1 [0071.560] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="sophos") returned 1 [0071.560] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681388 [0071.560] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0071.560] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x64.msu") returned=".msu" [0071.560] lstrcmpiW (lpString1=".msu", lpString2=".exe") returned 1 [0071.560] lstrcmpiW (lpString1=".msu", lpString2=".log") returned 1 [0071.560] lstrcmpiW (lpString1=".msu", lpString2=".cab") returned 1 [0071.560] lstrcmpiW (lpString1=".msu", lpString2=".cmd") returned 1 [0071.560] lstrcmpiW (lpString1=".msu", lpString2=".com") returned 1 [0071.560] lstrcmpiW (lpString1=".msu", lpString2=".cpl") returned 1 [0071.560] lstrcmpiW (lpString1=".msu", lpString2=".ini") returned 1 [0071.560] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0071.560] lstrcmpiW (lpString1=".msu", lpString2=".url") returned -1 [0071.560] lstrcmpiW (lpString1=".msu", lpString2=".ttf") returned -1 [0071.560] lstrcmpiW (lpString1=".msu", lpString2=".mp3") returned 1 [0071.560] lstrcmpiW (lpString1=".msu", lpString2=".pif") returned -1 [0071.560] lstrcmpiW (lpString1=".msu", lpString2=".mp4") returned 1 [0071.560] lstrcmpiW (lpString1=".msu", lpString2=".NEFILIM") returned -1 [0071.561] lstrcmpiW (lpString1=".msu", lpString2=".msi") returned 1 [0071.561] lstrcmpiW (lpString1=".msu", lpString2=".lnk") returned 1 [0071.561] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x64.msu", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0071.561] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681400 [0071.561] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0071.561] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=5198099) returned 1 [0071.561] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681330 [0071.561] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681348 [0071.561] SystemFunction036 (in: RandomBuffer=0x2681330, RandomBufferLength=0x10 | out: RandomBuffer=0x2681330) returned 1 [0071.561] SystemFunction036 (in: RandomBuffer=0x2681348, RandomBufferLength=0x10 | out: RandomBuffer=0x2681348) returned 1 [0071.561] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0071.561] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0071.561] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0071.563] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0071.565] GetTickCount () returned 0x11533af [0071.565] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681478 [0071.565] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0071.565] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4f5113, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.565] SetLastError (dwErrCode=0x0) [0071.565] WriteFile (in: hFile=0x260, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.567] GetLastError () returned 0x0 [0071.567] GetLastError () returned 0x0 [0071.567] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4f5213, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.567] WriteFile (in: hFile=0x260, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.567] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4f5313, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.567] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x25a4e247, dwHighDateTime=0x1d5f971)) [0071.567] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681478 [0071.567] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0071.567] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0071.567] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x927c0) returned 0x25c3020 [0071.569] GetCurrentProcess () returned 0xffffffff [0071.569] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.569] ReadFile (in: hFile=0x260, lpBuffer=0x25c3020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0x25c3020*, lpNumberOfBytesRead=0x25bf15c*=0x927c0, lpOverlapped=0x0) returned 1 [0071.693] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.693] WriteFile (in: hFile=0x260, lpBuffer=0x25c3020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x25c3020*, lpNumberOfBytesWritten=0x25bf150*=0x927c0, lpOverlapped=0x0) returned 1 [0071.695] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x25c3020 | out: hHeap=0x2680000) returned 1 [0071.698] CloseHandle (hObject=0x260) returned 1 [0071.964] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0071.964] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0071.964] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0071.964] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681348 | out: hHeap=0x2680000) returned 1 [0071.964] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681478 [0071.964] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x64.msu.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x64.msu.nefilim")) returned 1 [0071.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0071.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681400 | out: hHeap=0x2680000) returned 1 [0071.965] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x1bbe7400, ftCreationTime.dwHighDateTime=0x1cac6bf, ftLastAccessTime.dwLowDateTime=0x1bbe7400, ftLastAccessTime.dwHighDateTime=0x1cac6bf, ftLastWriteTime.dwLowDateTime=0x1bbe7400, ftLastWriteTime.dwHighDateTime=0x1cac6bf, nFileSizeHigh=0x0, nFileSizeLow=0x217520, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="Windows6.0-KB956250-v6001-x86.msu", cAlternateFileName="WINDOW~2.MSU")) returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2=".") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="..") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="...") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="windows") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="$RECYCLE.BIN") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="rsa") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="NTDETECT.COM") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="ntldr") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="MSDOS.SYS") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="IO.SYS") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="boot.ini") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="AUTOEXEC.BAT") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="ntuser.dat") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="desktop.ini") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="CONFIG.SYS") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="RECYCLER") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="BOOTSECT.BAK") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="bootmgr") returned 1 [0071.965] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="programdata") returned 1 [0071.966] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="appdata") returned 1 [0071.966] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="program files") returned 1 [0071.966] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="program files (x86)") returned 1 [0071.966] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="microsoft") returned 1 [0071.966] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="sophos") returned 1 [0071.966] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681400 [0071.966] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681388 | out: hHeap=0x2680000) returned 1 [0071.966] PathFindExtensionW (pszPath="Windows6.0-KB956250-v6001-x86.msu") returned=".msu" [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".exe") returned 1 [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".log") returned 1 [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".cab") returned 1 [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".cmd") returned 1 [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".com") returned 1 [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".cpl") returned 1 [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".ini") returned 1 [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".url") returned -1 [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".ttf") returned -1 [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".mp3") returned 1 [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".pif") returned -1 [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".mp4") returned 1 [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".NEFILIM") returned -1 [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".msi") returned 1 [0071.966] lstrcmpiW (lpString1=".msu", lpString2=".lnk") returned 1 [0071.966] lstrcmpiW (lpString1="Windows6.0-KB956250-v6001-x86.msu", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0071.966] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681478 [0071.966] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0071.966] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=2192672) returned 1 [0071.966] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814f0 [0071.967] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681508 [0071.967] SystemFunction036 (in: RandomBuffer=0x26814f0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814f0) returned 1 [0071.967] SystemFunction036 (in: RandomBuffer=0x2681508, RandomBufferLength=0x10 | out: RandomBuffer=0x2681508) returned 1 [0071.967] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0071.967] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0071.967] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0071.969] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0071.971] GetTickCount () returned 0x1153545 [0071.971] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681330 [0071.971] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0071.971] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x217520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.971] SetLastError (dwErrCode=0x0) [0071.971] WriteFile (in: hFile=0x260, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.973] GetLastError () returned 0x0 [0071.973] GetLastError () returned 0x0 [0071.973] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x217620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.973] WriteFile (in: hFile=0x260, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0071.973] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x217720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.973] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x25e2df6b, dwHighDateTime=0x1d5f971)) [0071.973] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681330 [0071.973] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0071.973] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0071.973] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x927c0) returned 0x25c5020 [0071.975] GetCurrentProcess () returned 0xffffffff [0071.975] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0071.975] ReadFile (in: hFile=0x260, lpBuffer=0x25c5020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0x25c5020*, lpNumberOfBytesRead=0x25bf15c*=0x927c0, lpOverlapped=0x0) returned 1 [0072.020] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.020] WriteFile (in: hFile=0x260, lpBuffer=0x25c5020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x25c5020*, lpNumberOfBytesWritten=0x25bf150*=0x927c0, lpOverlapped=0x0) returned 1 [0072.054] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x25c5020 | out: hHeap=0x2680000) returned 1 [0072.057] CloseHandle (hObject=0x260) returned 1 [0072.159] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0072.159] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0072.159] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f0 | out: hHeap=0x2680000) returned 1 [0072.159] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681508 | out: hHeap=0x2680000) returned 1 [0072.159] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681330 [0072.159] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.0-KB956250-v6001-x86.msu.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\windows6.0-kb956250-v6001-x86.msu.nefilim")) returned 1 [0072.160] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0072.160] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0072.160] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0x5b8e5700, ftCreationTime.dwHighDateTime=0x1cac6d1, ftLastAccessTime.dwLowDateTime=0x5b8e5700, ftLastAccessTime.dwHighDateTime=0x1cac6d1, ftLastWriteTime.dwLowDateTime=0x5b8e5700, ftLastWriteTime.dwHighDateTime=0x1cac6d1, nFileSizeHigh=0x0, nFileSizeLow=0x4db1ce, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="Windows6.1-KB958488-v6001-x64.msu", cAlternateFileName="WINDOW~3.MSU")) returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2=".") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="..") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="...") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="windows") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="$RECYCLE.BIN") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="rsa") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="NTDETECT.COM") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="ntldr") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="MSDOS.SYS") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="IO.SYS") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="boot.ini") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="AUTOEXEC.BAT") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="ntuser.dat") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="desktop.ini") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="CONFIG.SYS") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="RECYCLER") returned 1 [0072.160] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="BOOTSECT.BAK") returned 1 [0072.161] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="bootmgr") returned 1 [0072.161] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="programdata") returned 1 [0072.161] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="appdata") returned 1 [0072.161] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="program files") returned 1 [0072.161] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="program files (x86)") returned 1 [0072.161] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="microsoft") returned 1 [0072.161] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="sophos") returned 1 [0072.161] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681478 [0072.161] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681400 | out: hHeap=0x2680000) returned 1 [0072.161] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x64.msu") returned=".msu" [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".exe") returned 1 [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".log") returned 1 [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".cab") returned 1 [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".cmd") returned 1 [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".com") returned 1 [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".cpl") returned 1 [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".ini") returned 1 [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".url") returned -1 [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".ttf") returned -1 [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".mp3") returned 1 [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".pif") returned -1 [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".mp4") returned 1 [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".NEFILIM") returned -1 [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".msi") returned 1 [0072.161] lstrcmpiW (lpString1=".msu", lpString2=".lnk") returned 1 [0072.161] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x64.msu", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0072.161] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681330 [0072.161] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0072.161] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=5091790) returned 1 [0072.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814f0 [0072.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681508 [0072.162] SystemFunction036 (in: RandomBuffer=0x26814f0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814f0) returned 1 [0072.162] SystemFunction036 (in: RandomBuffer=0x2681508, RandomBufferLength=0x10 | out: RandomBuffer=0x2681508) returned 1 [0072.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0072.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0072.162] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0072.164] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0072.166] GetTickCount () returned 0x1153610 [0072.166] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26813a8 [0072.166] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813a8 | out: hHeap=0x2680000) returned 1 [0072.166] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4db1ce, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.166] SetLastError (dwErrCode=0x0) [0072.166] WriteFile (in: hFile=0x260, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0072.168] GetLastError () returned 0x0 [0072.168] GetLastError () returned 0x0 [0072.168] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4db2ce, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.168] WriteFile (in: hFile=0x260, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0072.169] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4db3ce, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.169] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2601de28, dwHighDateTime=0x1d5f971)) [0072.169] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26813a8 [0072.169] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813a8 | out: hHeap=0x2680000) returned 1 [0072.169] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0072.169] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x927c0) returned 0x25c1020 [0072.170] GetCurrentProcess () returned 0xffffffff [0072.170] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.170] ReadFile (in: hFile=0x260, lpBuffer=0x25c1020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0x25c1020*, lpNumberOfBytesRead=0x25bf15c*=0x927c0, lpOverlapped=0x0) returned 1 [0072.255] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.255] WriteFile (in: hFile=0x260, lpBuffer=0x25c1020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x25c1020*, lpNumberOfBytesWritten=0x25bf150*=0x927c0, lpOverlapped=0x0) returned 1 [0072.257] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x25c1020 | out: hHeap=0x2680000) returned 1 [0072.260] CloseHandle (hObject=0x260) returned 1 [0072.668] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0072.668] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0072.668] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814f0 | out: hHeap=0x2680000) returned 1 [0072.668] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681508 | out: hHeap=0x2680000) returned 1 [0072.668] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26813a8 [0072.668] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x64.msu.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x64.msu.nefilim")) returned 1 [0072.668] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813a8 | out: hHeap=0x2680000) returned 1 [0072.668] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0072.668] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 1 [0072.668] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2=".") returned 1 [0072.668] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="..") returned 1 [0072.668] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="...") returned 1 [0072.668] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="windows") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="$RECYCLE.BIN") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="rsa") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="NTDETECT.COM") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="ntldr") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="MSDOS.SYS") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="IO.SYS") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="boot.ini") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="AUTOEXEC.BAT") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="ntuser.dat") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="desktop.ini") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="CONFIG.SYS") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="RECYCLER") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="BOOTSECT.BAK") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="bootmgr") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="programdata") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="appdata") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="program files") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="program files (x86)") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="microsoft") returned 1 [0072.669] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="sophos") returned 1 [0072.669] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681330 [0072.669] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0072.669] PathFindExtensionW (pszPath="Windows6.1-KB958488-v6001-x86.msu") returned=".msu" [0072.669] lstrcmpiW (lpString1=".msu", lpString2=".exe") returned 1 [0072.669] lstrcmpiW (lpString1=".msu", lpString2=".log") returned 1 [0072.669] lstrcmpiW (lpString1=".msu", lpString2=".cab") returned 1 [0072.669] lstrcmpiW (lpString1=".msu", lpString2=".cmd") returned 1 [0072.669] lstrcmpiW (lpString1=".msu", lpString2=".com") returned 1 [0072.669] lstrcmpiW (lpString1=".msu", lpString2=".cpl") returned 1 [0072.669] lstrcmpiW (lpString1=".msu", lpString2=".ini") returned 1 [0072.669] lstrcmpiW (lpString1=".msu", lpString2=".dll") returned 1 [0072.669] lstrcmpiW (lpString1=".msu", lpString2=".url") returned -1 [0072.669] lstrcmpiW (lpString1=".msu", lpString2=".ttf") returned -1 [0072.669] lstrcmpiW (lpString1=".msu", lpString2=".mp3") returned 1 [0072.669] lstrcmpiW (lpString1=".msu", lpString2=".pif") returned -1 [0072.670] lstrcmpiW (lpString1=".msu", lpString2=".mp4") returned 1 [0072.670] lstrcmpiW (lpString1=".msu", lpString2=".NEFILIM") returned -1 [0072.670] lstrcmpiW (lpString1=".msu", lpString2=".msi") returned 1 [0072.670] lstrcmpiW (lpString1=".msu", lpString2=".lnk") returned 1 [0072.670] lstrcmpiW (lpString1="Windows6.1-KB958488-v6001-x86.msu", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0072.670] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26813a8 [0072.670] CreateFileW (lpFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0072.670] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=2141433) returned 1 [0072.670] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681420 [0072.670] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681438 [0072.670] SystemFunction036 (in: RandomBuffer=0x2681420, RandomBufferLength=0x10 | out: RandomBuffer=0x2681420) returned 1 [0072.670] SystemFunction036 (in: RandomBuffer=0x2681438, RandomBufferLength=0x10 | out: RandomBuffer=0x2681438) returned 1 [0072.670] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0072.670] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0072.670] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0072.672] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0072.674] GetTickCount () returned 0x1153804 [0072.674] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681450 [0072.674] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0072.674] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x20acf9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.674] SetLastError (dwErrCode=0x0) [0072.674] WriteFile (in: hFile=0x260, lpBuffer=0x2681fc8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fc8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0072.676] GetLastError () returned 0x0 [0072.676] GetLastError () returned 0x0 [0072.676] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x20adf9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.676] WriteFile (in: hFile=0x260, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0072.676] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x20aef9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.676] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x264e2755, dwHighDateTime=0x1d5f971)) [0072.676] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681450 [0072.676] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681450 | out: hHeap=0x2680000) returned 1 [0072.676] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0072.677] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x927c0) returned 0x25c7020 [0072.678] GetCurrentProcess () returned 0xffffffff [0072.678] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.679] ReadFile (in: hFile=0x260, lpBuffer=0x25c7020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0x25c7020*, lpNumberOfBytesRead=0x25bf15c*=0x927c0, lpOverlapped=0x0) returned 1 [0072.756] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.756] WriteFile (in: hFile=0x260, lpBuffer=0x25c7020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x25c7020*, lpNumberOfBytesWritten=0x25bf150*=0x927c0, lpOverlapped=0x0) returned 1 [0072.758] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x25c7020 | out: hHeap=0x2680000) returned 1 [0072.761] CloseHandle (hObject=0x260) returned 1 [0072.863] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681fc8 | out: hHeap=0x2680000) returned 1 [0072.863] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0072.863] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681420 | out: hHeap=0x2680000) returned 1 [0072.863] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681438 | out: hHeap=0x2680000) returned 1 [0072.863] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681420 [0072.863] MoveFileW (lpExistingFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu"), lpNewFileName="C:\\588bce7c90097ed212\\Windows6.1-KB958488-v6001-x86.msu.NEFILIM" (normalized: "c:\\588bce7c90097ed212\\windows6.1-kb958488-v6001-x86.msu.nefilim")) returned 1 [0072.864] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681420 | out: hHeap=0x2680000) returned 1 [0072.864] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26813a8 | out: hHeap=0x2680000) returned 1 [0072.864] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xd0ac5d00, ftCreationTime.dwHighDateTime=0x1cac6ce, ftLastAccessTime.dwLowDateTime=0xd0ac5d00, ftLastAccessTime.dwHighDateTime=0x1cac6ce, ftLastWriteTime.dwLowDateTime=0xd0ac5d00, ftLastWriteTime.dwHighDateTime=0x1cac6ce, nFileSizeHigh=0x0, nFileSizeLow=0x20acf9, dwReserved0=0x26812f8, dwReserved1=0x7000000, cFileName="Windows6.1-KB958488-v6001-x86.msu", cAlternateFileName="WINDOW~4.MSU")) returned 0 [0072.864] FindClose (in: hFindFile=0xbe2948 | out: hFindFile=0xbe2948) returned 1 [0072.864] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681330 | out: hHeap=0x2680000) returned 1 [0072.864] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812b0 | out: hHeap=0x2680000) returned 1 [0072.864] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0072.864] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6fa258, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x1003f, dwReserved1=0x0, cFileName="Boot", cAlternateFileName="")) returned 1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2=".") returned 1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2="..") returned 1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2="...") returned 1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2="windows") returned -1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2="$RECYCLE.BIN") returned 1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2="rsa") returned -1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2="NTDETECT.COM") returned -1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2="ntldr") returned -1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2="MSDOS.SYS") returned -1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2="IO.SYS") returned -1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2="boot.ini") returned -1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2="AUTOEXEC.BAT") returned 1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2="ntuser.dat") returned -1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2="desktop.ini") returned -1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2="CONFIG.SYS") returned -1 [0072.864] lstrcmpiW (lpString1="Boot", lpString2="RECYCLER") returned -1 [0072.865] lstrcmpiW (lpString1="Boot", lpString2="BOOTSECT.BAK") returned -1 [0072.865] lstrcmpiW (lpString1="Boot", lpString2="bootmgr") returned -1 [0072.865] lstrcmpiW (lpString1="Boot", lpString2="programdata") returned -1 [0072.865] lstrcmpiW (lpString1="Boot", lpString2="appdata") returned 1 [0072.865] lstrcmpiW (lpString1="Boot", lpString2="program files") returned -1 [0072.865] lstrcmpiW (lpString1="Boot", lpString2="program files (x86)") returned -1 [0072.865] lstrcmpiW (lpString1="Boot", lpString2="microsoft") returned -1 [0072.865] lstrcmpiW (lpString1="Boot", lpString2="sophos") returned -1 [0072.865] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681278 [0072.865] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f8 | out: hHeap=0x2680000) returned 1 [0072.865] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812a0 [0072.865] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812c8 [0072.865] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0072.865] FindFirstFileW (in: lpFileName="C:\\Boot\\*.*", lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0072.866] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0072.866] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9d311c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef9d311c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="..", cAlternateFileName="")) returned 1 [0072.867] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0072.867] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0072.867] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x6d72d3cf, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x6d72d3cf, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0xb000, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="BCD", cAlternateFileName="")) returned 1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2=".") returned 1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="..") returned 1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="...") returned 1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="windows") returned -1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="$RECYCLE.BIN") returned 1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="rsa") returned -1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="NTDETECT.COM") returned -1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="ntldr") returned -1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="MSDOS.SYS") returned -1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="IO.SYS") returned -1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="boot.ini") returned -1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="AUTOEXEC.BAT") returned 1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="ntuser.dat") returned -1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="desktop.ini") returned -1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="CONFIG.SYS") returned -1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="RECYCLER") returned -1 [0072.867] lstrcmpiW (lpString1="BCD", lpString2="BOOTSECT.BAK") returned -1 [0072.868] lstrcmpiW (lpString1="BCD", lpString2="bootmgr") returned -1 [0072.868] lstrcmpiW (lpString1="BCD", lpString2="programdata") returned -1 [0072.868] lstrcmpiW (lpString1="BCD", lpString2="appdata") returned 1 [0072.868] lstrcmpiW (lpString1="BCD", lpString2="program files") returned -1 [0072.868] lstrcmpiW (lpString1="BCD", lpString2="program files (x86)") returned -1 [0072.868] lstrcmpiW (lpString1="BCD", lpString2="microsoft") returned -1 [0072.868] lstrcmpiW (lpString1="BCD", lpString2="sophos") returned -1 [0072.868] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681318 [0072.868] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0072.868] PathFindExtensionW (pszPath="BCD") returned="" [0072.868] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0072.868] lstrcmpiW (lpString1="", lpString2=".log") returned -1 [0072.868] lstrcmpiW (lpString1="", lpString2=".cab") returned -1 [0072.868] lstrcmpiW (lpString1="", lpString2=".cmd") returned -1 [0072.868] lstrcmpiW (lpString1="", lpString2=".com") returned -1 [0072.868] lstrcmpiW (lpString1="", lpString2=".cpl") returned -1 [0072.868] lstrcmpiW (lpString1="", lpString2=".ini") returned -1 [0072.868] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0072.868] lstrcmpiW (lpString1="", lpString2=".url") returned -1 [0072.868] lstrcmpiW (lpString1="", lpString2=".ttf") returned -1 [0072.868] lstrcmpiW (lpString1="", lpString2=".mp3") returned -1 [0072.868] lstrcmpiW (lpString1="", lpString2=".pif") returned -1 [0072.868] lstrcmpiW (lpString1="", lpString2=".mp4") returned -1 [0072.868] lstrcmpiW (lpString1="", lpString2=".NEFILIM") returned -1 [0072.868] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0072.868] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0072.868] lstrcmpiW (lpString1="BCD", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0072.868] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0072.868] CreateFileW (lpFileName="C:\\Boot\\BCD" (normalized: "c:\\boot\\bcd"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.869] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=75031468087965748) returned 0 [0072.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681340 [0072.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681358 [0072.869] SystemFunction036 (in: RandomBuffer=0x2681340, RandomBufferLength=0x10 | out: RandomBuffer=0x2681340) returned 1 [0072.869] SystemFunction036 (in: RandomBuffer=0x2681358, RandomBufferLength=0x10 | out: RandomBuffer=0x2681358) returned 1 [0072.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681370 [0072.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2681fc8 [0072.869] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681370*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2681370*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0072.871] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x2681fc8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0072.873] GetTickCount () returned 0x11538cf [0072.873] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681478 [0072.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0072.873] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0072.873] SetLastError (dwErrCode=0x0) [0072.873] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2681370, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0) returned 0 [0072.873] GetLastError () returned 0x6 [0072.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0072.874] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="BCD.LOG", cAlternateFileName="")) returned 1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2=".") returned 1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="..") returned 1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="...") returned 1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="windows") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="$RECYCLE.BIN") returned 1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="rsa") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="NTDETECT.COM") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="ntldr") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="MSDOS.SYS") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="IO.SYS") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="boot.ini") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="AUTOEXEC.BAT") returned 1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="ntuser.dat") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="desktop.ini") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="CONFIG.SYS") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="RECYCLER") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="BOOTSECT.BAK") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="bootmgr") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="programdata") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="appdata") returned 1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="program files") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="program files (x86)") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="microsoft") returned -1 [0072.874] lstrcmpiW (lpString1="BCD.LOG", lpString2="sophos") returned -1 [0072.874] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0072.874] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681318 | out: hHeap=0x2680000) returned 1 [0072.874] PathFindExtensionW (pszPath="BCD.LOG") returned=".LOG" [0072.875] lstrcmpiW (lpString1=".LOG", lpString2=".exe") returned 1 [0072.875] lstrcmpiW (lpString1=".LOG", lpString2=".log") returned 0 [0072.875] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="BCD.LOG1", cAlternateFileName="BCD~1.LOG")) returned 1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2=".") returned 1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="..") returned 1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="...") returned 1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="windows") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="$RECYCLE.BIN") returned 1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="rsa") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="NTDETECT.COM") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="ntldr") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="MSDOS.SYS") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="IO.SYS") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="boot.ini") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="AUTOEXEC.BAT") returned 1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="ntuser.dat") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="desktop.ini") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="CONFIG.SYS") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="RECYCLER") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="BOOTSECT.BAK") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="bootmgr") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="programdata") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="appdata") returned 1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="program files") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="program files (x86)") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="microsoft") returned -1 [0072.875] lstrcmpiW (lpString1="BCD.LOG1", lpString2="sophos") returned -1 [0072.875] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681478 [0072.875] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0072.875] PathFindExtensionW (pszPath="BCD.LOG1") returned=".LOG1" [0072.875] lstrcmpiW (lpString1=".LOG1", lpString2=".exe") returned 1 [0072.875] lstrcmpiW (lpString1=".LOG1", lpString2=".log") returned 1 [0072.876] lstrcmpiW (lpString1=".LOG1", lpString2=".cab") returned 1 [0072.876] lstrcmpiW (lpString1=".LOG1", lpString2=".cmd") returned 1 [0072.876] lstrcmpiW (lpString1=".LOG1", lpString2=".com") returned 1 [0072.876] lstrcmpiW (lpString1=".LOG1", lpString2=".cpl") returned 1 [0072.876] lstrcmpiW (lpString1=".LOG1", lpString2=".ini") returned 1 [0072.876] lstrcmpiW (lpString1=".LOG1", lpString2=".dll") returned 1 [0072.876] lstrcmpiW (lpString1=".LOG1", lpString2=".url") returned -1 [0072.876] lstrcmpiW (lpString1=".LOG1", lpString2=".ttf") returned -1 [0072.876] lstrcmpiW (lpString1=".LOG1", lpString2=".mp3") returned -1 [0072.876] lstrcmpiW (lpString1=".LOG1", lpString2=".pif") returned -1 [0072.876] lstrcmpiW (lpString1=".LOG1", lpString2=".mp4") returned -1 [0072.876] lstrcmpiW (lpString1=".LOG1", lpString2=".NEFILIM") returned -1 [0072.876] lstrcmpiW (lpString1=".LOG1", lpString2=".msi") returned -1 [0072.876] lstrcmpiW (lpString1=".LOG1", lpString2=".lnk") returned 1 [0072.876] lstrcmpiW (lpString1="BCD.LOG1", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0072.876] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812f0 [0072.876] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0072.876] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=0) returned 1 [0072.876] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681328 [0072.876] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814b0 [0072.876] SystemFunction036 (in: RandomBuffer=0x2681328, RandomBufferLength=0x10 | out: RandomBuffer=0x2681328) returned 1 [0072.876] SystemFunction036 (in: RandomBuffer=0x26814b0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814b0) returned 1 [0072.876] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0072.876] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26821d8 [0072.876] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0072.878] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26821d8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x26821d8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0072.880] GetTickCount () returned 0x11538cf [0072.880] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814c8 [0072.880] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814c8 | out: hHeap=0x2680000) returned 1 [0072.880] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.880] SetLastError (dwErrCode=0x0) [0072.880] WriteFile (in: hFile=0x260, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0072.966] GetLastError () returned 0x0 [0072.966] GetLastError () returned 0x0 [0072.966] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.966] WriteFile (in: hFile=0x260, lpBuffer=0x26821d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x26821d8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0072.966] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.966] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x267b7332, dwHighDateTime=0x1d5f971)) [0072.966] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814c8 [0072.966] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814c8 | out: hHeap=0x2680000) returned 1 [0072.966] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0072.966] GetProcessHeap () returned 0xbc0000 [0072.967] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x0) returned 0xbe3850 [0072.967] GetSystemDefaultLangID () returned 0xbd0409 [0072.967] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.967] ReadFile (in: hFile=0x260, lpBuffer=0xbe3850, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbe3850*, lpNumberOfBytesRead=0x25bf15c*=0x0, lpOverlapped=0x0) returned 1 [0072.967] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.967] WriteFile (in: hFile=0x260, lpBuffer=0xbe3850*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbe3850*, lpNumberOfBytesWritten=0x25bf150*=0x0, lpOverlapped=0x0) returned 1 [0072.967] GetProcessHeap () returned 0xbc0000 [0072.967] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3850 | out: hHeap=0xbc0000) returned 1 [0072.967] CloseHandle (hObject=0x260) returned 1 [0072.968] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0072.968] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0072.968] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681328 | out: hHeap=0x2680000) returned 1 [0072.968] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b0 | out: hHeap=0x2680000) returned 1 [0072.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b0 [0072.968] MoveFileW (lpExistingFileName="C:\\Boot\\BCD.LOG1" (normalized: "c:\\boot\\bcd.log1"), lpNewFileName="C:\\Boot\\BCD.LOG1.NEFILIM" (normalized: "c:\\boot\\bcd.log1.nefilim")) returned 1 [0072.968] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b0 | out: hHeap=0x2680000) returned 1 [0072.968] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0072.968] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc4c800b6, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4c800b6, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4c800b6, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="BCD.LOG2", cAlternateFileName="BCD~2.LOG")) returned 1 [0072.968] lstrcmpiW (lpString1="BCD.LOG2", lpString2=".") returned 1 [0072.968] lstrcmpiW (lpString1="BCD.LOG2", lpString2="..") returned 1 [0072.968] lstrcmpiW (lpString1="BCD.LOG2", lpString2="...") returned 1 [0072.968] lstrcmpiW (lpString1="BCD.LOG2", lpString2="windows") returned -1 [0072.968] lstrcmpiW (lpString1="BCD.LOG2", lpString2="$RECYCLE.BIN") returned 1 [0072.968] lstrcmpiW (lpString1="BCD.LOG2", lpString2="rsa") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="NTDETECT.COM") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="ntldr") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="MSDOS.SYS") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="IO.SYS") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="boot.ini") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="AUTOEXEC.BAT") returned 1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="ntuser.dat") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="desktop.ini") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="CONFIG.SYS") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="RECYCLER") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="BOOTSECT.BAK") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="bootmgr") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="programdata") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="appdata") returned 1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="program files") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="program files (x86)") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="microsoft") returned -1 [0072.969] lstrcmpiW (lpString1="BCD.LOG2", lpString2="sophos") returned -1 [0072.969] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812f0 [0072.969] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0072.969] PathFindExtensionW (pszPath="BCD.LOG2") returned=".LOG2" [0072.969] lstrcmpiW (lpString1=".LOG2", lpString2=".exe") returned 1 [0072.969] lstrcmpiW (lpString1=".LOG2", lpString2=".log") returned 1 [0072.969] lstrcmpiW (lpString1=".LOG2", lpString2=".cab") returned 1 [0072.969] lstrcmpiW (lpString1=".LOG2", lpString2=".cmd") returned 1 [0072.969] lstrcmpiW (lpString1=".LOG2", lpString2=".com") returned 1 [0072.969] lstrcmpiW (lpString1=".LOG2", lpString2=".cpl") returned 1 [0072.969] lstrcmpiW (lpString1=".LOG2", lpString2=".ini") returned 1 [0072.969] lstrcmpiW (lpString1=".LOG2", lpString2=".dll") returned 1 [0072.969] lstrcmpiW (lpString1=".LOG2", lpString2=".url") returned -1 [0072.969] lstrcmpiW (lpString1=".LOG2", lpString2=".ttf") returned -1 [0072.969] lstrcmpiW (lpString1=".LOG2", lpString2=".mp3") returned -1 [0072.969] lstrcmpiW (lpString1=".LOG2", lpString2=".pif") returned -1 [0072.970] lstrcmpiW (lpString1=".LOG2", lpString2=".mp4") returned -1 [0072.970] lstrcmpiW (lpString1=".LOG2", lpString2=".NEFILIM") returned -1 [0072.970] lstrcmpiW (lpString1=".LOG2", lpString2=".msi") returned -1 [0072.970] lstrcmpiW (lpString1=".LOG2", lpString2=".lnk") returned 1 [0072.970] lstrcmpiW (lpString1="BCD.LOG2", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0072.970] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681478 [0072.970] CreateFileW (lpFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0072.970] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=0) returned 1 [0072.970] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681328 [0072.970] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814b0 [0072.970] SystemFunction036 (in: RandomBuffer=0x2681328, RandomBufferLength=0x10 | out: RandomBuffer=0x2681328) returned 1 [0072.970] SystemFunction036 (in: RandomBuffer=0x26814b0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814b0) returned 1 [0072.970] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26820d0 [0072.970] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26821d8 [0072.970] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26820d0*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x26820d0*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0072.973] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26821d8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x26821d8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0072.975] GetTickCount () returned 0x115393d [0072.975] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814c8 [0072.975] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814c8 | out: hHeap=0x2680000) returned 1 [0072.975] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.975] SetLastError (dwErrCode=0x0) [0072.975] WriteFile (in: hFile=0x260, lpBuffer=0x26820d0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x26820d0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0072.976] GetLastError () returned 0x0 [0072.976] GetLastError () returned 0x0 [0072.976] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.976] WriteFile (in: hFile=0x260, lpBuffer=0x26821d8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x26821d8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0072.976] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.976] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x267dd72f, dwHighDateTime=0x1d5f971)) [0072.976] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814c8 [0072.976] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814c8 | out: hHeap=0x2680000) returned 1 [0072.976] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0072.976] GetProcessHeap () returned 0xbc0000 [0072.976] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x0) returned 0xbe3700 [0072.976] GetSystemDefaultLangID () returned 0xbd0409 [0072.976] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.976] ReadFile (in: hFile=0x260, lpBuffer=0xbe3700, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbe3700*, lpNumberOfBytesRead=0x25bf15c*=0x0, lpOverlapped=0x0) returned 1 [0072.976] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.976] WriteFile (in: hFile=0x260, lpBuffer=0xbe3700*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbe3700*, lpNumberOfBytesWritten=0x25bf150*=0x0, lpOverlapped=0x0) returned 1 [0072.977] GetProcessHeap () returned 0xbc0000 [0072.977] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3700 | out: hHeap=0xbc0000) returned 1 [0072.977] CloseHandle (hObject=0x260) returned 1 [0072.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0072.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26821d8 | out: hHeap=0x2680000) returned 1 [0072.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681328 | out: hHeap=0x2680000) returned 1 [0072.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b0 | out: hHeap=0x2680000) returned 1 [0072.979] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b0 [0072.979] MoveFileW (lpExistingFileName="C:\\Boot\\BCD.LOG2" (normalized: "c:\\boot\\bcd.log2"), lpNewFileName="C:\\Boot\\BCD.LOG2.NEFILIM" (normalized: "c:\\boot\\bcd.log2.nefilim")) returned 1 [0072.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b0 | out: hHeap=0x2680000) returned 1 [0072.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0072.980] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="bg-BG", cAlternateFileName="")) returned 1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2=".") returned 1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="..") returned 1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="...") returned 1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="windows") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="$RECYCLE.BIN") returned 1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="rsa") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="NTDETECT.COM") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="ntldr") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="MSDOS.SYS") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="IO.SYS") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="boot.ini") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="AUTOEXEC.BAT") returned 1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="ntuser.dat") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="desktop.ini") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="CONFIG.SYS") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="RECYCLER") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="BOOTSECT.BAK") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="bootmgr") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="programdata") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="appdata") returned 1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="program files") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="program files (x86)") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="microsoft") returned -1 [0072.980] lstrcmpiW (lpString1="bg-BG", lpString2="sophos") returned -1 [0072.980] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0072.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0072.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0072.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681318 [0072.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814a0 [0072.981] FindFirstFileW (in: lpFileName="C:\\Boot\\bg-BG\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2681478, dwReserved1=0x2000000, cFileName=".", cAlternateFileName="")) returned 0xbe2588 [0072.981] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0072.981] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47952ba, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc47bb525, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2681478, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 1 [0072.981] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0072.981] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0072.981] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x2681478, dwReserved1=0x2000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0072.981] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0072.982] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0072.982] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0072.982] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0072.982] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0072.982] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0072.982] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0072.982] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814d8 [0072.982] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814a0 | out: hHeap=0x2680000) returned 1 [0072.982] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0072.982] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0072.982] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0072.982] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26820d0 [0072.982] CreateFileW (lpFileName="C:\\Boot\\bg-BG\\bootmgr.exe.mui" (normalized: "c:\\boot\\bg-bg\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0072.983] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0072.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681520 [0072.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26814a0 [0072.983] SystemFunction036 (in: RandomBuffer=0x2681520, RandomBufferLength=0x10 | out: RandomBuffer=0x2681520) returned 1 [0072.983] SystemFunction036 (in: RandomBuffer=0x26814a0, RandomBufferLength=0x10 | out: RandomBuffer=0x26814a0) returned 1 [0072.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2682118 [0072.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2682220 [0072.983] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2682118*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2682118*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0072.984] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2682220*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2682220*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0072.984] GetTickCount () returned 0x115393d [0072.984] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0072.984] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0072.984] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0072.984] SetLastError (dwErrCode=0x0) [0072.984] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2682118, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0072.984] GetLastError () returned 0x6 [0072.985] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0072.985] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47bb525, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210bba74, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x2681478, dwReserved1=0x2000000, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0072.985] FindClose (in: hFindFile=0xbe2588 | out: hFindFile=0xbe2588) returned 1 [0072.985] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814d8 | out: hHeap=0x2680000) returned 1 [0072.985] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681318 | out: hHeap=0x2680000) returned 1 [0072.985] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0072.985] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef4e6d79, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef4e6d79, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x175a0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="bootspaces.dll", cAlternateFileName="BOOTSP~1.DLL")) returned 1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2=".") returned 1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="..") returned 1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="...") returned 1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="windows") returned -1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="$RECYCLE.BIN") returned 1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="rsa") returned -1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="NTDETECT.COM") returned -1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="ntldr") returned -1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="MSDOS.SYS") returned -1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="IO.SYS") returned -1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="boot.ini") returned 1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="AUTOEXEC.BAT") returned 1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="ntuser.dat") returned -1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="desktop.ini") returned -1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="CONFIG.SYS") returned -1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="RECYCLER") returned -1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="BOOTSECT.BAK") returned 1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="bootmgr") returned 1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="programdata") returned -1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="appdata") returned 1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="program files") returned -1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="program files (x86)") returned -1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="microsoft") returned -1 [0072.985] lstrcmpiW (lpString1="bootspaces.dll", lpString2="sophos") returned -1 [0072.985] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26820d0 [0072.986] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0072.986] PathFindExtensionW (pszPath="bootspaces.dll") returned=".dll" [0072.986] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0072.986] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0072.986] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0072.986] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0072.986] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0072.986] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0072.986] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0072.986] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0072.986] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xef703e94, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="BOOTSTAT.DAT", cAlternateFileName="")) returned 1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2=".") returned 1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="..") returned 1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="...") returned 1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="windows") returned -1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="$RECYCLE.BIN") returned 1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="rsa") returned -1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="NTDETECT.COM") returned -1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="ntldr") returned -1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="MSDOS.SYS") returned -1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="IO.SYS") returned -1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="boot.ini") returned 1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="AUTOEXEC.BAT") returned 1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="ntuser.dat") returned -1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="desktop.ini") returned -1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="CONFIG.SYS") returned -1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="RECYCLER") returned -1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="BOOTSECT.BAK") returned 1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="bootmgr") returned 1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="programdata") returned -1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="appdata") returned 1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="program files") returned -1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="program files (x86)") returned -1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="microsoft") returned -1 [0072.986] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="sophos") returned -1 [0072.987] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812f0 [0072.987] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0072.987] PathFindExtensionW (pszPath="BOOTSTAT.DAT") returned=".DAT" [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".exe") returned -1 [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".log") returned -1 [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".cab") returned 1 [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".cmd") returned 1 [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".com") returned 1 [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".cpl") returned 1 [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".ini") returned -1 [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".dll") returned -1 [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".url") returned -1 [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".ttf") returned -1 [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".mp3") returned -1 [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".pif") returned -1 [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".mp4") returned -1 [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".NEFILIM") returned -1 [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".msi") returned -1 [0072.987] lstrcmpiW (lpString1=".DAT", lpString2=".lnk") returned -1 [0072.987] lstrcmpiW (lpString1="BOOTSTAT.DAT", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0072.987] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26820d0 [0072.987] CreateFileW (lpFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0072.988] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=65536) returned 1 [0072.988] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681328 [0072.988] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681478 [0072.988] SystemFunction036 (in: RandomBuffer=0x2681328, RandomBufferLength=0x10 | out: RandomBuffer=0x2681328) returned 1 [0072.989] SystemFunction036 (in: RandomBuffer=0x2681478, RandomBufferLength=0x10 | out: RandomBuffer=0x2681478) returned 1 [0072.989] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2682328 [0072.989] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2682430 [0072.989] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2682328*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x2682328*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0072.990] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2682430*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x2682430*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0072.992] GetTickCount () returned 0x115394c [0072.992] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0072.992] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0072.992] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.992] SetLastError (dwErrCode=0x0) [0072.992] WriteFile (in: hFile=0x260, lpBuffer=0x2682328*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2682328*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0072.993] GetLastError () returned 0x0 [0072.993] GetLastError () returned 0x0 [0072.993] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.993] WriteFile (in: hFile=0x260, lpBuffer=0x2682430*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2682430*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0072.993] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x10200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.993] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x26803814, dwHighDateTime=0x1d5f971)) [0072.993] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0072.993] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0072.993] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0072.993] GetProcessHeap () returned 0xbc0000 [0072.993] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10000) returned 0xbeb608 [0072.994] GetSystemDefaultLangID () returned 0xbd0409 [0072.994] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.994] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x10000, lpOverlapped=0x0) returned 1 [0072.998] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0072.999] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x10000, lpOverlapped=0x0) returned 1 [0072.999] GetProcessHeap () returned 0xbc0000 [0072.999] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0072.999] CloseHandle (hObject=0x260) returned 1 [0073.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682430 | out: hHeap=0x2680000) returned 1 [0073.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681328 | out: hHeap=0x2680000) returned 1 [0073.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.002] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.002] MoveFileW (lpExistingFileName="C:\\Boot\\BOOTSTAT.DAT" (normalized: "c:\\boot\\bootstat.dat"), lpNewFileName="C:\\Boot\\BOOTSTAT.DAT.NEFILIM" (normalized: "c:\\boot\\bootstat.dat.nefilim")) returned 1 [0073.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.003] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef4fcd12, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x185a0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="bootvhd.dll", cAlternateFileName="")) returned 1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2=".") returned 1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="..") returned 1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="...") returned 1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="windows") returned -1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="rsa") returned -1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="NTDETECT.COM") returned -1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="ntldr") returned -1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="MSDOS.SYS") returned -1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="IO.SYS") returned -1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="boot.ini") returned 1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="AUTOEXEC.BAT") returned 1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="ntuser.dat") returned -1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="desktop.ini") returned -1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="CONFIG.SYS") returned -1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="RECYCLER") returned -1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="BOOTSECT.BAK") returned 1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="bootmgr") returned 1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="programdata") returned -1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="appdata") returned 1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="program files") returned -1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="program files (x86)") returned -1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="microsoft") returned -1 [0073.003] lstrcmpiW (lpString1="bootvhd.dll", lpString2="sophos") returned -1 [0073.003] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26820d0 [0073.003] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.003] PathFindExtensionW (pszPath="bootvhd.dll") returned=".dll" [0073.003] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0073.003] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0073.003] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0073.003] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0073.003] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0073.003] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0073.004] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0073.004] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0073.004] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="cs-CZ", cAlternateFileName="")) returned 1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2=".") returned 1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="..") returned 1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="...") returned 1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="windows") returned -1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="$RECYCLE.BIN") returned 1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="rsa") returned -1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="NTDETECT.COM") returned -1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="ntldr") returned -1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="MSDOS.SYS") returned -1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="IO.SYS") returned -1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="boot.ini") returned 1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="AUTOEXEC.BAT") returned 1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="ntuser.dat") returned -1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="desktop.ini") returned -1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="CONFIG.SYS") returned 1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="RECYCLER") returned -1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="BOOTSECT.BAK") returned 1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="bootmgr") returned 1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="programdata") returned -1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="appdata") returned 1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="program files") returned -1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="program files (x86)") returned -1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="microsoft") returned -1 [0073.004] lstrcmpiW (lpString1="cs-CZ", lpString2="sophos") returned -1 [0073.004] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.004] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.004] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.004] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.004] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.004] FindFirstFileW (in: lpFileName="C:\\Boot\\cs-CZ\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2948 [0073.040] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.040] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47bb525, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef511a4c, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.040] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.040] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.040] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2109581d, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b58, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.040] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.040] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.041] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.041] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.041] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.041] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.041] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.041] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\bootmgr.exe.mui" (normalized: "c:\\boot\\cs-cz\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.041] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.041] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681500 [0073.041] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26820f8 [0073.041] SystemFunction036 (in: RandomBuffer=0x2681500, RandomBufferLength=0x10 | out: RandomBuffer=0x2681500) returned 1 [0073.041] SystemFunction036 (in: RandomBuffer=0x26820f8, RandomBufferLength=0x10 | out: RandomBuffer=0x26820f8) returned 1 [0073.041] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2682370 [0073.041] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2682478 [0073.042] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2682370*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2682370*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.042] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2682478*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2682478*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.042] GetTickCount () returned 0x115397b [0073.042] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682580 [0073.042] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682580 | out: hHeap=0x2680000) returned 1 [0073.042] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.042] SetLastError (dwErrCode=0x0) [0073.042] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2682370, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.042] GetLastError () returned 0x6 [0073.042] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.042] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.042] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.042] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.042] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.042] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.042] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.042] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.042] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.042] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.043] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.043] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.043] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.043] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.043] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.043] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.043] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.043] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.043] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.043] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.043] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.043] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.043] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.043] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.043] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.043] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.043] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.043] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.043] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.044] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.044] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.044] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.044] CreateFileW (lpFileName="C:\\Boot\\cs-CZ\\memtest.exe.mui" (normalized: "c:\\boot\\cs-cz\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.044] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.044] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2681318 [0073.044] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2682580 [0073.044] SystemFunction036 (in: RandomBuffer=0x2681318, RandomBufferLength=0x10 | out: RandomBuffer=0x2681318) returned 1 [0073.044] SystemFunction036 (in: RandomBuffer=0x2682580, RandomBufferLength=0x10 | out: RandomBuffer=0x2682580) returned 1 [0073.044] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2682598 [0073.044] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26826a0 [0073.044] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2682598*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2682598*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.044] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26826a0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26826a0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.044] GetTickCount () returned 0x115397b [0073.044] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26827a8 [0073.044] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26827a8 | out: hHeap=0x2680000) returned 1 [0073.044] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.045] SetLastError (dwErrCode=0x0) [0073.045] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2682598, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.045] GetLastError () returned 0x6 [0073.045] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.045] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef511a4c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f1d4cf, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.045] FindClose (in: hFindFile=0xbe2948 | out: hFindFile=0xbe2948) returned 1 [0073.045] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.045] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.045] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.045] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="da-DK", cAlternateFileName="")) returned 1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2=".") returned 1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="..") returned 1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="...") returned 1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="windows") returned -1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="$RECYCLE.BIN") returned 1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="rsa") returned -1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="NTDETECT.COM") returned -1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="ntldr") returned -1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="MSDOS.SYS") returned -1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="IO.SYS") returned -1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="boot.ini") returned 1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="AUTOEXEC.BAT") returned 1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="ntuser.dat") returned -1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="desktop.ini") returned -1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="CONFIG.SYS") returned 1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="RECYCLER") returned -1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="BOOTSECT.BAK") returned 1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="bootmgr") returned 1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="programdata") returned -1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="appdata") returned 1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="program files") returned -1 [0073.045] lstrcmpiW (lpString1="da-DK", lpString2="program files (x86)") returned -1 [0073.046] lstrcmpiW (lpString1="da-DK", lpString2="microsoft") returned -1 [0073.046] lstrcmpiW (lpString1="da-DK", lpString2="sophos") returned -1 [0073.046] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.046] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.046] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.046] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.046] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.046] FindFirstFileW (in: lpFileName="C:\\Boot\\da-DK\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2388 [0073.047] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.047] FindNextFileW (in: hFindFile=0xbe2388, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0008dbb, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5252b3, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.047] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.047] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.047] FindNextFileW (in: hFindFile=0xbe2388, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc47e189c, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc47e189c, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.047] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.048] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.048] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.048] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.048] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.049] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.049] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.049] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.049] CreateFileW (lpFileName="C:\\Boot\\da-DK\\bootmgr.exe.mui" (normalized: "c:\\boot\\da-dk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.050] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.050] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26827a8 [0073.050] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26827c0 [0073.050] SystemFunction036 (in: RandomBuffer=0x26827a8, RandomBufferLength=0x10 | out: RandomBuffer=0x26827a8) returned 1 [0073.050] SystemFunction036 (in: RandomBuffer=0x26827c0, RandomBufferLength=0x10 | out: RandomBuffer=0x26827c0) returned 1 [0073.050] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26827d8 [0073.050] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26828e0 [0073.050] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26827d8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x26827d8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.050] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26828e0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26828e0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.051] GetTickCount () returned 0x115397b [0073.051] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26829e8 [0073.051] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26829e8 | out: hHeap=0x2680000) returned 1 [0073.051] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.051] SetLastError (dwErrCode=0x0) [0073.051] WriteFile (in: hFile=0xffffffff, lpBuffer=0x26827d8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.051] GetLastError () returned 0x6 [0073.051] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.051] FindNextFileW (in: hFindFile=0xbe2388, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.051] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.051] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.051] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.052] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.053] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.053] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.053] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.053] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.053] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.053] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.053] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.054] CreateFileW (lpFileName="C:\\Boot\\da-DK\\memtest.exe.mui" (normalized: "c:\\boot\\da-dk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.054] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.054] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26829e8 [0073.054] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26804a0 [0073.057] SystemFunction036 (in: RandomBuffer=0x26829e8, RandomBufferLength=0x10 | out: RandomBuffer=0x26829e8) returned 1 [0073.057] SystemFunction036 (in: RandomBuffer=0x26804a0, RandomBufferLength=0x10 | out: RandomBuffer=0x26804a0) returned 1 [0073.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2685930 [0073.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2685a38 [0073.057] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2685930*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2685930*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.057] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2685a38*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2685a38*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.058] GetTickCount () returned 0x115398b [0073.058] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.058] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.058] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.058] SetLastError (dwErrCode=0x0) [0073.058] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2685930, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.058] GetLastError () returned 0x6 [0073.058] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.058] FindNextFileW (in: hFindFile=0xbe2388, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5252b3, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.058] FindClose (in: hFindFile=0xbe2388 | out: hFindFile=0xbe2388) returned 1 [0073.058] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.058] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.058] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.058] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="de-DE", cAlternateFileName="")) returned 1 [0073.058] lstrcmpiW (lpString1="de-DE", lpString2=".") returned 1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="..") returned 1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="...") returned 1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="windows") returned -1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="$RECYCLE.BIN") returned 1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="rsa") returned -1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="NTDETECT.COM") returned -1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="ntldr") returned -1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="MSDOS.SYS") returned -1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="IO.SYS") returned -1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="boot.ini") returned 1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="AUTOEXEC.BAT") returned 1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="ntuser.dat") returned -1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="desktop.ini") returned -1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="CONFIG.SYS") returned 1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="RECYCLER") returned -1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="BOOTSECT.BAK") returned 1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="bootmgr") returned 1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="programdata") returned -1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="appdata") returned 1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="program files") returned -1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="program files (x86)") returned -1 [0073.059] lstrcmpiW (lpString1="de-DE", lpString2="microsoft") returned -1 [0073.060] lstrcmpiW (lpString1="de-DE", lpString2="sophos") returned -1 [0073.060] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.060] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.060] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.060] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.060] FindFirstFileW (in: lpFileName="C:\\Boot\\de-DE\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2848 [0073.060] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.060] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0009692, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef538bee, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.060] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.060] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.060] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48079da, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48079da, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.060] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.060] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.060] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.061] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.061] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.062] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.062] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.062] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.062] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.062] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.062] CreateFileW (lpFileName="C:\\Boot\\de-DE\\bootmgr.exe.mui" (normalized: "c:\\boot\\de-de\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.063] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685b68 [0073.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685c28 [0073.063] SystemFunction036 (in: RandomBuffer=0x2685b68, RandomBufferLength=0x10 | out: RandomBuffer=0x2685b68) returned 1 [0073.063] SystemFunction036 (in: RandomBuffer=0x2685c28, RandomBufferLength=0x10 | out: RandomBuffer=0x2685c28) returned 1 [0073.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2686148 [0073.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2686250 [0073.064] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2686148*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2686148*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.064] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2686250*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2686250*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.064] GetTickCount () returned 0x115398b [0073.064] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.064] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.064] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.065] SetLastError (dwErrCode=0x0) [0073.065] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2686148, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.065] GetLastError () returned 0x6 [0073.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.065] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.065] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.066] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.067] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.067] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.067] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.067] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.067] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.067] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.067] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.067] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.067] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.068] CreateFileW (lpFileName="C:\\Boot\\de-DE\\memtest.exe.mui" (normalized: "c:\\boot\\de-de\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.068] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.068] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685c70 [0073.068] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685bf8 [0073.068] SystemFunction036 (in: RandomBuffer=0x2685c70, RandomBufferLength=0x10 | out: RandomBuffer=0x2685c70) returned 1 [0073.068] SystemFunction036 (in: RandomBuffer=0x2685bf8, RandomBufferLength=0x10 | out: RandomBuffer=0x2685bf8) returned 1 [0073.068] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2686358 [0073.068] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2686460 [0073.068] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2686358*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2686358*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.069] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2686460*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2686460*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.069] GetTickCount () returned 0x115399a [0073.069] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.069] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.069] SetLastError (dwErrCode=0x0) [0073.069] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2686358, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.070] GetLastError () returned 0x6 [0073.070] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.070] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef538bee, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2ef7268, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.070] FindClose (in: hFindFile=0xbe2848 | out: hFindFile=0xbe2848) returned 1 [0073.070] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.070] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.070] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.070] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="el-GR", cAlternateFileName="")) returned 1 [0073.070] lstrcmpiW (lpString1="el-GR", lpString2=".") returned 1 [0073.070] lstrcmpiW (lpString1="el-GR", lpString2="..") returned 1 [0073.070] lstrcmpiW (lpString1="el-GR", lpString2="...") returned 1 [0073.070] lstrcmpiW (lpString1="el-GR", lpString2="windows") returned -1 [0073.070] lstrcmpiW (lpString1="el-GR", lpString2="$RECYCLE.BIN") returned 1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="rsa") returned -1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="NTDETECT.COM") returned -1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="ntldr") returned -1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="MSDOS.SYS") returned -1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="IO.SYS") returned -1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="boot.ini") returned 1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="AUTOEXEC.BAT") returned 1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="ntuser.dat") returned -1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="desktop.ini") returned 1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="CONFIG.SYS") returned 1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="RECYCLER") returned -1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="BOOTSECT.BAK") returned 1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="bootmgr") returned 1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="programdata") returned -1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="appdata") returned 1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="program files") returned -1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="program files (x86)") returned -1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="microsoft") returned -1 [0073.071] lstrcmpiW (lpString1="el-GR", lpString2="sophos") returned -1 [0073.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.071] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.071] FindFirstFileW (in: lpFileName="C:\\Boot\\el-GR\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2408 [0073.072] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.072] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef555ff8, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.072] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.072] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.072] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13960, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.072] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.072] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.072] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.072] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.072] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.072] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.072] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.072] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.073] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.073] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.074] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.074] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.074] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.075] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.075] CreateFileW (lpFileName="C:\\Boot\\el-GR\\bootmgr.exe.mui" (normalized: "c:\\boot\\el-gr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.075] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685cb8 [0073.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685c88 [0073.076] SystemFunction036 (in: RandomBuffer=0x2685cb8, RandomBufferLength=0x10 | out: RandomBuffer=0x2685cb8) returned 1 [0073.076] SystemFunction036 (in: RandomBuffer=0x2685c88, RandomBufferLength=0x10 | out: RandomBuffer=0x2685c88) returned 1 [0073.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2686590 [0073.077] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26868a8 [0073.077] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2686590*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2686590*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.078] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26868a8*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26868a8*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.078] GetTickCount () returned 0x115399a [0073.078] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.078] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.078] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.078] SetLastError (dwErrCode=0x0) [0073.078] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2686590, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.079] GetLastError () returned 0x6 [0073.079] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.079] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.079] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.080] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.080] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.080] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.080] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.080] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.080] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.080] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.080] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.080] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.080] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.080] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.080] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.080] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.080] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.080] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.080] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.080] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.080] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.080] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.080] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.080] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.080] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.081] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.081] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.081] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.081] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.081] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.081] CreateFileW (lpFileName="C:\\Boot\\el-GR\\memtest.exe.mui" (normalized: "c:\\boot\\el-gr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.082] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685d30 [0073.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685d18 [0073.082] SystemFunction036 (in: RandomBuffer=0x2685d30, RandomBufferLength=0x10 | out: RandomBuffer=0x2685d30) returned 1 [0073.082] SystemFunction036 (in: RandomBuffer=0x2685d18, RandomBufferLength=0x10 | out: RandomBuffer=0x2685d18) returned 1 [0073.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26872f8 [0073.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2686698 [0073.082] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26872f8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x26872f8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.082] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2686698*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2686698*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.082] GetTickCount () returned 0x115399a [0073.083] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.083] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.083] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.083] SetLastError (dwErrCode=0x0) [0073.083] WriteFile (in: hFile=0xffffffff, lpBuffer=0x26872f8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.083] GetLastError () returned 0x6 [0073.083] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.083] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef555ff8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb5a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.083] FindClose (in: hFindFile=0xbe2408 | out: hFindFile=0xbe2408) returned 1 [0073.083] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.083] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.083] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.083] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="en-GB", cAlternateFileName="")) returned 1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2=".") returned 1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="..") returned 1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="...") returned 1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="windows") returned -1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="$RECYCLE.BIN") returned 1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="rsa") returned -1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="NTDETECT.COM") returned -1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="ntldr") returned -1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="MSDOS.SYS") returned -1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="IO.SYS") returned -1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="boot.ini") returned 1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="AUTOEXEC.BAT") returned 1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="ntuser.dat") returned -1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="desktop.ini") returned 1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="CONFIG.SYS") returned 1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="RECYCLER") returned -1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="BOOTSECT.BAK") returned 1 [0073.083] lstrcmpiW (lpString1="en-GB", lpString2="bootmgr") returned 1 [0073.084] lstrcmpiW (lpString1="en-GB", lpString2="programdata") returned -1 [0073.084] lstrcmpiW (lpString1="en-GB", lpString2="appdata") returned 1 [0073.084] lstrcmpiW (lpString1="en-GB", lpString2="program files") returned -1 [0073.084] lstrcmpiW (lpString1="en-GB", lpString2="program files (x86)") returned -1 [0073.084] lstrcmpiW (lpString1="en-GB", lpString2="microsoft") returned -1 [0073.084] lstrcmpiW (lpString1="en-GB", lpString2="sophos") returned -1 [0073.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.084] FindFirstFileW (in: lpFileName="C:\\Boot\\en-GB\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2948 [0073.084] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.084] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc482dc87, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.084] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.084] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.084] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.084] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.084] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.084] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.084] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.084] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.084] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.084] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.084] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.084] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.085] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.085] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.085] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.085] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.085] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.086] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.086] CreateFileW (lpFileName="C:\\Boot\\en-GB\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-gb\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.086] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.086] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685b80 [0073.086] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685b98 [0073.086] SystemFunction036 (in: RandomBuffer=0x2685b80, RandomBufferLength=0x10 | out: RandomBuffer=0x2685b80) returned 1 [0073.086] SystemFunction036 (in: RandomBuffer=0x2685b98, RandomBufferLength=0x10 | out: RandomBuffer=0x2685b98) returned 1 [0073.086] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26867a0 [0073.086] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26869b0 [0073.086] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26867a0*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x26867a0*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.086] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26869b0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26869b0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.086] GetTickCount () returned 0x11539aa [0073.086] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.086] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.086] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.086] SetLastError (dwErrCode=0x0) [0073.086] WriteFile (in: hFile=0xffffffff, lpBuffer=0x26867a0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.087] GetLastError () returned 0x6 [0073.087] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.087] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc482dc87, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12158, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0073.087] FindClose (in: hFindFile=0xbe2948 | out: hFindFile=0xbe2948) returned 1 [0073.087] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.087] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.087] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.087] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="en-US", cAlternateFileName="")) returned 1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="NTDETECT.COM") returned -1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="ntldr") returned -1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="MSDOS.SYS") returned -1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="IO.SYS") returned -1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="boot.ini") returned 1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="AUTOEXEC.BAT") returned 1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="desktop.ini") returned 1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="CONFIG.SYS") returned 1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="RECYCLER") returned -1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="BOOTSECT.BAK") returned 1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="bootmgr") returned 1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="microsoft") returned -1 [0073.087] lstrcmpiW (lpString1="en-US", lpString2="sophos") returned -1 [0073.088] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.088] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.088] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.088] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.088] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.088] FindFirstFileW (in: lpFileName="C:\\Boot\\en-US\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0073.088] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.088] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc482dc87, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef57d0f5, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.088] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.088] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.088] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef569843, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x327294d0, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x121a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.088] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.089] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.089] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.089] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.089] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.089] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.089] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.089] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.089] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.089] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.089] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.089] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.089] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.089] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.089] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.089] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.089] CreateFileW (lpFileName="C:\\Boot\\en-US\\bootmgr.exe.mui" (normalized: "c:\\boot\\en-us\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.133] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.133] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685bb0 [0073.133] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685ca0 [0073.134] SystemFunction036 (in: RandomBuffer=0x2685bb0, RandomBufferLength=0x10 | out: RandomBuffer=0x2685bb0) returned 1 [0073.134] SystemFunction036 (in: RandomBuffer=0x2685ca0, RandomBufferLength=0x10 | out: RandomBuffer=0x2685ca0) returned 1 [0073.134] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2686ab8 [0073.134] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2687400 [0073.134] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2686ab8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2686ab8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.134] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2687400*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2687400*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.134] GetTickCount () returned 0x11539d9 [0073.134] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.134] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.134] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.134] SetLastError (dwErrCode=0x0) [0073.134] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2686ab8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.134] GetLastError () returned 0x6 [0073.134] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.134] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.134] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.134] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.134] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.135] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.135] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.135] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.135] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.135] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.135] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.135] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.135] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.135] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.135] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.135] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.135] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.135] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.136] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.136] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.136] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.136] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.136] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.136] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.136] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.136] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.136] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.136] CreateFileW (lpFileName="C:\\Boot\\en-US\\memtest.exe.mui" (normalized: "c:\\boot\\en-us\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.136] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.136] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685cd0 [0073.136] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685bc8 [0073.136] SystemFunction036 (in: RandomBuffer=0x2685cd0, RandomBufferLength=0x10 | out: RandomBuffer=0x2685cd0) returned 1 [0073.136] SystemFunction036 (in: RandomBuffer=0x2685bc8, RandomBufferLength=0x10 | out: RandomBuffer=0x2685bc8) returned 1 [0073.136] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2686bc0 [0073.136] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2686ed8 [0073.136] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2686bc0*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2686bc0*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.136] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2686ed8*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2686ed8*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.137] GetTickCount () returned 0x11539d9 [0073.137] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.137] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.137] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.137] SetLastError (dwErrCode=0x0) [0073.137] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2686bc0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.137] GetLastError () returned 0x6 [0073.137] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.137] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef57d0f5, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.137] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0073.137] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.137] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.137] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.137] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="es-ES", cAlternateFileName="")) returned 1 [0073.137] lstrcmpiW (lpString1="es-ES", lpString2=".") returned 1 [0073.137] lstrcmpiW (lpString1="es-ES", lpString2="..") returned 1 [0073.137] lstrcmpiW (lpString1="es-ES", lpString2="...") returned 1 [0073.137] lstrcmpiW (lpString1="es-ES", lpString2="windows") returned -1 [0073.137] lstrcmpiW (lpString1="es-ES", lpString2="$RECYCLE.BIN") returned 1 [0073.137] lstrcmpiW (lpString1="es-ES", lpString2="rsa") returned -1 [0073.137] lstrcmpiW (lpString1="es-ES", lpString2="NTDETECT.COM") returned -1 [0073.137] lstrcmpiW (lpString1="es-ES", lpString2="ntldr") returned -1 [0073.137] lstrcmpiW (lpString1="es-ES", lpString2="MSDOS.SYS") returned -1 [0073.137] lstrcmpiW (lpString1="es-ES", lpString2="IO.SYS") returned -1 [0073.138] lstrcmpiW (lpString1="es-ES", lpString2="boot.ini") returned 1 [0073.138] lstrcmpiW (lpString1="es-ES", lpString2="AUTOEXEC.BAT") returned 1 [0073.138] lstrcmpiW (lpString1="es-ES", lpString2="ntuser.dat") returned -1 [0073.138] lstrcmpiW (lpString1="es-ES", lpString2="desktop.ini") returned 1 [0073.138] lstrcmpiW (lpString1="es-ES", lpString2="CONFIG.SYS") returned 1 [0073.138] lstrcmpiW (lpString1="es-ES", lpString2="RECYCLER") returned -1 [0073.138] lstrcmpiW (lpString1="es-ES", lpString2="BOOTSECT.BAK") returned 1 [0073.138] lstrcmpiW (lpString1="es-ES", lpString2="bootmgr") returned 1 [0073.138] lstrcmpiW (lpString1="es-ES", lpString2="programdata") returned -1 [0073.138] lstrcmpiW (lpString1="es-ES", lpString2="appdata") returned 1 [0073.138] lstrcmpiW (lpString1="es-ES", lpString2="program files") returned -1 [0073.138] lstrcmpiW (lpString1="es-ES", lpString2="program files (x86)") returned -1 [0073.138] lstrcmpiW (lpString1="es-ES", lpString2="microsoft") returned -1 [0073.138] lstrcmpiW (lpString1="es-ES", lpString2="sophos") returned -1 [0073.138] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.138] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.138] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.138] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.138] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.138] FindFirstFileW (in: lpFileName="C:\\Boot\\es-ES\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2888 [0073.138] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.138] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000b9ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef586d37, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.138] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.138] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.138] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.138] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.138] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.138] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.139] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.139] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.139] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.139] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.139] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.139] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.139] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.139] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.139] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.139] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.139] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.139] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.139] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.140] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.140] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.140] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.140] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.140] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.140] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.140] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.140] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.140] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.140] CreateFileW (lpFileName="C:\\Boot\\es-ES\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-es\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.140] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.140] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685be0 [0073.140] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685c10 [0073.140] SystemFunction036 (in: RandomBuffer=0x2685be0, RandomBufferLength=0x10 | out: RandomBuffer=0x2685be0) returned 1 [0073.140] SystemFunction036 (in: RandomBuffer=0x2685c10, RandomBufferLength=0x10 | out: RandomBuffer=0x2685c10) returned 1 [0073.140] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2686fe0 [0073.140] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26870e8 [0073.140] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2686fe0*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2686fe0*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.140] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26870e8*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26870e8*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.141] GetTickCount () returned 0x11539d9 [0073.141] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.141] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.141] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.141] SetLastError (dwErrCode=0x0) [0073.141] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2686fe0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.141] GetLastError () returned 0x6 [0073.141] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.141] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.141] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.142] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.142] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.142] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.142] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.142] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.142] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.142] CreateFileW (lpFileName="C:\\Boot\\es-ES\\memtest.exe.mui" (normalized: "c:\\boot\\es-es\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.143] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.143] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685c58 [0073.143] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685c40 [0073.143] SystemFunction036 (in: RandomBuffer=0x2685c58, RandomBufferLength=0x10 | out: RandomBuffer=0x2685c58) returned 1 [0073.143] SystemFunction036 (in: RandomBuffer=0x2685c40, RandomBufferLength=0x10 | out: RandomBuffer=0x2685c40) returned 1 [0073.143] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2686cc8 [0073.143] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2686dd0 [0073.143] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2686cc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2686cc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.143] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2686dd0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2686dd0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.144] GetTickCount () returned 0x11539d9 [0073.144] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.144] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.144] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.144] SetLastError (dwErrCode=0x0) [0073.144] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2686cc8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.144] GetLastError () returned 0x6 [0073.144] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.144] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef586d37, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.144] FindClose (in: hFindFile=0xbe2888 | out: hFindFile=0xbe2888) returned 1 [0073.144] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.144] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.144] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.144] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="es-MX", cAlternateFileName="")) returned 1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2=".") returned 1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2="..") returned 1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2="...") returned 1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2="windows") returned -1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2="$RECYCLE.BIN") returned 1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2="rsa") returned -1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2="NTDETECT.COM") returned -1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2="ntldr") returned -1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2="MSDOS.SYS") returned -1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2="IO.SYS") returned -1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2="boot.ini") returned 1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2="AUTOEXEC.BAT") returned 1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2="ntuser.dat") returned -1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2="desktop.ini") returned 1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2="CONFIG.SYS") returned 1 [0073.144] lstrcmpiW (lpString1="es-MX", lpString2="RECYCLER") returned -1 [0073.145] lstrcmpiW (lpString1="es-MX", lpString2="BOOTSECT.BAK") returned 1 [0073.145] lstrcmpiW (lpString1="es-MX", lpString2="bootmgr") returned 1 [0073.145] lstrcmpiW (lpString1="es-MX", lpString2="programdata") returned -1 [0073.145] lstrcmpiW (lpString1="es-MX", lpString2="appdata") returned 1 [0073.145] lstrcmpiW (lpString1="es-MX", lpString2="program files") returned -1 [0073.145] lstrcmpiW (lpString1="es-MX", lpString2="program files (x86)") returned -1 [0073.145] lstrcmpiW (lpString1="es-MX", lpString2="microsoft") returned -1 [0073.145] lstrcmpiW (lpString1="es-MX", lpString2="sophos") returned -1 [0073.145] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.145] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.145] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.145] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.145] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.145] FindFirstFileW (in: lpFileName="C:\\Boot\\es-MX\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2588 [0073.145] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.145] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000c12e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc4853f40, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.145] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.145] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.145] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.145] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.146] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.146] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.146] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.146] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.146] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.146] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.146] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.146] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.146] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.146] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.146] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.146] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.146] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.146] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.146] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.146] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.147] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.147] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.147] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.147] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.147] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.147] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.147] CreateFileW (lpFileName="C:\\Boot\\es-MX\\bootmgr.exe.mui" (normalized: "c:\\boot\\es-mx\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.147] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.147] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685ce8 [0073.147] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2685d00 [0073.147] SystemFunction036 (in: RandomBuffer=0x2685ce8, RandomBufferLength=0x10 | out: RandomBuffer=0x2685ce8) returned 1 [0073.147] SystemFunction036 (in: RandomBuffer=0x2685d00, RandomBufferLength=0x10 | out: RandomBuffer=0x2685d00) returned 1 [0073.147] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26871f0 [0073.147] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2688828 [0073.147] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26871f0*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x26871f0*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.147] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2688828*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2688828*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.148] GetTickCount () returned 0x11539e8 [0073.148] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.148] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.148] SetLastError (dwErrCode=0x0) [0073.148] WriteFile (in: hFile=0xffffffff, lpBuffer=0x26871f0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.148] GetLastError () returned 0x6 [0073.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.148] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4853f40, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4853f40, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0073.148] FindClose (in: hFindFile=0xbe2588 | out: hFindFile=0xbe2588) returned 1 [0073.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.148] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="et-EE", cAlternateFileName="")) returned 1 [0073.148] lstrcmpiW (lpString1="et-EE", lpString2=".") returned 1 [0073.148] lstrcmpiW (lpString1="et-EE", lpString2="..") returned 1 [0073.148] lstrcmpiW (lpString1="et-EE", lpString2="...") returned 1 [0073.148] lstrcmpiW (lpString1="et-EE", lpString2="windows") returned -1 [0073.148] lstrcmpiW (lpString1="et-EE", lpString2="$RECYCLE.BIN") returned 1 [0073.148] lstrcmpiW (lpString1="et-EE", lpString2="rsa") returned -1 [0073.148] lstrcmpiW (lpString1="et-EE", lpString2="NTDETECT.COM") returned -1 [0073.148] lstrcmpiW (lpString1="et-EE", lpString2="ntldr") returned -1 [0073.148] lstrcmpiW (lpString1="et-EE", lpString2="MSDOS.SYS") returned -1 [0073.148] lstrcmpiW (lpString1="et-EE", lpString2="IO.SYS") returned -1 [0073.148] lstrcmpiW (lpString1="et-EE", lpString2="boot.ini") returned 1 [0073.149] lstrcmpiW (lpString1="et-EE", lpString2="AUTOEXEC.BAT") returned 1 [0073.149] lstrcmpiW (lpString1="et-EE", lpString2="ntuser.dat") returned -1 [0073.149] lstrcmpiW (lpString1="et-EE", lpString2="desktop.ini") returned 1 [0073.149] lstrcmpiW (lpString1="et-EE", lpString2="CONFIG.SYS") returned 1 [0073.149] lstrcmpiW (lpString1="et-EE", lpString2="RECYCLER") returned -1 [0073.149] lstrcmpiW (lpString1="et-EE", lpString2="BOOTSECT.BAK") returned 1 [0073.149] lstrcmpiW (lpString1="et-EE", lpString2="bootmgr") returned 1 [0073.149] lstrcmpiW (lpString1="et-EE", lpString2="programdata") returned -1 [0073.149] lstrcmpiW (lpString1="et-EE", lpString2="appdata") returned 1 [0073.149] lstrcmpiW (lpString1="et-EE", lpString2="program files") returned -1 [0073.149] lstrcmpiW (lpString1="et-EE", lpString2="program files (x86)") returned -1 [0073.149] lstrcmpiW (lpString1="et-EE", lpString2="microsoft") returned -1 [0073.149] lstrcmpiW (lpString1="et-EE", lpString2="sophos") returned -1 [0073.149] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.149] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.149] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.149] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.149] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.149] FindFirstFileW (in: lpFileName="C:\\Boot\\et-EE\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2788 [0073.149] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.149] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc487a0b9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.149] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.149] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.149] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.149] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.149] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.149] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.149] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.149] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.150] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.150] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.150] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.150] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.150] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.150] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.150] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.150] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.150] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.150] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.150] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.150] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.150] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.150] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.150] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.150] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.151] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.151] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.151] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.151] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.151] CreateFileW (lpFileName="C:\\Boot\\et-EE\\bootmgr.exe.mui" (normalized: "c:\\boot\\et-ee\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.151] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26896b0 [0073.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689878 [0073.151] SystemFunction036 (in: RandomBuffer=0x26896b0, RandomBufferLength=0x10 | out: RandomBuffer=0x26896b0) returned 1 [0073.151] SystemFunction036 (in: RandomBuffer=0x2689878, RandomBufferLength=0x10 | out: RandomBuffer=0x2689878) returned 1 [0073.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2688c48 [0073.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2687598 [0073.151] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2688c48*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2688c48*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.152] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2687598*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2687598*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.152] GetTickCount () returned 0x11539e8 [0073.152] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.152] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.152] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.152] SetLastError (dwErrCode=0x0) [0073.152] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2688c48, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.152] GetLastError () returned 0x6 [0073.152] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.152] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209bac02, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12560, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0073.152] FindClose (in: hFindFile=0xbe2788 | out: hFindFile=0xbe2788) returned 1 [0073.152] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.152] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.152] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.152] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="fi-FI", cAlternateFileName="")) returned 1 [0073.152] lstrcmpiW (lpString1="fi-FI", lpString2=".") returned 1 [0073.152] lstrcmpiW (lpString1="fi-FI", lpString2="..") returned 1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="...") returned 1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="windows") returned -1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="$RECYCLE.BIN") returned 1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="rsa") returned -1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="NTDETECT.COM") returned -1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="ntldr") returned -1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="MSDOS.SYS") returned -1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="IO.SYS") returned -1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="boot.ini") returned 1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="AUTOEXEC.BAT") returned 1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="ntuser.dat") returned -1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="desktop.ini") returned 1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="CONFIG.SYS") returned 1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="RECYCLER") returned -1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="BOOTSECT.BAK") returned 1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="bootmgr") returned 1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="programdata") returned -1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="appdata") returned 1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="program files") returned -1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="program files (x86)") returned -1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="microsoft") returned -1 [0073.153] lstrcmpiW (lpString1="fi-FI", lpString2="sophos") returned -1 [0073.153] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.153] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.153] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.153] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.153] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.153] FindFirstFileW (in: lpFileName="C:\\Boot\\fi-FI\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2588 [0073.153] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.153] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa000cf3a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef59a5b1, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.153] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.153] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.154] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc487a0b9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.154] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.154] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.154] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.154] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.154] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.154] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.154] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.154] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.155] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.155] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.155] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.155] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.155] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.155] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.155] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.155] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.155] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.155] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.155] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.155] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.155] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.155] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\bootmgr.exe.mui" (normalized: "c:\\boot\\fi-fi\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.155] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.155] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26895f0 [0073.155] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689620 [0073.155] SystemFunction036 (in: RandomBuffer=0x26895f0, RandomBufferLength=0x10 | out: RandomBuffer=0x26895f0) returned 1 [0073.155] SystemFunction036 (in: RandomBuffer=0x2689620, RandomBufferLength=0x10 | out: RandomBuffer=0x2689620) returned 1 [0073.155] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2689278 [0073.155] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26876a0 [0073.155] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2689278*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2689278*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.155] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26876a0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26876a0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.156] GetTickCount () returned 0x11539e8 [0073.156] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.156] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.156] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.156] SetLastError (dwErrCode=0x0) [0073.156] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2689278, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.156] GetLastError () returned 0x6 [0073.156] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.156] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.156] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.157] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.157] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.157] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.157] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.157] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.157] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.157] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.157] CreateFileW (lpFileName="C:\\Boot\\fi-FI\\memtest.exe.mui" (normalized: "c:\\boot\\fi-fi\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.157] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689890 [0073.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689668 [0073.157] SystemFunction036 (in: RandomBuffer=0x2689890, RandomBufferLength=0x10 | out: RandomBuffer=0x2689890) returned 1 [0073.157] SystemFunction036 (in: RandomBuffer=0x2689668, RandomBufferLength=0x10 | out: RandomBuffer=0x2689668) returned 1 [0073.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2687dd8 [0073.158] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2687fe8 [0073.158] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2687dd8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2687dd8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.158] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2687fe8*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2687fe8*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.158] GetTickCount () returned 0x11539e8 [0073.158] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.158] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.158] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.158] SetLastError (dwErrCode=0x0) [0073.158] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2687dd8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.158] GetLastError () returned 0x6 [0073.158] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.158] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef59a5b1, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf3a246aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.158] FindClose (in: hFindFile=0xbe2588 | out: hFindFile=0xbe2588) returned 1 [0073.158] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.158] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.158] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.158] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="Fonts", cAlternateFileName="")) returned 1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2=".") returned 1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="..") returned 1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="...") returned 1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="windows") returned -1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="$RECYCLE.BIN") returned 1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="rsa") returned -1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="NTDETECT.COM") returned -1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="ntldr") returned -1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="MSDOS.SYS") returned -1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="IO.SYS") returned -1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="boot.ini") returned 1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="AUTOEXEC.BAT") returned 1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="ntuser.dat") returned -1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="desktop.ini") returned 1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="CONFIG.SYS") returned 1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="RECYCLER") returned -1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="BOOTSECT.BAK") returned 1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="bootmgr") returned 1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="programdata") returned -1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="appdata") returned 1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="program files") returned -1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="program files (x86)") returned -1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="microsoft") returned -1 [0073.159] lstrcmpiW (lpString1="Fonts", lpString2="sophos") returned -1 [0073.159] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.159] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.159] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.159] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.159] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.159] FindFirstFileW (in: lpFileName="C:\\Boot\\Fonts\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2a48 [0073.162] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.162] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0109451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef999ae4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.162] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.162] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.162] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc49ab3c7, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef782dd9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x386467, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="chs_boot.ttf", cAlternateFileName="")) returned 1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2=".") returned 1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="..") returned 1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="...") returned 1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="windows") returned -1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="rsa") returned -1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="ntldr") returned -1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="IO.SYS") returned -1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="boot.ini") returned 1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="ntuser.dat") returned -1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="desktop.ini") returned -1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="CONFIG.SYS") returned -1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="RECYCLER") returned -1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="bootmgr") returned 1 [0073.162] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="programdata") returned -1 [0073.163] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="appdata") returned 1 [0073.163] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="program files") returned -1 [0073.163] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="program files (x86)") returned -1 [0073.163] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="microsoft") returned -1 [0073.163] lstrcmpiW (lpString1="chs_boot.ttf", lpString2="sophos") returned -1 [0073.163] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.163] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.163] PathFindExtensionW (pszPath="chs_boot.ttf") returned=".ttf" [0073.163] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.163] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.163] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.163] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.163] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.163] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.163] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.163] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.163] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.163] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.163] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a1dbea, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef81cc08, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x3b2e0a, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="cht_boot.ttf", cAlternateFileName="")) returned 1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2=".") returned 1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="..") returned 1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="...") returned 1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="windows") returned -1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="rsa") returned -1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="ntldr") returned -1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="IO.SYS") returned -1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="boot.ini") returned 1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="ntuser.dat") returned -1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="desktop.ini") returned -1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="CONFIG.SYS") returned -1 [0073.163] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="RECYCLER") returned -1 [0073.164] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.164] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="bootmgr") returned 1 [0073.164] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="programdata") returned -1 [0073.164] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="appdata") returned 1 [0073.164] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="program files") returned -1 [0073.164] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="program files (x86)") returned -1 [0073.164] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="microsoft") returned -1 [0073.164] lstrcmpiW (lpString1="cht_boot.ttf", lpString2="sophos") returned -1 [0073.164] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.164] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.164] PathFindExtensionW (pszPath="cht_boot.ttf") returned=".ttf" [0073.164] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.164] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.164] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.164] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.164] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.164] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.164] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.164] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.164] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.164] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.164] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4a902c2, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8771a7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1e4d4b, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="jpn_boot.ttf", cAlternateFileName="")) returned 1 [0073.164] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2=".") returned 1 [0073.164] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="..") returned 1 [0073.164] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="...") returned 1 [0073.164] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="windows") returned -1 [0073.164] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.164] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="rsa") returned -1 [0073.164] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0073.164] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="ntldr") returned -1 [0073.164] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0073.164] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="IO.SYS") returned 1 [0073.164] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="boot.ini") returned 1 [0073.164] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.164] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="ntuser.dat") returned -1 [0073.165] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="desktop.ini") returned 1 [0073.165] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0073.165] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="RECYCLER") returned -1 [0073.165] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.165] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="bootmgr") returned 1 [0073.165] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="programdata") returned -1 [0073.165] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="appdata") returned 1 [0073.165] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="program files") returned -1 [0073.165] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="program files (x86)") returned -1 [0073.165] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="microsoft") returned -1 [0073.165] lstrcmpiW (lpString1="jpn_boot.ttf", lpString2="sophos") returned -1 [0073.165] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.165] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.165] PathFindExtensionW (pszPath="jpn_boot.ttf") returned=".ttf" [0073.165] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.165] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.165] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.165] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.165] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.165] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.165] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.165] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.165] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.165] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.165] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b4eed5, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8c4060, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x243588, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="kor_boot.ttf", cAlternateFileName="")) returned 1 [0073.165] lstrcmpiW (lpString1="kor_boot.ttf", lpString2=".") returned 1 [0073.165] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="..") returned 1 [0073.165] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="...") returned 1 [0073.165] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="windows") returned -1 [0073.165] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.165] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="rsa") returned -1 [0073.165] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0073.165] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="ntldr") returned -1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="IO.SYS") returned 1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="boot.ini") returned 1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="ntuser.dat") returned -1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="desktop.ini") returned 1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="RECYCLER") returned -1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="bootmgr") returned 1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="programdata") returned -1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="appdata") returned 1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="program files") returned -1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="program files (x86)") returned -1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="microsoft") returned -1 [0073.166] lstrcmpiW (lpString1="kor_boot.ttf", lpString2="sophos") returned -1 [0073.166] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.166] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.166] PathFindExtensionW (pszPath="kor_boot.ttf") returned=".ttf" [0073.166] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.166] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.166] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.166] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.166] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.166] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.166] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.167] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.167] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.167] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.167] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8e28b4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2ab6f, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="malgunn_boot.ttf", cAlternateFileName="MALGUN~1.TTF")) returned 1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2=".") returned 1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="..") returned 1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="...") returned 1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="windows") returned -1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="rsa") returned -1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="ntldr") returned -1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="IO.SYS") returned 1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="boot.ini") returned 1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="ntuser.dat") returned -1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="desktop.ini") returned 1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="RECYCLER") returned -1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="bootmgr") returned 1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="programdata") returned -1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="appdata") returned 1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="program files") returned -1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="program files (x86)") returned -1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="microsoft") returned -1 [0073.167] lstrcmpiW (lpString1="malgunn_boot.ttf", lpString2="sophos") returned -1 [0073.167] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.167] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.168] PathFindExtensionW (pszPath="malgunn_boot.ttf") returned=".ttf" [0073.168] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.168] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.168] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.168] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.168] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.168] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.168] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.168] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.168] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.168] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.168] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef8f4db4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2b506, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="malgun_boot.ttf", cAlternateFileName="MALGUN~2.TTF")) returned 1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2=".") returned 1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="..") returned 1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="...") returned 1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="windows") returned -1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="rsa") returned -1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="ntldr") returned -1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="IO.SYS") returned 1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="boot.ini") returned 1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="ntuser.dat") returned -1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="desktop.ini") returned 1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="RECYCLER") returned -1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="bootmgr") returned 1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="programdata") returned -1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="appdata") returned 1 [0073.168] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="program files") returned -1 [0073.169] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="program files (x86)") returned -1 [0073.169] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="microsoft") returned -1 [0073.169] lstrcmpiW (lpString1="malgun_boot.ttf", lpString2="sophos") returned -1 [0073.169] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.169] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.169] PathFindExtensionW (pszPath="malgun_boot.ttf") returned=".ttf" [0073.169] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.169] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.169] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.169] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.169] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.169] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.169] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.169] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.169] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.169] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.169] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4b9b37e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9072c7, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2318a, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="meiryon_boot.ttf", cAlternateFileName="MEIRYO~1.TTF")) returned 1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2=".") returned 1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="..") returned 1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="...") returned 1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="windows") returned -1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="rsa") returned -1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="ntldr") returned -1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="IO.SYS") returned 1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="boot.ini") returned 1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="ntuser.dat") returned -1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="desktop.ini") returned 1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="RECYCLER") returned -1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.169] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="bootmgr") returned 1 [0073.170] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="programdata") returned -1 [0073.170] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="appdata") returned 1 [0073.170] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="program files") returned -1 [0073.170] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="program files (x86)") returned -1 [0073.170] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="microsoft") returned -1 [0073.170] lstrcmpiW (lpString1="meiryon_boot.ttf", lpString2="sophos") returned -1 [0073.170] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.170] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.170] PathFindExtensionW (pszPath="meiryon_boot.ttf") returned=".ttf" [0073.170] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.170] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.170] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.170] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.170] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.170] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.170] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.170] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.170] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.170] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.170] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef918492, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x2380b, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="meiryo_boot.ttf", cAlternateFileName="MEIRYO~2.TTF")) returned 1 [0073.170] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2=".") returned 1 [0073.170] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="..") returned 1 [0073.170] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="...") returned 1 [0073.170] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="windows") returned -1 [0073.170] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.170] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="rsa") returned -1 [0073.170] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0073.170] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="ntldr") returned -1 [0073.170] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="MSDOS.SYS") returned -1 [0073.170] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="IO.SYS") returned 1 [0073.170] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="boot.ini") returned 1 [0073.170] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.170] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="ntuser.dat") returned -1 [0073.170] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="desktop.ini") returned 1 [0073.170] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0073.171] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="RECYCLER") returned -1 [0073.171] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.171] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="bootmgr") returned 1 [0073.171] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="programdata") returned -1 [0073.171] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="appdata") returned 1 [0073.171] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="program files") returned -1 [0073.171] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="program files (x86)") returned -1 [0073.171] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="microsoft") returned -1 [0073.171] lstrcmpiW (lpString1="meiryo_boot.ttf", lpString2="sophos") returned -1 [0073.171] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.171] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.171] PathFindExtensionW (pszPath="meiryo_boot.ttf") returned=".ttf" [0073.171] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.171] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.171] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.171] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.171] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.171] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.171] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.171] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.171] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.171] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.171] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4bc156a, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef92a947, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x27a1b, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="msjhn_boot.ttf", cAlternateFileName="MSJHN_~1.TTF")) returned 1 [0073.171] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2=".") returned 1 [0073.171] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="..") returned 1 [0073.171] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="...") returned 1 [0073.171] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="windows") returned -1 [0073.171] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.171] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="rsa") returned -1 [0073.171] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0073.171] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="ntldr") returned -1 [0073.171] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="MSDOS.SYS") returned 1 [0073.171] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="IO.SYS") returned 1 [0073.171] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="boot.ini") returned 1 [0073.171] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.171] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="ntuser.dat") returned -1 [0073.172] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="desktop.ini") returned 1 [0073.172] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0073.172] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="RECYCLER") returned -1 [0073.172] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.172] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="bootmgr") returned 1 [0073.172] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="programdata") returned -1 [0073.172] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="appdata") returned 1 [0073.172] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="program files") returned -1 [0073.172] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="program files (x86)") returned -1 [0073.172] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="microsoft") returned 1 [0073.172] lstrcmpiW (lpString1="msjhn_boot.ttf", lpString2="sophos") returned -1 [0073.172] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.172] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.172] PathFindExtensionW (pszPath="msjhn_boot.ttf") returned=".ttf" [0073.172] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.172] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.172] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.172] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.172] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.172] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.172] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.172] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.172] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.172] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.172] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef93ce3b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x281fb, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="msjh_boot.ttf", cAlternateFileName="MSJH_B~1.TTF")) returned 1 [0073.172] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2=".") returned 1 [0073.172] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="..") returned 1 [0073.172] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="...") returned 1 [0073.172] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="windows") returned -1 [0073.172] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.172] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="rsa") returned -1 [0073.172] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0073.172] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="ntldr") returned -1 [0073.172] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="MSDOS.SYS") returned 1 [0073.172] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="IO.SYS") returned 1 [0073.173] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="boot.ini") returned 1 [0073.173] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.173] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="ntuser.dat") returned -1 [0073.173] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="desktop.ini") returned 1 [0073.173] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0073.173] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="RECYCLER") returned -1 [0073.173] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.173] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="bootmgr") returned 1 [0073.173] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="programdata") returned -1 [0073.173] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="appdata") returned 1 [0073.173] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="program files") returned -1 [0073.173] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="program files (x86)") returned -1 [0073.173] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="microsoft") returned 1 [0073.173] lstrcmpiW (lpString1="msjh_boot.ttf", lpString2="sophos") returned -1 [0073.173] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.173] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.173] PathFindExtensionW (pszPath="msjh_boot.ttf") returned=".ttf" [0073.173] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.173] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.173] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.173] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.173] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.173] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.173] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.173] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.173] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.173] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.173] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef94dfcd, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x25b3b, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="msyhn_boot.ttf", cAlternateFileName="MSYHN_~1.TTF")) returned 1 [0073.173] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2=".") returned 1 [0073.173] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="..") returned 1 [0073.173] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="...") returned 1 [0073.173] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="windows") returned -1 [0073.173] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.173] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="rsa") returned -1 [0073.173] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0073.173] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="ntldr") returned -1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="MSDOS.SYS") returned 1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="IO.SYS") returned 1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="boot.ini") returned 1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="ntuser.dat") returned -1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="desktop.ini") returned 1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="RECYCLER") returned -1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="bootmgr") returned 1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="programdata") returned -1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="appdata") returned 1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="program files") returned -1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="program files (x86)") returned -1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="microsoft") returned 1 [0073.174] lstrcmpiW (lpString1="msyhn_boot.ttf", lpString2="sophos") returned -1 [0073.174] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.174] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.174] PathFindExtensionW (pszPath="msyhn_boot.ttf") returned=".ttf" [0073.174] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.174] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.174] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.174] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.174] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.174] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.174] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.174] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.174] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.174] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.174] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef95f141, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2488a26, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x26255, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="msyh_boot.ttf", cAlternateFileName="MSYH_B~1.TTF")) returned 1 [0073.174] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2=".") returned 1 [0073.174] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="..") returned 1 [0073.174] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="...") returned 1 [0073.174] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="windows") returned -1 [0073.174] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="rsa") returned -1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="NTDETECT.COM") returned -1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="ntldr") returned -1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="MSDOS.SYS") returned 1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="IO.SYS") returned 1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="boot.ini") returned 1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="ntuser.dat") returned -1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="desktop.ini") returned 1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="RECYCLER") returned -1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="bootmgr") returned 1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="programdata") returned -1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="appdata") returned 1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="program files") returned -1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="program files (x86)") returned -1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="microsoft") returned 1 [0073.175] lstrcmpiW (lpString1="msyh_boot.ttf", lpString2="sophos") returned -1 [0073.175] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.175] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.175] PathFindExtensionW (pszPath="msyh_boot.ttf") returned=".ttf" [0073.175] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.175] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.175] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.175] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.175] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.175] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.175] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.175] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.175] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.175] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.176] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4be7820, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef96ef3e, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf3b, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="segmono_boot.ttf", cAlternateFileName="SEGMON~1.TTF")) returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2=".") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="..") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="...") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="windows") returned -1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="rsa") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="NTDETECT.COM") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="ntldr") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="MSDOS.SYS") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="IO.SYS") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="boot.ini") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="ntuser.dat") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="desktop.ini") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="RECYCLER") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="bootmgr") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="programdata") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="appdata") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="program files") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="program files (x86)") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="microsoft") returned 1 [0073.176] lstrcmpiW (lpString1="segmono_boot.ttf", lpString2="sophos") returned -1 [0073.176] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.176] PathFindExtensionW (pszPath="segmono_boot.ttf") returned=".ttf" [0073.176] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.176] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.176] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.177] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.177] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.177] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.177] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.177] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.177] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.177] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.177] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c0da69, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef97d9ab, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x14f66, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="segoen_slboot.ttf", cAlternateFileName="SEGOEN~1.TTF")) returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2=".") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="..") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="...") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="windows") returned -1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="rsa") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="NTDETECT.COM") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="ntldr") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="MSDOS.SYS") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="IO.SYS") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="boot.ini") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="ntuser.dat") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="desktop.ini") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="CONFIG.SYS") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="RECYCLER") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="bootmgr") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="programdata") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="appdata") returned 1 [0073.177] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="program files") returned 1 [0073.218] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="program files (x86)") returned 1 [0073.219] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="microsoft") returned 1 [0073.219] lstrcmpiW (lpString1="segoen_slboot.ttf", lpString2="sophos") returned -1 [0073.219] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.219] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.219] PathFindExtensionW (pszPath="segoen_slboot.ttf") returned=".ttf" [0073.219] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.219] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.220] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.220] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.220] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.220] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.220] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.220] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.220] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.220] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.220] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef98c419, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x150a2, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="segoe_slboot.ttf", cAlternateFileName="SEGOE_~1.TTF")) returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2=".") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="..") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="...") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="windows") returned -1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="rsa") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="NTDETECT.COM") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="ntldr") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="MSDOS.SYS") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="IO.SYS") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="boot.ini") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="ntuser.dat") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="desktop.ini") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="CONFIG.SYS") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="RECYCLER") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="bootmgr") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="programdata") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="appdata") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="program files") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="program files (x86)") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="microsoft") returned 1 [0073.220] lstrcmpiW (lpString1="segoe_slboot.ttf", lpString2="sophos") returned -1 [0073.220] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.220] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.221] PathFindExtensionW (pszPath="segoe_slboot.ttf") returned=".ttf" [0073.221] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.221] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.221] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.221] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.221] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.221] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.221] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.221] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.221] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.221] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.221] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2=".") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="..") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="...") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="windows") returned -1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="$RECYCLE.BIN") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="rsa") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="NTDETECT.COM") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="ntldr") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="MSDOS.SYS") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="IO.SYS") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="boot.ini") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="AUTOEXEC.BAT") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="ntuser.dat") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="desktop.ini") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="CONFIG.SYS") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="RECYCLER") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="BOOTSECT.BAK") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="bootmgr") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="programdata") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="appdata") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="program files") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="program files (x86)") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="microsoft") returned 1 [0073.221] lstrcmpiW (lpString1="wgl4_boot.ttf", lpString2="sophos") returned 1 [0073.222] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.222] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.222] PathFindExtensionW (pszPath="wgl4_boot.ttf") returned=".ttf" [0073.222] lstrcmpiW (lpString1=".ttf", lpString2=".exe") returned 1 [0073.222] lstrcmpiW (lpString1=".ttf", lpString2=".log") returned 1 [0073.222] lstrcmpiW (lpString1=".ttf", lpString2=".cab") returned 1 [0073.222] lstrcmpiW (lpString1=".ttf", lpString2=".cmd") returned 1 [0073.222] lstrcmpiW (lpString1=".ttf", lpString2=".com") returned 1 [0073.222] lstrcmpiW (lpString1=".ttf", lpString2=".cpl") returned 1 [0073.222] lstrcmpiW (lpString1=".ttf", lpString2=".ini") returned 1 [0073.222] lstrcmpiW (lpString1=".ttf", lpString2=".dll") returned 1 [0073.222] lstrcmpiW (lpString1=".ttf", lpString2=".url") returned -1 [0073.222] lstrcmpiW (lpString1=".ttf", lpString2=".ttf") returned 0 [0073.222] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef999ae4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf24aec9d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xbfc3, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="wgl4_boot.ttf", cAlternateFileName="WGL4_B~1.TTF")) returned 0 [0073.222] FindClose (in: hFindFile=0xbe2a48 | out: hFindFile=0xbe2a48) returned 1 [0073.223] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.223] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.223] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.223] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="fr-CA", cAlternateFileName="")) returned 1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2=".") returned 1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="..") returned 1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="...") returned 1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="windows") returned -1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="$RECYCLE.BIN") returned 1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="rsa") returned -1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="NTDETECT.COM") returned -1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="ntldr") returned -1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="MSDOS.SYS") returned -1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="IO.SYS") returned -1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="boot.ini") returned 1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="AUTOEXEC.BAT") returned 1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="ntuser.dat") returned -1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="desktop.ini") returned 1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="CONFIG.SYS") returned 1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="RECYCLER") returned -1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="BOOTSECT.BAK") returned 1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="bootmgr") returned 1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="programdata") returned -1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="appdata") returned 1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="program files") returned -1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="program files (x86)") returned -1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="microsoft") returned -1 [0073.223] lstrcmpiW (lpString1="fr-CA", lpString2="sophos") returned -1 [0073.224] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.224] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.224] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.224] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.224] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.224] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-CA\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2888 [0073.225] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.225] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc487a0b9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.225] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.225] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.225] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.225] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.226] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.226] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.226] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.226] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.226] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.226] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.227] CreateFileW (lpFileName="C:\\Boot\\fr-CA\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-ca\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.227] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.227] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689740 [0073.227] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689680 [0073.227] SystemFunction036 (in: RandomBuffer=0x2689740, RandomBufferLength=0x10 | out: RandomBuffer=0x2689740) returned 1 [0073.227] SystemFunction036 (in: RandomBuffer=0x2689680, RandomBufferLength=0x10 | out: RandomBuffer=0x2689680) returned 1 [0073.227] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2687ac0 [0073.227] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2688300 [0073.227] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2687ac0*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2687ac0*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.227] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2688300*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2688300*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.227] GetTickCount () returned 0x1153a37 [0073.227] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.227] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.227] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.228] SetLastError (dwErrCode=0x0) [0073.228] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2687ac0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.228] GetLastError () returned 0x6 [0073.228] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.228] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x209949ab, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13560, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0073.228] FindClose (in: hFindFile=0xbe2888 | out: hFindFile=0xbe2888) returned 1 [0073.228] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.228] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.228] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.228] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="fr-FR", cAlternateFileName="")) returned 1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2=".") returned 1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="..") returned 1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="...") returned 1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="windows") returned -1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="$RECYCLE.BIN") returned 1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="rsa") returned -1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="NTDETECT.COM") returned -1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="ntldr") returned -1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="MSDOS.SYS") returned -1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="IO.SYS") returned -1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="boot.ini") returned 1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="AUTOEXEC.BAT") returned 1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="ntuser.dat") returned -1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="desktop.ini") returned 1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="CONFIG.SYS") returned 1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="RECYCLER") returned -1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="BOOTSECT.BAK") returned 1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="bootmgr") returned 1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="programdata") returned -1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="appdata") returned 1 [0073.228] lstrcmpiW (lpString1="fr-FR", lpString2="program files") returned -1 [0073.229] lstrcmpiW (lpString1="fr-FR", lpString2="program files (x86)") returned -1 [0073.229] lstrcmpiW (lpString1="fr-FR", lpString2="microsoft") returned -1 [0073.229] lstrcmpiW (lpString1="fr-FR", lpString2="sophos") returned -1 [0073.229] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.229] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.229] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.229] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.229] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.229] FindFirstFileW (in: lpFileName="C:\\Boot\\fr-FR\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2688 [0073.229] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.229] FindNextFileW (in: hFindFile=0xbe2688, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010bc12, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ade2b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.229] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.229] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.229] FindNextFileW (in: hFindFile=0xbe2688, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2096e751, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13558, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.229] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.229] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.229] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.229] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.229] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.229] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.229] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.229] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.229] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.229] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.229] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.229] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.229] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.230] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.230] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.230] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.230] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.230] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.230] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.230] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.230] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.230] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.230] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.230] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.230] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.230] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.230] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.230] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.230] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.230] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.230] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\bootmgr.exe.mui" (normalized: "c:\\boot\\fr-fr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.231] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.231] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689650 [0073.231] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26896f8 [0073.231] SystemFunction036 (in: RandomBuffer=0x2689650, RandomBufferLength=0x10 | out: RandomBuffer=0x2689650) returned 1 [0073.231] SystemFunction036 (in: RandomBuffer=0x26896f8, RandomBufferLength=0x10 | out: RandomBuffer=0x26896f8) returned 1 [0073.231] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26880f0 [0073.231] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26878b0 [0073.231] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26880f0*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x26880f0*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.231] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26878b0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26878b0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.231] GetTickCount () returned 0x1153a37 [0073.231] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.231] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.231] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.231] SetLastError (dwErrCode=0x0) [0073.231] WriteFile (in: hFile=0xffffffff, lpBuffer=0x26880f0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.231] GetLastError () returned 0x6 [0073.231] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.231] FindNextFileW (in: hFindFile=0xbe2688, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.231] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.232] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.232] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.232] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.232] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.232] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.232] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.232] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.232] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.232] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.232] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.232] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.232] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.232] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.233] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.233] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.233] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.233] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.233] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.233] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.233] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.233] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.233] CreateFileW (lpFileName="C:\\Boot\\fr-FR\\memtest.exe.mui" (normalized: "c:\\boot\\fr-fr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.233] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689788 [0073.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689818 [0073.233] SystemFunction036 (in: RandomBuffer=0x2689788, RandomBufferLength=0x10 | out: RandomBuffer=0x2689788) returned 1 [0073.233] SystemFunction036 (in: RandomBuffer=0x2689818, RandomBufferLength=0x10 | out: RandomBuffer=0x2689818) returned 1 [0073.234] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2687ee0 [0073.234] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2688930 [0073.234] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2687ee0*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2687ee0*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.234] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2688930*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2688930*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.234] GetTickCount () returned 0x1153a37 [0073.234] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.234] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.234] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.234] SetLastError (dwErrCode=0x0) [0073.234] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2687ee0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.234] GetLastError () returned 0x6 [0073.234] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.234] FindNextFileW (in: hFindFile=0xbe2688, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ade2b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.234] FindClose (in: hFindFile=0xbe2688 | out: hFindFile=0xbe2688) returned 1 [0073.234] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.234] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.235] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.235] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="hr-HR", cAlternateFileName="")) returned 1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2=".") returned 1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="..") returned 1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="...") returned 1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="windows") returned -1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="$RECYCLE.BIN") returned 1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="rsa") returned -1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="NTDETECT.COM") returned -1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="ntldr") returned -1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="MSDOS.SYS") returned -1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="IO.SYS") returned -1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="boot.ini") returned 1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="AUTOEXEC.BAT") returned 1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="ntuser.dat") returned -1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="desktop.ini") returned 1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="CONFIG.SYS") returned 1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="RECYCLER") returned -1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="BOOTSECT.BAK") returned 1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="bootmgr") returned 1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="programdata") returned -1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="appdata") returned 1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="program files") returned -1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="program files (x86)") returned -1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="microsoft") returned -1 [0073.235] lstrcmpiW (lpString1="hr-HR", lpString2="sophos") returned -1 [0073.235] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.235] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.235] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.235] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.235] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.235] FindFirstFileW (in: lpFileName="C:\\Boot\\hr-HR\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2608 [0073.236] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.236] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48a0490, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.236] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.236] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.236] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.236] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.236] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.236] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.236] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.236] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.237] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.237] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.237] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.237] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.237] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.237] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.237] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.237] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.237] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.237] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.237] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.237] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.237] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.237] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.237] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.237] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.237] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.237] CreateFileW (lpFileName="C:\\Boot\\hr-HR\\bootmgr.exe.mui" (normalized: "c:\\boot\\hr-hr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.237] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.237] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689608 [0073.237] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689638 [0073.237] SystemFunction036 (in: RandomBuffer=0x2689608, RandomBufferLength=0x10 | out: RandomBuffer=0x2689608) returned 1 [0073.237] SystemFunction036 (in: RandomBuffer=0x2689638, RandomBufferLength=0x10 | out: RandomBuffer=0x2689638) returned 1 [0073.237] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2688b40 [0073.237] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26877a8 [0073.237] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2688b40*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2688b40*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.238] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26877a8*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x26877a8*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.238] GetTickCount () returned 0x1153a37 [0073.238] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.238] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.238] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.238] SetLastError (dwErrCode=0x0) [0073.238] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2688b40, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.238] GetLastError () returned 0x6 [0073.238] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.238] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0073.238] FindClose (in: hFindFile=0xbe2608 | out: hFindFile=0xbe2608) returned 1 [0073.238] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.238] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.238] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.238] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="hu-HU", cAlternateFileName="")) returned 1 [0073.238] lstrcmpiW (lpString1="hu-HU", lpString2=".") returned 1 [0073.238] lstrcmpiW (lpString1="hu-HU", lpString2="..") returned 1 [0073.238] lstrcmpiW (lpString1="hu-HU", lpString2="...") returned 1 [0073.238] lstrcmpiW (lpString1="hu-HU", lpString2="windows") returned -1 [0073.238] lstrcmpiW (lpString1="hu-HU", lpString2="$RECYCLE.BIN") returned 1 [0073.238] lstrcmpiW (lpString1="hu-HU", lpString2="rsa") returned -1 [0073.238] lstrcmpiW (lpString1="hu-HU", lpString2="NTDETECT.COM") returned -1 [0073.238] lstrcmpiW (lpString1="hu-HU", lpString2="ntldr") returned -1 [0073.238] lstrcmpiW (lpString1="hu-HU", lpString2="MSDOS.SYS") returned -1 [0073.239] lstrcmpiW (lpString1="hu-HU", lpString2="IO.SYS") returned -1 [0073.239] lstrcmpiW (lpString1="hu-HU", lpString2="boot.ini") returned 1 [0073.239] lstrcmpiW (lpString1="hu-HU", lpString2="AUTOEXEC.BAT") returned 1 [0073.239] lstrcmpiW (lpString1="hu-HU", lpString2="ntuser.dat") returned -1 [0073.239] lstrcmpiW (lpString1="hu-HU", lpString2="desktop.ini") returned 1 [0073.239] lstrcmpiW (lpString1="hu-HU", lpString2="CONFIG.SYS") returned 1 [0073.239] lstrcmpiW (lpString1="hu-HU", lpString2="RECYCLER") returned -1 [0073.239] lstrcmpiW (lpString1="hu-HU", lpString2="BOOTSECT.BAK") returned 1 [0073.239] lstrcmpiW (lpString1="hu-HU", lpString2="bootmgr") returned 1 [0073.239] lstrcmpiW (lpString1="hu-HU", lpString2="programdata") returned -1 [0073.239] lstrcmpiW (lpString1="hu-HU", lpString2="appdata") returned 1 [0073.239] lstrcmpiW (lpString1="hu-HU", lpString2="program files") returned -1 [0073.239] lstrcmpiW (lpString1="hu-HU", lpString2="program files (x86)") returned -1 [0073.239] lstrcmpiW (lpString1="hu-HU", lpString2="microsoft") returned -1 [0073.239] lstrcmpiW (lpString1="hu-HU", lpString2="sophos") returned -1 [0073.239] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.239] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.239] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.239] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.239] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.239] FindFirstFileW (in: lpFileName="C:\\Boot\\hu-HU\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2988 [0073.239] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.239] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010c5ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5c171b, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.239] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.239] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.239] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13360, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.239] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.239] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.239] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.239] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.240] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.240] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.240] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.240] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.240] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.240] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.240] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.240] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.240] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.240] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.241] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.241] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.241] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.241] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.241] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.241] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.241] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.241] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.241] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.241] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.241] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.241] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.241] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\bootmgr.exe.mui" (normalized: "c:\\boot\\hu-hu\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.241] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.241] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26895a8 [0073.242] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689698 [0073.242] SystemFunction036 (in: RandomBuffer=0x26895a8, RandomBufferLength=0x10 | out: RandomBuffer=0x26895a8) returned 1 [0073.242] SystemFunction036 (in: RandomBuffer=0x2689698, RandomBufferLength=0x10 | out: RandomBuffer=0x2689698) returned 1 [0073.242] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26881f8 [0073.242] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2689068 [0073.242] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26881f8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x26881f8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.242] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2689068*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2689068*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.242] GetTickCount () returned 0x1153a46 [0073.242] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.242] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.242] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.242] SetLastError (dwErrCode=0x0) [0073.242] WriteFile (in: hFile=0xffffffff, lpBuffer=0x26881f8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.242] GetLastError () returned 0x6 [0073.242] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.242] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.242] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.242] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.242] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.242] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.243] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.243] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.243] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.243] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.243] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.243] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.243] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.243] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.243] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.243] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.243] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.243] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.243] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.243] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.243] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.243] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.243] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.244] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.244] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.244] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.244] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.244] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.244] CreateFileW (lpFileName="C:\\Boot\\hu-HU\\memtest.exe.mui" (normalized: "c:\\boot\\hu-hu\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.244] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.244] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26896e0 [0073.244] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26895c0 [0073.244] SystemFunction036 (in: RandomBuffer=0x26896e0, RandomBufferLength=0x10 | out: RandomBuffer=0x26896e0) returned 1 [0073.244] SystemFunction036 (in: RandomBuffer=0x26895c0, RandomBufferLength=0x10 | out: RandomBuffer=0x26895c0) returned 1 [0073.244] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2688d50 [0073.244] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2687bc8 [0073.244] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2688d50*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2688d50*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.244] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2687bc8*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2687bc8*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.244] GetTickCount () returned 0x1153a46 [0073.244] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.244] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.245] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.245] SetLastError (dwErrCode=0x0) [0073.245] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2688d50, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.245] GetLastError () returned 0x6 [0073.245] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.245] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5c171b, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39d81d8, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb398, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.245] FindClose (in: hFindFile=0xbe2988 | out: hFindFile=0xbe2988) returned 1 [0073.245] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.245] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.245] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.245] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="it-IT", cAlternateFileName="")) returned 1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2=".") returned 1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="..") returned 1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="...") returned 1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="windows") returned -1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="$RECYCLE.BIN") returned 1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="rsa") returned -1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="NTDETECT.COM") returned -1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="ntldr") returned -1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="MSDOS.SYS") returned -1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="IO.SYS") returned 1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="boot.ini") returned 1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="AUTOEXEC.BAT") returned 1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="ntuser.dat") returned -1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="desktop.ini") returned 1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="CONFIG.SYS") returned 1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="RECYCLER") returned -1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="BOOTSECT.BAK") returned 1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="bootmgr") returned 1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="programdata") returned -1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="appdata") returned 1 [0073.245] lstrcmpiW (lpString1="it-IT", lpString2="program files") returned -1 [0073.246] lstrcmpiW (lpString1="it-IT", lpString2="program files (x86)") returned -1 [0073.246] lstrcmpiW (lpString1="it-IT", lpString2="microsoft") returned -1 [0073.246] lstrcmpiW (lpString1="it-IT", lpString2="sophos") returned -1 [0073.246] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.246] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.246] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.246] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.246] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.246] FindFirstFileW (in: lpFileName="C:\\Boot\\it-IT\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2588 [0073.246] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.246] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010ccad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5d8ab4, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.246] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.246] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.246] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48a0490, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.246] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.246] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.246] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.246] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.246] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.246] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.246] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.246] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.246] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.246] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.246] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.246] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.246] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.247] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.247] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.247] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.247] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.247] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.247] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.247] CreateFileW (lpFileName="C:\\Boot\\it-IT\\bootmgr.exe.mui" (normalized: "c:\\boot\\it-it\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.248] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.248] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26897e8 [0073.248] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689770 [0073.248] SystemFunction036 (in: RandomBuffer=0x26897e8, RandomBufferLength=0x10 | out: RandomBuffer=0x26897e8) returned 1 [0073.248] SystemFunction036 (in: RandomBuffer=0x2689770, RandomBufferLength=0x10 | out: RandomBuffer=0x2689770) returned 1 [0073.248] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2688618 [0073.248] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2688a38 [0073.248] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2688618*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2688618*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.248] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2688a38*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2688a38*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.248] GetTickCount () returned 0x1153a46 [0073.248] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.248] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.248] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.248] SetLastError (dwErrCode=0x0) [0073.248] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2688618, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.248] GetLastError () returned 0x6 [0073.248] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.248] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.249] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.249] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.249] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.249] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.249] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.249] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.249] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.249] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.249] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.249] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.249] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.250] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.250] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.250] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.250] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.250] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.250] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.250] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.250] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.250] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.250] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.250] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.250] CreateFileW (lpFileName="C:\\Boot\\it-IT\\memtest.exe.mui" (normalized: "c:\\boot\\it-it\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.250] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.251] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689830 [0073.251] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689710 [0073.251] SystemFunction036 (in: RandomBuffer=0x2689830, RandomBufferLength=0x10 | out: RandomBuffer=0x2689830) returned 1 [0073.251] SystemFunction036 (in: RandomBuffer=0x2689710, RandomBufferLength=0x10 | out: RandomBuffer=0x2689710) returned 1 [0073.251] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2688e58 [0073.251] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2688510 [0073.251] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2688e58*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2688e58*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.251] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2688510*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2688510*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.251] GetTickCount () returned 0x1153a46 [0073.251] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.251] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.251] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.251] SetLastError (dwErrCode=0x0) [0073.251] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2688e58, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.251] GetLastError () returned 0x6 [0073.251] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.251] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48a0490, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5d8ab4, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf30285aa, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.251] FindClose (in: hFindFile=0xbe2588 | out: hFindFile=0xbe2588) returned 1 [0073.252] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.252] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.252] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.252] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="ja-JP", cAlternateFileName="")) returned 1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2=".") returned 1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="..") returned 1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="...") returned 1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="windows") returned -1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="$RECYCLE.BIN") returned 1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="rsa") returned -1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="NTDETECT.COM") returned -1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="ntldr") returned -1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="MSDOS.SYS") returned -1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="IO.SYS") returned 1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="boot.ini") returned 1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="AUTOEXEC.BAT") returned 1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="ntuser.dat") returned -1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="desktop.ini") returned 1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="CONFIG.SYS") returned 1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="RECYCLER") returned -1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="BOOTSECT.BAK") returned 1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="bootmgr") returned 1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="programdata") returned -1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="appdata") returned 1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="program files") returned -1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="program files (x86)") returned -1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="microsoft") returned -1 [0073.252] lstrcmpiW (lpString1="ja-JP", lpString2="sophos") returned -1 [0073.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.252] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.252] FindFirstFileW (in: lpFileName="C:\\Boot\\ja-JP\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2908 [0073.253] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.253] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010d0c0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef5ed6c6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.253] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.253] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.253] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48c6596, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10760, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.253] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.254] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.254] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.254] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.254] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.254] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.254] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.254] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\bootmgr.exe.mui" (normalized: "c:\\boot\\ja-jp\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.254] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.254] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689728 [0073.254] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26895d8 [0073.254] SystemFunction036 (in: RandomBuffer=0x2689728, RandomBufferLength=0x10 | out: RandomBuffer=0x2689728) returned 1 [0073.254] SystemFunction036 (in: RandomBuffer=0x26895d8, RandomBufferLength=0x10 | out: RandomBuffer=0x26895d8) returned 1 [0073.254] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2688720 [0073.254] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2688f60 [0073.254] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2688720*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2688720*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.255] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2688f60*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2688f60*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.255] GetTickCount () returned 0x1153a46 [0073.255] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.255] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.255] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.255] SetLastError (dwErrCode=0x0) [0073.255] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2688720, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.255] GetLastError () returned 0x6 [0073.255] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.255] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.255] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.255] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.255] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.255] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.255] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.255] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.255] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.255] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.255] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.255] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.255] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.255] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.295] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.295] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.295] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.295] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.295] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.295] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.295] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.295] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.295] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.295] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.295] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.295] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.295] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.296] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.296] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.296] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.296] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.296] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.296] CreateFileW (lpFileName="C:\\Boot\\ja-JP\\memtest.exe.mui" (normalized: "c:\\boot\\ja-jp\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.296] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.296] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26896c8 [0073.296] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689758 [0073.296] SystemFunction036 (in: RandomBuffer=0x26896c8, RandomBufferLength=0x10 | out: RandomBuffer=0x26896c8) returned 1 [0073.296] SystemFunction036 (in: RandomBuffer=0x2689758, RandomBufferLength=0x10 | out: RandomBuffer=0x2689758) returned 1 [0073.296] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2689170 [0073.296] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2688408 [0073.296] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2689170*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2689170*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.297] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2688408*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2688408*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.297] GetTickCount () returned 0x1153a75 [0073.297] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.297] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.297] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.297] SetLastError (dwErrCode=0x0) [0073.297] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2689170, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.297] GetLastError () returned 0x6 [0073.297] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.297] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5ed6c6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf300233f, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa798, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.297] FindClose (in: hFindFile=0xbe2908 | out: hFindFile=0xbe2908) returned 1 [0073.297] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.297] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.297] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.297] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="ko-KR", cAlternateFileName="")) returned 1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2=".") returned 1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="..") returned 1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="...") returned 1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="windows") returned -1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="$RECYCLE.BIN") returned 1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="rsa") returned -1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="NTDETECT.COM") returned -1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="ntldr") returned -1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="MSDOS.SYS") returned -1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="IO.SYS") returned 1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="boot.ini") returned 1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="AUTOEXEC.BAT") returned 1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="ntuser.dat") returned -1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="desktop.ini") returned 1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="CONFIG.SYS") returned 1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="RECYCLER") returned -1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="BOOTSECT.BAK") returned 1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="bootmgr") returned 1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="programdata") returned -1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="appdata") returned 1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="program files") returned -1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="program files (x86)") returned -1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="microsoft") returned -1 [0073.298] lstrcmpiW (lpString1="ko-KR", lpString2="sophos") returned -1 [0073.298] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.298] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.298] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.298] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.298] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.298] FindFirstFileW (in: lpFileName="C:\\Boot\\ko-KR\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2408 [0073.299] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.299] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48c6596, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef5fc210, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.299] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.299] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.299] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211c6af1, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x10560, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.299] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.300] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.300] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.300] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.300] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.300] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.300] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.300] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.300] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.300] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.300] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.300] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.300] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.300] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.300] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.300] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.300] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.300] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.300] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.300] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.301] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\bootmgr.exe.mui" (normalized: "c:\\boot\\ko-kr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.301] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.301] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26897a0 [0073.301] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689848 [0073.301] SystemFunction036 (in: RandomBuffer=0x26897a0, RandomBufferLength=0x10 | out: RandomBuffer=0x26897a0) returned 1 [0073.301] SystemFunction036 (in: RandomBuffer=0x2689848, RandomBufferLength=0x10 | out: RandomBuffer=0x2689848) returned 1 [0073.301] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26879b8 [0073.301] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2689380 [0073.301] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26879b8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x26879b8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.301] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2689380*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2689380*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.301] GetTickCount () returned 0x1153a75 [0073.301] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.301] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.301] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.301] SetLastError (dwErrCode=0x0) [0073.301] WriteFile (in: hFile=0xffffffff, lpBuffer=0x26879b8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.302] GetLastError () returned 0x6 [0073.302] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.302] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.302] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.302] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.302] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.302] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.302] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.302] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.302] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.303] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.303] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.303] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.303] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.303] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.303] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.303] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.303] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.303] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.303] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.303] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.303] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.303] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.303] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.303] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.303] CreateFileW (lpFileName="C:\\Boot\\ko-KR\\memtest.exe.mui" (normalized: "c:\\boot\\ko-kr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.303] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.303] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26897b8 [0073.303] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26897d0 [0073.303] SystemFunction036 (in: RandomBuffer=0x26897b8, RandomBufferLength=0x10 | out: RandomBuffer=0x26897b8) returned 1 [0073.303] SystemFunction036 (in: RandomBuffer=0x26897d0, RandomBufferLength=0x10 | out: RandomBuffer=0x26897d0) returned 1 [0073.303] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2687cd0 [0073.303] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268a608 [0073.303] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2687cd0*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2687cd0*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.304] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268a608*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268a608*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.304] GetTickCount () returned 0x1153a85 [0073.304] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.304] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.304] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.304] SetLastError (dwErrCode=0x0) [0073.304] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2687cd0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.304] GetLastError () returned 0x6 [0073.304] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.304] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef5fc210, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fdc0d7, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa7a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.304] FindClose (in: hFindFile=0xbe2408 | out: hFindFile=0xbe2408) returned 1 [0073.304] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.304] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.304] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.304] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="lt-LT", cAlternateFileName="")) returned 1 [0073.304] lstrcmpiW (lpString1="lt-LT", lpString2=".") returned 1 [0073.304] lstrcmpiW (lpString1="lt-LT", lpString2="..") returned 1 [0073.304] lstrcmpiW (lpString1="lt-LT", lpString2="...") returned 1 [0073.304] lstrcmpiW (lpString1="lt-LT", lpString2="windows") returned -1 [0073.304] lstrcmpiW (lpString1="lt-LT", lpString2="$RECYCLE.BIN") returned 1 [0073.304] lstrcmpiW (lpString1="lt-LT", lpString2="rsa") returned -1 [0073.304] lstrcmpiW (lpString1="lt-LT", lpString2="NTDETECT.COM") returned -1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="ntldr") returned -1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="MSDOS.SYS") returned -1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="IO.SYS") returned 1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="boot.ini") returned 1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="AUTOEXEC.BAT") returned 1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="ntuser.dat") returned -1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="desktop.ini") returned 1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="CONFIG.SYS") returned 1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="RECYCLER") returned -1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="BOOTSECT.BAK") returned 1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="bootmgr") returned 1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="programdata") returned -1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="appdata") returned 1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="program files") returned -1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="program files (x86)") returned -1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="microsoft") returned -1 [0073.305] lstrcmpiW (lpString1="lt-LT", lpString2="sophos") returned -1 [0073.305] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.305] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.305] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.305] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.305] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.305] FindFirstFileW (in: lpFileName="C:\\Boot\\lt-LT\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2588 [0073.305] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.305] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.305] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.305] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.305] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.305] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.305] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.306] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.306] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.306] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.306] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.306] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.306] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.306] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.306] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.306] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.306] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.306] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.306] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.306] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.306] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.307] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.307] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.307] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.307] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.307] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.307] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.307] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.307] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.307] CreateFileW (lpFileName="C:\\Boot\\lt-LT\\bootmgr.exe.mui" (normalized: "c:\\boot\\lt-lt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.307] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.307] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689800 [0073.307] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689860 [0073.307] SystemFunction036 (in: RandomBuffer=0x2689800, RandomBufferLength=0x10 | out: RandomBuffer=0x2689800) returned 1 [0073.307] SystemFunction036 (in: RandomBuffer=0x2689860, RandomBufferLength=0x10 | out: RandomBuffer=0x2689860) returned 1 [0073.307] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268af50 [0073.307] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268a920 [0073.307] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268af50*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268af50*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.308] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268a920*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268a920*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.308] GetTickCount () returned 0x1153a85 [0073.308] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.308] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.308] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.308] SetLastError (dwErrCode=0x0) [0073.308] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268af50, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.308] GetLastError () returned 0x6 [0073.308] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.308] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0073.308] FindClose (in: hFindFile=0xbe2588 | out: hFindFile=0xbe2588) returned 1 [0073.308] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.308] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.308] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.308] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="lv-LV", cAlternateFileName="")) returned 1 [0073.308] lstrcmpiW (lpString1="lv-LV", lpString2=".") returned 1 [0073.308] lstrcmpiW (lpString1="lv-LV", lpString2="..") returned 1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="...") returned 1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="windows") returned -1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="$RECYCLE.BIN") returned 1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="rsa") returned -1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="NTDETECT.COM") returned -1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="ntldr") returned -1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="MSDOS.SYS") returned -1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="IO.SYS") returned 1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="boot.ini") returned 1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="AUTOEXEC.BAT") returned 1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="ntuser.dat") returned -1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="desktop.ini") returned 1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="CONFIG.SYS") returned 1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="RECYCLER") returned -1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="BOOTSECT.BAK") returned 1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="bootmgr") returned 1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="programdata") returned -1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="appdata") returned 1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="program files") returned -1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="program files (x86)") returned -1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="microsoft") returned -1 [0073.309] lstrcmpiW (lpString1="lv-LV", lpString2="sophos") returned -1 [0073.309] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.309] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.309] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.309] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.309] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.309] FindFirstFileW (in: lpFileName="C:\\Boot\\lv-LV\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2588 [0073.309] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.310] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc48ec805, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.310] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.310] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.310] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.310] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.310] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.310] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.310] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.310] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.310] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.311] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.311] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.311] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.311] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.311] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.311] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.311] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.311] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.311] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.311] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.311] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.311] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.311] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.311] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.311] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.311] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.311] CreateFileW (lpFileName="C:\\Boot\\lv-LV\\bootmgr.exe.mui" (normalized: "c:\\boot\\lv-lv\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.311] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.311] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26898f0 [0073.311] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689908 [0073.311] SystemFunction036 (in: RandomBuffer=0x26898f0, RandomBufferLength=0x10 | out: RandomBuffer=0x26898f0) returned 1 [0073.311] SystemFunction036 (in: RandomBuffer=0x2689908, RandomBufferLength=0x10 | out: RandomBuffer=0x2689908) returned 1 [0073.311] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268a500 [0073.311] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268b058 [0073.311] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268a500*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268a500*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.312] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268b058*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268b058*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.312] GetTickCount () returned 0x1153a85 [0073.312] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.312] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.312] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.312] SetLastError (dwErrCode=0x0) [0073.312] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268a500, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.312] GetLastError () returned 0x6 [0073.312] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.312] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc48ec805, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2117a634, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12758, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0073.312] FindClose (in: hFindFile=0xbe2588 | out: hFindFile=0xbe2588) returned 1 [0073.312] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.312] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.312] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.312] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc48ec805, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6196d8, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbcf473f, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xc63a0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="memtest.exe", cAlternateFileName="")) returned 1 [0073.312] lstrcmpiW (lpString1="memtest.exe", lpString2=".") returned 1 [0073.312] lstrcmpiW (lpString1="memtest.exe", lpString2="..") returned 1 [0073.312] lstrcmpiW (lpString1="memtest.exe", lpString2="...") returned 1 [0073.312] lstrcmpiW (lpString1="memtest.exe", lpString2="windows") returned -1 [0073.312] lstrcmpiW (lpString1="memtest.exe", lpString2="$RECYCLE.BIN") returned 1 [0073.312] lstrcmpiW (lpString1="memtest.exe", lpString2="rsa") returned -1 [0073.312] lstrcmpiW (lpString1="memtest.exe", lpString2="NTDETECT.COM") returned -1 [0073.312] lstrcmpiW (lpString1="memtest.exe", lpString2="ntldr") returned -1 [0073.312] lstrcmpiW (lpString1="memtest.exe", lpString2="MSDOS.SYS") returned -1 [0073.312] lstrcmpiW (lpString1="memtest.exe", lpString2="IO.SYS") returned 1 [0073.313] lstrcmpiW (lpString1="memtest.exe", lpString2="boot.ini") returned 1 [0073.313] lstrcmpiW (lpString1="memtest.exe", lpString2="AUTOEXEC.BAT") returned 1 [0073.313] lstrcmpiW (lpString1="memtest.exe", lpString2="ntuser.dat") returned -1 [0073.313] lstrcmpiW (lpString1="memtest.exe", lpString2="desktop.ini") returned 1 [0073.313] lstrcmpiW (lpString1="memtest.exe", lpString2="CONFIG.SYS") returned 1 [0073.313] lstrcmpiW (lpString1="memtest.exe", lpString2="RECYCLER") returned -1 [0073.313] lstrcmpiW (lpString1="memtest.exe", lpString2="BOOTSECT.BAK") returned 1 [0073.313] lstrcmpiW (lpString1="memtest.exe", lpString2="bootmgr") returned 1 [0073.313] lstrcmpiW (lpString1="memtest.exe", lpString2="programdata") returned -1 [0073.313] lstrcmpiW (lpString1="memtest.exe", lpString2="appdata") returned 1 [0073.313] lstrcmpiW (lpString1="memtest.exe", lpString2="program files") returned -1 [0073.313] lstrcmpiW (lpString1="memtest.exe", lpString2="program files (x86)") returned -1 [0073.313] lstrcmpiW (lpString1="memtest.exe", lpString2="microsoft") returned -1 [0073.313] lstrcmpiW (lpString1="memtest.exe", lpString2="sophos") returned -1 [0073.313] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.313] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.313] PathFindExtensionW (pszPath="memtest.exe") returned=".exe" [0073.313] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0073.313] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="nb-NO", cAlternateFileName="")) returned 1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2=".") returned 1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2="..") returned 1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2="...") returned 1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2="windows") returned -1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2="$RECYCLE.BIN") returned 1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2="rsa") returned -1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2="NTDETECT.COM") returned -1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2="ntldr") returned -1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2="MSDOS.SYS") returned 1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2="IO.SYS") returned 1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2="boot.ini") returned 1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2="AUTOEXEC.BAT") returned 1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2="ntuser.dat") returned -1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2="desktop.ini") returned 1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2="CONFIG.SYS") returned 1 [0073.313] lstrcmpiW (lpString1="nb-NO", lpString2="RECYCLER") returned -1 [0073.314] lstrcmpiW (lpString1="nb-NO", lpString2="BOOTSECT.BAK") returned 1 [0073.314] lstrcmpiW (lpString1="nb-NO", lpString2="bootmgr") returned 1 [0073.314] lstrcmpiW (lpString1="nb-NO", lpString2="programdata") returned -1 [0073.314] lstrcmpiW (lpString1="nb-NO", lpString2="appdata") returned 1 [0073.314] lstrcmpiW (lpString1="nb-NO", lpString2="program files") returned -1 [0073.314] lstrcmpiW (lpString1="nb-NO", lpString2="program files (x86)") returned -1 [0073.314] lstrcmpiW (lpString1="nb-NO", lpString2="microsoft") returned 1 [0073.314] lstrcmpiW (lpString1="nb-NO", lpString2="sophos") returned -1 [0073.314] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.314] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.314] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.314] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.314] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.314] FindFirstFileW (in: lpFileName="C:\\Boot\\nb-NO\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2348 [0073.315] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.315] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e138, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef62cf52, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.315] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.315] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.315] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12760, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.315] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.315] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.315] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.316] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.316] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.316] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\bootmgr.exe.mui" (normalized: "c:\\boot\\nb-no\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.316] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26898c0 [0073.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26898d8 [0073.316] SystemFunction036 (in: RandomBuffer=0x26898c0, RandomBufferLength=0x10 | out: RandomBuffer=0x26898c0) returned 1 [0073.316] SystemFunction036 (in: RandomBuffer=0x26898d8, RandomBufferLength=0x10 | out: RandomBuffer=0x26898d8) returned 1 [0073.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2689bb8 [0073.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2689ab0 [0073.316] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2689bb8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2689bb8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.317] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2689ab0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2689ab0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.317] GetTickCount () returned 0x1153a85 [0073.317] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.317] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.317] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.317] SetLastError (dwErrCode=0x0) [0073.317] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2689bb8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.317] GetLastError () returned 0x6 [0073.317] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.317] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.317] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.317] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.317] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.317] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.317] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.317] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.317] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.317] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.317] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.317] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.317] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.317] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.317] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.317] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.317] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.318] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.318] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.318] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.318] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.318] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.318] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.318] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.318] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.318] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.318] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.318] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.318] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.318] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.318] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.318] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.318] CreateFileW (lpFileName="C:\\Boot\\nb-NO\\memtest.exe.mui" (normalized: "c:\\boot\\nb-no\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.319] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.319] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689920 [0073.319] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689950 [0073.319] SystemFunction036 (in: RandomBuffer=0x2689920, RandomBufferLength=0x10 | out: RandomBuffer=0x2689920) returned 1 [0073.319] SystemFunction036 (in: RandomBuffer=0x2689950, RandomBufferLength=0x10 | out: RandomBuffer=0x2689950) returned 1 [0073.319] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268ae48 [0073.319] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268ac38 [0073.319] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268ae48*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268ae48*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.319] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268ac38*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268ac38*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.319] GetTickCount () returned 0x1153a94 [0073.319] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.319] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.319] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.319] SetLastError (dwErrCode=0x0) [0073.319] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268ae48, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.319] GetLastError () returned 0x6 [0073.319] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.320] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef62cf52, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.320] FindClose (in: hFindFile=0xbe2348 | out: hFindFile=0xbe2348) returned 1 [0073.320] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.320] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.320] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.320] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="nl-NL", cAlternateFileName="")) returned 1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2=".") returned 1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="..") returned 1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="...") returned 1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="windows") returned -1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="$RECYCLE.BIN") returned 1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="rsa") returned -1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="NTDETECT.COM") returned -1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="ntldr") returned -1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="MSDOS.SYS") returned 1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="IO.SYS") returned 1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="boot.ini") returned 1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="AUTOEXEC.BAT") returned 1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="ntuser.dat") returned -1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="desktop.ini") returned 1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="CONFIG.SYS") returned 1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="RECYCLER") returned -1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="BOOTSECT.BAK") returned 1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="bootmgr") returned 1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="programdata") returned -1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="appdata") returned 1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="program files") returned -1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="program files (x86)") returned -1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="microsoft") returned 1 [0073.320] lstrcmpiW (lpString1="nl-NL", lpString2="sophos") returned -1 [0073.320] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.320] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.320] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.320] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.321] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.321] FindFirstFileW (in: lpFileName="C:\\Boot\\nl-NL\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2a88 [0073.321] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.321] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010e4fa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6407cf, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.321] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.321] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.321] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x211543da, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x13160, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.321] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.322] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.322] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.322] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.322] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.322] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.322] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.322] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.322] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.322] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\bootmgr.exe.mui" (normalized: "c:\\boot\\nl-nl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.323] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.323] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x26898a8 [0073.323] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689968 [0073.323] SystemFunction036 (in: RandomBuffer=0x26898a8, RandomBufferLength=0x10 | out: RandomBuffer=0x26898a8) returned 1 [0073.323] SystemFunction036 (in: RandomBuffer=0x2689968, RandomBufferLength=0x10 | out: RandomBuffer=0x2689968) returned 1 [0073.323] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2689fd8 [0073.323] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268ad40 [0073.323] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2689fd8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2689fd8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.323] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268ad40*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268ad40*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.323] GetTickCount () returned 0x1153a94 [0073.323] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.323] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.324] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.324] SetLastError (dwErrCode=0x0) [0073.324] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2689fd8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.324] GetLastError () returned 0x6 [0073.324] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.324] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.324] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.324] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.324] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.324] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.325] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.325] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.325] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.325] CreateFileW (lpFileName="C:\\Boot\\nl-NL\\memtest.exe.mui" (normalized: "c:\\boot\\nl-nl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.325] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.325] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x2689938 [0073.325] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bc58 [0073.325] SystemFunction036 (in: RandomBuffer=0x2689938, RandomBufferLength=0x10 | out: RandomBuffer=0x2689938) returned 1 [0073.325] SystemFunction036 (in: RandomBuffer=0x268bc58, RandomBufferLength=0x10 | out: RandomBuffer=0x268bc58) returned 1 [0073.325] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2689cc0 [0073.325] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268a3f8 [0073.325] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2689cc0*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2689cc0*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.326] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268a3f8*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268a3f8*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.326] GetTickCount () returned 0x1153a94 [0073.326] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.326] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.326] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.326] SetLastError (dwErrCode=0x0) [0073.326] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2689cc0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.326] GetLastError () returned 0x6 [0073.326] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.326] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6407cf, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2fb5e6c, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.326] FindClose (in: hFindFile=0xbe2a88 | out: hFindFile=0xbe2a88) returned 1 [0073.326] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.326] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.326] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.326] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="pl-PL", cAlternateFileName="")) returned 1 [0073.326] lstrcmpiW (lpString1="pl-PL", lpString2=".") returned 1 [0073.326] lstrcmpiW (lpString1="pl-PL", lpString2="..") returned 1 [0073.326] lstrcmpiW (lpString1="pl-PL", lpString2="...") returned 1 [0073.326] lstrcmpiW (lpString1="pl-PL", lpString2="windows") returned -1 [0073.326] lstrcmpiW (lpString1="pl-PL", lpString2="$RECYCLE.BIN") returned 1 [0073.326] lstrcmpiW (lpString1="pl-PL", lpString2="rsa") returned -1 [0073.326] lstrcmpiW (lpString1="pl-PL", lpString2="NTDETECT.COM") returned 1 [0073.326] lstrcmpiW (lpString1="pl-PL", lpString2="ntldr") returned 1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="MSDOS.SYS") returned 1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="IO.SYS") returned 1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="boot.ini") returned 1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="AUTOEXEC.BAT") returned 1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="ntuser.dat") returned 1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="desktop.ini") returned 1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="CONFIG.SYS") returned 1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="RECYCLER") returned -1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="BOOTSECT.BAK") returned 1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="bootmgr") returned 1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="programdata") returned -1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="appdata") returned 1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="program files") returned -1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="program files (x86)") returned -1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="microsoft") returned 1 [0073.327] lstrcmpiW (lpString1="pl-PL", lpString2="sophos") returned -1 [0073.327] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.327] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.327] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.327] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.327] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.327] FindFirstFileW (in: lpFileName="C:\\Boot\\pl-PL\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2808 [0073.327] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.327] FindNextFileW (in: hFindFile=0xbe2808, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef65403a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.327] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.327] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.327] FindNextFileW (in: hFindFile=0xbe2808, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12f58, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.327] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.328] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.328] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.328] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.328] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.328] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.328] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.328] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.328] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.328] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.328] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.328] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.328] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.328] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.328] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.328] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.328] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.328] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.329] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.329] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.329] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.329] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.329] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.329] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\bootmgr.exe.mui" (normalized: "c:\\boot\\pl-pl\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.329] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.329] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268ba00 [0073.329] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268ba18 [0073.329] SystemFunction036 (in: RandomBuffer=0x268ba00, RandomBufferLength=0x10 | out: RandomBuffer=0x268ba00) returned 1 [0073.329] SystemFunction036 (in: RandomBuffer=0x268ba18, RandomBufferLength=0x10 | out: RandomBuffer=0x268ba18) returned 1 [0073.329] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268aa28 [0073.329] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2689dc8 [0073.329] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268aa28*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268aa28*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.329] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2689dc8*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x2689dc8*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.329] GetTickCount () returned 0x1153a94 [0073.329] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.329] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.330] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.330] SetLastError (dwErrCode=0x0) [0073.330] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268aa28, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.330] GetLastError () returned 0x6 [0073.330] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.330] FindNextFileW (in: hFindFile=0xbe2808, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.330] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.330] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.330] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.330] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.330] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.331] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.331] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.331] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.331] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.331] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.331] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.331] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.331] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.331] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.331] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.331] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.331] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.331] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.331] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.331] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.331] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.331] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.331] CreateFileW (lpFileName="C:\\Boot\\pl-PL\\memtest.exe.mui" (normalized: "c:\\boot\\pl-pl\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.415] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.415] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268ba48 [0073.415] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268ba90 [0073.415] SystemFunction036 (in: RandomBuffer=0x268ba48, RandomBufferLength=0x10 | out: RandomBuffer=0x268ba48) returned 1 [0073.415] SystemFunction036 (in: RandomBuffer=0x268ba90, RandomBufferLength=0x10 | out: RandomBuffer=0x268ba90) returned 1 [0073.415] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268a1e8 [0073.415] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268a2f0 [0073.415] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268a1e8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268a1e8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.416] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268a2f0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268a2f0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.417] GetTickCount () returned 0x1153af2 [0073.417] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.417] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.417] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.418] SetLastError (dwErrCode=0x0) [0073.418] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268a1e8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.418] GetLastError () returned 0x6 [0073.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.418] FindNextFileW (in: hFindFile=0xbe2808, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65403a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.418] FindClose (in: hFindFile=0xbe2808 | out: hFindFile=0xbe2808) returned 1 [0073.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.418] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="pt-BR", cAlternateFileName="")) returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2=".") returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="..") returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="...") returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="windows") returned -1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="$RECYCLE.BIN") returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="rsa") returned -1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="NTDETECT.COM") returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="ntldr") returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="MSDOS.SYS") returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="IO.SYS") returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="boot.ini") returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="AUTOEXEC.BAT") returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="ntuser.dat") returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="desktop.ini") returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="CONFIG.SYS") returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="RECYCLER") returned -1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="BOOTSECT.BAK") returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="bootmgr") returned 1 [0073.418] lstrcmpiW (lpString1="pt-BR", lpString2="programdata") returned 1 [0073.419] lstrcmpiW (lpString1="pt-BR", lpString2="appdata") returned 1 [0073.419] lstrcmpiW (lpString1="pt-BR", lpString2="program files") returned 1 [0073.419] lstrcmpiW (lpString1="pt-BR", lpString2="program files (x86)") returned 1 [0073.419] lstrcmpiW (lpString1="pt-BR", lpString2="microsoft") returned 1 [0073.419] lstrcmpiW (lpString1="pt-BR", lpString2="sophos") returned -1 [0073.419] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.419] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.419] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.419] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.419] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.419] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-BR\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2988 [0073.419] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.419] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6678d6, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6678d6, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.419] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.419] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.419] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4912aed, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4912aed, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.419] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.419] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.419] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.419] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.419] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.419] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.419] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.419] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.419] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.419] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.419] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.420] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.420] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.420] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.420] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.420] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.420] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.420] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-br\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.421] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bb98 [0073.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268ba60 [0073.421] SystemFunction036 (in: RandomBuffer=0x268bb98, RandomBufferLength=0x10 | out: RandomBuffer=0x268bb98) returned 1 [0073.421] SystemFunction036 (in: RandomBuffer=0x268ba60, RandomBufferLength=0x10 | out: RandomBuffer=0x268ba60) returned 1 [0073.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268b160 [0073.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268b790 [0073.421] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268b160*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268b160*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.422] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268b790*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268b790*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.423] GetTickCount () returned 0x1153af2 [0073.423] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.423] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.423] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.423] SetLastError (dwErrCode=0x0) [0073.423] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268b160, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.423] GetLastError () returned 0x6 [0073.423] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.423] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.423] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.423] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.423] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.423] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.423] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.423] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.423] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.423] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.424] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.424] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.424] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.424] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.424] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.425] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.425] CreateFileW (lpFileName="C:\\Boot\\pt-BR\\memtest.exe.mui" (normalized: "c:\\boot\\pt-br\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.425] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.425] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268ba30 [0073.425] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bca0 [0073.425] SystemFunction036 (in: RandomBuffer=0x268ba30, RandomBufferLength=0x10 | out: RandomBuffer=0x268ba30) returned 1 [0073.425] SystemFunction036 (in: RandomBuffer=0x268bca0, RandomBufferLength=0x10 | out: RandomBuffer=0x268bca0) returned 1 [0073.425] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268a710 [0073.425] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268a0e0 [0073.425] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268a710*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268a710*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.425] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268a0e0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268a0e0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.425] GetTickCount () returned 0x1153af2 [0073.425] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.425] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.425] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.425] SetLastError (dwErrCode=0x0) [0073.425] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268a710, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.426] GetLastError () returned 0x6 [0073.426] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.426] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef65dc94, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.426] FindClose (in: hFindFile=0xbe2988 | out: hFindFile=0xbe2988) returned 1 [0073.426] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.426] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.426] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.426] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="pt-PT", cAlternateFileName="")) returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2=".") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="..") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="...") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="windows") returned -1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="$RECYCLE.BIN") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="rsa") returned -1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="NTDETECT.COM") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="ntldr") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="MSDOS.SYS") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="IO.SYS") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="boot.ini") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="AUTOEXEC.BAT") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="ntuser.dat") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="desktop.ini") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="CONFIG.SYS") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="RECYCLER") returned -1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="BOOTSECT.BAK") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="bootmgr") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="programdata") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="appdata") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="program files") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="program files (x86)") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="microsoft") returned 1 [0073.426] lstrcmpiW (lpString1="pt-PT", lpString2="sophos") returned -1 [0073.426] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.427] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.427] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.427] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.427] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.427] FindFirstFileW (in: lpFileName="C:\\Boot\\pt-PT\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2688 [0073.427] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.427] FindNextFileW (in: hFindFile=0xbe2688, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f167, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6714dc, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.428] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.428] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.428] FindNextFileW (in: hFindFile=0xbe2688, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2112e17f, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.428] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.428] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.428] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.428] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.428] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.428] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.429] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.429] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.429] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.429] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.429] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.429] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.429] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.429] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.429] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.429] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.429] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.429] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.429] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.429] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.429] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.429] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.429] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\bootmgr.exe.mui" (normalized: "c:\\boot\\pt-pt\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.429] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.429] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bac0 [0073.429] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bad8 [0073.429] SystemFunction036 (in: RandomBuffer=0x268bac0, RandomBufferLength=0x10 | out: RandomBuffer=0x268bac0) returned 1 [0073.429] SystemFunction036 (in: RandomBuffer=0x268bad8, RandomBufferLength=0x10 | out: RandomBuffer=0x268bad8) returned 1 [0073.429] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268b478 [0073.429] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268a818 [0073.429] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268b478*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268b478*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.430] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268a818*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268a818*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.430] GetTickCount () returned 0x1153b02 [0073.430] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.430] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.430] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.430] SetLastError (dwErrCode=0x0) [0073.430] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268b478, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.430] GetLastError () returned 0x6 [0073.430] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.430] FindNextFileW (in: hFindFile=0xbe2688, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.430] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.431] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.431] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.431] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.431] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.431] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.431] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.431] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.431] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.431] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.431] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.431] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.431] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.431] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.431] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.431] CreateFileW (lpFileName="C:\\Boot\\pt-PT\\memtest.exe.mui" (normalized: "c:\\boot\\pt-pt\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.431] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.431] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bc70 [0073.432] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bb50 [0073.432] SystemFunction036 (in: RandomBuffer=0x268bc70, RandomBufferLength=0x10 | out: RandomBuffer=0x268bc70) returned 1 [0073.432] SystemFunction036 (in: RandomBuffer=0x268bb50, RandomBufferLength=0x10 | out: RandomBuffer=0x268bb50) returned 1 [0073.432] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x2689ed0 [0073.432] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268ab30 [0073.432] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2689ed0*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x2689ed0*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.432] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268ab30*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268ab30*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.433] GetTickCount () returned 0x1153b02 [0073.433] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.433] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.433] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.433] SetLastError (dwErrCode=0x0) [0073.433] WriteFile (in: hFile=0xffffffff, lpBuffer=0x2689ed0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.433] GetLastError () returned 0x6 [0073.433] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.433] FindNextFileW (in: hFindFile=0xbe2688, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6714dc, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f8fc0d, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb3a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.433] FindClose (in: hFindFile=0xbe2688 | out: hFindFile=0xbe2688) returned 1 [0073.433] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.433] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.433] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.433] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="qps-ploc", cAlternateFileName="")) returned 1 [0073.433] lstrcmpiW (lpString1="qps-ploc", lpString2=".") returned 1 [0073.433] lstrcmpiW (lpString1="qps-ploc", lpString2="..") returned 1 [0073.433] lstrcmpiW (lpString1="qps-ploc", lpString2="...") returned 1 [0073.433] lstrcmpiW (lpString1="qps-ploc", lpString2="windows") returned -1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="$RECYCLE.BIN") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="rsa") returned -1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="NTDETECT.COM") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="ntldr") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="MSDOS.SYS") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="IO.SYS") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="boot.ini") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="AUTOEXEC.BAT") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="ntuser.dat") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="desktop.ini") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="CONFIG.SYS") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="RECYCLER") returned -1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="BOOTSECT.BAK") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="bootmgr") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="programdata") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="appdata") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="program files") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="program files (x86)") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="microsoft") returned 1 [0073.434] lstrcmpiW (lpString1="qps-ploc", lpString2="sophos") returned -1 [0073.434] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.434] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.434] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.434] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.434] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804f0 [0073.434] FindFirstFileW (in: lpFileName="C:\\Boot\\qps-ploc\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2ac8 [0073.434] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.434] FindNextFileW (in: hFindFile=0xbe2ac8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa010f640, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef684d85, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.434] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.434] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.434] FindNextFileW (in: hFindFile=0xbe2ac8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12160, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.435] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.435] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680528 [0073.435] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804f0 | out: hHeap=0x2680000) returned 1 [0073.435] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.435] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.435] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.435] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.435] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.435] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.435] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.435] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.435] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.435] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.436] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.436] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.436] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.436] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.436] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.436] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.436] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.436] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.436] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bd90 [0073.436] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\bootmgr.exe.mui" (normalized: "c:\\boot\\qps-ploc\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.436] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.436] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bc28 [0073.436] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268ba78 [0073.436] SystemFunction036 (in: RandomBuffer=0x268bc28, RandomBufferLength=0x10 | out: RandomBuffer=0x268bc28) returned 1 [0073.436] SystemFunction036 (in: RandomBuffer=0x268ba78, RandomBufferLength=0x10 | out: RandomBuffer=0x268ba78) returned 1 [0073.436] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268b268 [0073.436] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268b370 [0073.437] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268b268*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268b268*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.438] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268b370*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268b370*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.440] GetTickCount () returned 0x1153b02 [0073.440] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804f0 [0073.440] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804f0 | out: hHeap=0x2680000) returned 1 [0073.440] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.440] SetLastError (dwErrCode=0x0) [0073.440] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268b268, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.440] GetLastError () returned 0x6 [0073.440] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0073.440] FindNextFileW (in: hFindFile=0xbe2ac8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.440] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.440] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bd90 [0073.441] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680528 | out: hHeap=0x2680000) returned 1 [0073.441] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.441] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.441] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.441] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804f0 [0073.441] CreateFileW (lpFileName="C:\\Boot\\qps-ploc\\memtest.exe.mui" (normalized: "c:\\boot\\qps-ploc\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.441] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.441] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268baa8 [0073.441] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268baf0 [0073.441] SystemFunction036 (in: RandomBuffer=0x268baa8, RandomBufferLength=0x10 | out: RandomBuffer=0x268baa8) returned 1 [0073.441] SystemFunction036 (in: RandomBuffer=0x268baf0, RandomBufferLength=0x10 | out: RandomBuffer=0x268baf0) returned 1 [0073.441] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268b580 [0073.441] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268b688 [0073.441] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268b580*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268b580*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.442] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268b688*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268b688*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.443] GetTickCount () returned 0x1153b02 [0073.443] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2680548 [0073.443] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680548 | out: hHeap=0x2680000) returned 1 [0073.443] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.443] SetLastError (dwErrCode=0x0) [0073.443] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268b580, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.443] GetLastError () returned 0x6 [0073.443] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804f0 | out: hHeap=0x2680000) returned 1 [0073.443] FindNextFileW (in: hFindFile=0xbe2ac8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef684d85, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfbd1a998, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0xd398, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.443] FindClose (in: hFindFile=0xbe2ac8 | out: hFindFile=0xbe2ac8) returned 1 [0073.443] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0073.443] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.443] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.443] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="Resources", cAlternateFileName="RESOUR~1")) returned 1 [0073.443] lstrcmpiW (lpString1="Resources", lpString2=".") returned 1 [0073.443] lstrcmpiW (lpString1="Resources", lpString2="..") returned 1 [0073.443] lstrcmpiW (lpString1="Resources", lpString2="...") returned 1 [0073.443] lstrcmpiW (lpString1="Resources", lpString2="windows") returned -1 [0073.443] lstrcmpiW (lpString1="Resources", lpString2="$RECYCLE.BIN") returned 1 [0073.443] lstrcmpiW (lpString1="Resources", lpString2="rsa") returned -1 [0073.443] lstrcmpiW (lpString1="Resources", lpString2="NTDETECT.COM") returned 1 [0073.443] lstrcmpiW (lpString1="Resources", lpString2="ntldr") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="MSDOS.SYS") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="IO.SYS") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="boot.ini") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="AUTOEXEC.BAT") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="ntuser.dat") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="desktop.ini") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="CONFIG.SYS") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="RECYCLER") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="BOOTSECT.BAK") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="bootmgr") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="programdata") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="appdata") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="program files") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="program files (x86)") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="microsoft") returned 1 [0073.444] lstrcmpiW (lpString1="Resources", lpString2="sophos") returned -1 [0073.444] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.444] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.444] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.444] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.444] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804f0 [0073.444] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2948 [0073.445] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.445] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ab61e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9abff9, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.445] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.445] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.445] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9abff9, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef597530, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x169a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootres.dll", cAlternateFileName="")) returned 1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2=".") returned 1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="..") returned 1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="...") returned 1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="windows") returned -1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="$RECYCLE.BIN") returned 1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="rsa") returned -1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="NTDETECT.COM") returned -1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="ntldr") returned -1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="MSDOS.SYS") returned -1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="IO.SYS") returned -1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="boot.ini") returned 1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="AUTOEXEC.BAT") returned 1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="ntuser.dat") returned -1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="desktop.ini") returned -1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="CONFIG.SYS") returned -1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="RECYCLER") returned -1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="BOOTSECT.BAK") returned -1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="bootmgr") returned 1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="programdata") returned -1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="appdata") returned 1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="program files") returned -1 [0073.445] lstrcmpiW (lpString1="bootres.dll", lpString2="program files (x86)") returned -1 [0073.446] lstrcmpiW (lpString1="bootres.dll", lpString2="microsoft") returned -1 [0073.446] lstrcmpiW (lpString1="bootres.dll", lpString2="sophos") returned -1 [0073.446] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680528 [0073.446] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804f0 | out: hHeap=0x2680000) returned 1 [0073.446] PathFindExtensionW (pszPath="bootres.dll") returned=".dll" [0073.446] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0073.446] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0073.446] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0073.446] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0073.446] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0073.446] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0073.446] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0073.446] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0073.446] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2=".") returned 1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="..") returned 1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="...") returned 1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="windows") returned -1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="$RECYCLE.BIN") returned 1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="rsa") returned -1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="NTDETECT.COM") returned -1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="ntldr") returned -1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="MSDOS.SYS") returned -1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="IO.SYS") returned -1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="boot.ini") returned 1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="AUTOEXEC.BAT") returned 1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="ntuser.dat") returned -1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="desktop.ini") returned 1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="CONFIG.SYS") returned 1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="RECYCLER") returned -1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="BOOTSECT.BAK") returned 1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="bootmgr") returned 1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="programdata") returned -1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="appdata") returned 1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="program files") returned -1 [0073.446] lstrcmpiW (lpString1="en-US", lpString2="program files (x86)") returned -1 [0073.447] lstrcmpiW (lpString1="en-US", lpString2="microsoft") returned -1 [0073.447] lstrcmpiW (lpString1="en-US", lpString2="sophos") returned -1 [0073.447] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804f0 [0073.447] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x46) returned 0x268bd90 [0073.447] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804f0 | out: hHeap=0x2680000) returned 1 [0073.447] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680528 | out: hHeap=0x2680000) returned 1 [0073.447] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804f0 [0073.447] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680538 [0073.447] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bde0 [0073.447] FindFirstFileW (in: lpFileName="C:\\Boot\\Resources\\en-US\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2888 [0073.447] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.447] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.448] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.448] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.448] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2=".") returned 1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="..") returned 1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="...") returned 1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="windows") returned -1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="rsa") returned -1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="NTDETECT.COM") returned -1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="ntldr") returned -1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="MSDOS.SYS") returned -1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="IO.SYS") returned -1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="boot.ini") returned 1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="ntuser.dat") returned -1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="desktop.ini") returned -1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="CONFIG.SYS") returned -1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="RECYCLER") returned -1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="bootmgr") returned 1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="programdata") returned -1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="appdata") returned 1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="program files") returned -1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="program files (x86)") returned -1 [0073.448] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="microsoft") returned -1 [0073.449] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="sophos") returned -1 [0073.449] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268be28 [0073.449] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bde0 | out: hHeap=0x2680000) returned 1 [0073.449] PathFindExtensionW (pszPath="bootres.dll.mui") returned=".mui" [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.449] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.449] lstrcmpiW (lpString1="bootres.dll.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.449] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268be80 [0073.449] CreateFileW (lpFileName="C:\\Boot\\Resources\\en-US\\bootres.dll.mui" (normalized: "c:\\boot\\resources\\en-us\\bootres.dll.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.449] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=75031468087965748) returned 0 [0073.449] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bb08 [0073.449] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bb80 [0073.449] SystemFunction036 (in: RandomBuffer=0x268bb08, RandomBufferLength=0x10 | out: RandomBuffer=0x268bb08) returned 1 [0073.449] SystemFunction036 (in: RandomBuffer=0x268bb80, RandomBufferLength=0x10 | out: RandomBuffer=0x268bb80) returned 1 [0073.449] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x26899a8 [0073.449] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268d9d0 [0073.450] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x26899a8*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x26899a8*, pdwDataLen=0x25beab8*=0x100) returned 1 [0073.450] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268d9d0*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x268d9d0*, pdwDataLen=0x25beab4*=0x100) returned 1 [0073.450] GetTickCount () returned 0x1153b11 [0073.450] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268bde0 [0073.450] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bde0 | out: hHeap=0x2680000) returned 1 [0073.450] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.450] SetLastError (dwErrCode=0x0) [0073.450] WriteFile (in: hFile=0xffffffff, lpBuffer=0x26899a8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0) returned 0 [0073.450] GetLastError () returned 0x6 [0073.450] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0073.450] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef9baa67, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0x31acad58, ftLastWriteTime.dwHighDateTime=0x1d2a030, nFileSizeHigh=0x0, nFileSizeLow=0x2fa0, dwReserved0=0x0, dwReserved1=0x0, cFileName="bootres.dll.mui", cAlternateFileName="BOOTRE~1.MUI")) returned 0 [0073.450] FindClose (in: hFindFile=0xbe2888 | out: hFindFile=0xbe2888) returned 1 [0073.581] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be28 | out: hHeap=0x2680000) returned 1 [0073.581] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680538 | out: hHeap=0x2680000) returned 1 [0073.581] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804f0 | out: hHeap=0x2680000) returned 1 [0073.581] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4c33ce4, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01ac01e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef9baa67, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 0 [0073.581] FindClose (in: hFindFile=0xbe2948 | out: hFindFile=0xbe2948) returned 1 [0073.582] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0073.582] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.582] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.582] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="ro-RO", cAlternateFileName="")) returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2=".") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="..") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="...") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="windows") returned -1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="$RECYCLE.BIN") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="rsa") returned -1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="NTDETECT.COM") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="ntldr") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="MSDOS.SYS") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="IO.SYS") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="boot.ini") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="AUTOEXEC.BAT") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="ntuser.dat") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="desktop.ini") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="CONFIG.SYS") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="RECYCLER") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="BOOTSECT.BAK") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="bootmgr") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="programdata") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="appdata") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="program files") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="program files (x86)") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="microsoft") returned 1 [0073.582] lstrcmpiW (lpString1="ro-RO", lpString2="sophos") returned -1 [0073.582] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.582] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.582] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.582] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.582] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.583] FindFirstFileW (in: lpFileName="C:\\Boot\\ro-RO\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2a48 [0073.583] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.583] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.583] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.583] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.583] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.583] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.584] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.584] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.584] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.584] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.584] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.584] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.584] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.584] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.584] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.584] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.584] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.584] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.584] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.584] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.584] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.585] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.585] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.585] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.585] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.585] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.585] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.585] CreateFileW (lpFileName="C:\\Boot\\ro-RO\\bootmgr.exe.mui" (normalized: "c:\\boot\\ro-ro\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.585] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.585] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bb20 [0073.585] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bc88 [0073.585] SystemFunction036 (in: RandomBuffer=0x268bb20, RandomBufferLength=0x10 | out: RandomBuffer=0x268bb20) returned 1 [0073.585] SystemFunction036 (in: RandomBuffer=0x268bc88, RandomBufferLength=0x10 | out: RandomBuffer=0x268bc88) returned 1 [0073.585] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268d8c8 [0073.585] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268d7c0 [0073.585] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268d8c8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268d8c8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.585] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268d7c0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268d7c0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.587] GetTickCount () returned 0x1153b9e [0073.587] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.587] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.587] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.587] SetLastError (dwErrCode=0x0) [0073.587] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268d8c8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.587] GetLastError () returned 0x6 [0073.587] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.587] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0073.587] FindClose (in: hFindFile=0xbe2a48 | out: hFindFile=0xbe2a48) returned 1 [0073.587] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.587] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.587] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.587] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="ru-RU", cAlternateFileName="")) returned 1 [0073.587] lstrcmpiW (lpString1="ru-RU", lpString2=".") returned 1 [0073.587] lstrcmpiW (lpString1="ru-RU", lpString2="..") returned 1 [0073.587] lstrcmpiW (lpString1="ru-RU", lpString2="...") returned 1 [0073.587] lstrcmpiW (lpString1="ru-RU", lpString2="windows") returned -1 [0073.587] lstrcmpiW (lpString1="ru-RU", lpString2="$RECYCLE.BIN") returned 1 [0073.587] lstrcmpiW (lpString1="ru-RU", lpString2="rsa") returned 1 [0073.587] lstrcmpiW (lpString1="ru-RU", lpString2="NTDETECT.COM") returned 1 [0073.587] lstrcmpiW (lpString1="ru-RU", lpString2="ntldr") returned 1 [0073.587] lstrcmpiW (lpString1="ru-RU", lpString2="MSDOS.SYS") returned 1 [0073.587] lstrcmpiW (lpString1="ru-RU", lpString2="IO.SYS") returned 1 [0073.587] lstrcmpiW (lpString1="ru-RU", lpString2="boot.ini") returned 1 [0073.587] lstrcmpiW (lpString1="ru-RU", lpString2="AUTOEXEC.BAT") returned 1 [0073.588] lstrcmpiW (lpString1="ru-RU", lpString2="ntuser.dat") returned 1 [0073.588] lstrcmpiW (lpString1="ru-RU", lpString2="desktop.ini") returned 1 [0073.588] lstrcmpiW (lpString1="ru-RU", lpString2="CONFIG.SYS") returned 1 [0073.588] lstrcmpiW (lpString1="ru-RU", lpString2="RECYCLER") returned 1 [0073.588] lstrcmpiW (lpString1="ru-RU", lpString2="BOOTSECT.BAK") returned 1 [0073.588] lstrcmpiW (lpString1="ru-RU", lpString2="bootmgr") returned 1 [0073.588] lstrcmpiW (lpString1="ru-RU", lpString2="programdata") returned 1 [0073.588] lstrcmpiW (lpString1="ru-RU", lpString2="appdata") returned 1 [0073.588] lstrcmpiW (lpString1="ru-RU", lpString2="program files") returned 1 [0073.588] lstrcmpiW (lpString1="ru-RU", lpString2="program files (x86)") returned 1 [0073.588] lstrcmpiW (lpString1="ru-RU", lpString2="microsoft") returned 1 [0073.588] lstrcmpiW (lpString1="ru-RU", lpString2="sophos") returned -1 [0073.588] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.588] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.588] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.588] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.588] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.588] FindFirstFileW (in: lpFileName="C:\\Boot\\ru-RU\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2408 [0073.589] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.589] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef698608, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.589] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.589] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.589] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.589] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.589] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.590] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.590] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.590] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.590] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.590] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.590] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\bootmgr.exe.mui" (normalized: "c:\\boot\\ru-ru\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.590] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.590] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bbf8 [0073.590] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bbc8 [0073.590] SystemFunction036 (in: RandomBuffer=0x268bbf8, RandomBufferLength=0x10 | out: RandomBuffer=0x268bbf8) returned 1 [0073.590] SystemFunction036 (in: RandomBuffer=0x268bbc8, RandomBufferLength=0x10 | out: RandomBuffer=0x268bbc8) returned 1 [0073.590] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268dad8 [0073.590] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268c008 [0073.590] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268dad8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268dad8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.592] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268c008*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268c008*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.593] GetTickCount () returned 0x1153b9e [0073.593] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.593] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.593] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.593] SetLastError (dwErrCode=0x0) [0073.593] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268dad8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.593] GetLastError () returned 0x6 [0073.593] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.593] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.593] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.594] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.594] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.594] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.594] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.594] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.594] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.594] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.594] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.594] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.594] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.594] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.594] CreateFileW (lpFileName="C:\\Boot\\ru-RU\\memtest.exe.mui" (normalized: "c:\\boot\\ru-ru\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.594] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.594] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bb38 [0073.594] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bb68 [0073.594] SystemFunction036 (in: RandomBuffer=0x268bb38, RandomBufferLength=0x10 | out: RandomBuffer=0x268bb38) returned 1 [0073.594] SystemFunction036 (in: RandomBuffer=0x268bb68, RandomBufferLength=0x10 | out: RandomBuffer=0x268bb68) returned 1 [0073.595] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268d190 [0073.595] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268dbe0 [0073.595] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268d190*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268d190*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.597] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268dbe0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268dbe0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.598] GetTickCount () returned 0x1153b9e [0073.598] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.598] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.598] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.598] SetLastError (dwErrCode=0x0) [0073.598] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268d190, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.598] GetLastError () returned 0x6 [0073.598] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.598] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef698608, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xafa0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.598] FindClose (in: hFindFile=0xbe2408 | out: hFindFile=0xbe2408) returned 1 [0073.598] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.598] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.598] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.598] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="sk-SK", cAlternateFileName="")) returned 1 [0073.598] lstrcmpiW (lpString1="sk-SK", lpString2=".") returned 1 [0073.598] lstrcmpiW (lpString1="sk-SK", lpString2="..") returned 1 [0073.598] lstrcmpiW (lpString1="sk-SK", lpString2="...") returned 1 [0073.598] lstrcmpiW (lpString1="sk-SK", lpString2="windows") returned -1 [0073.598] lstrcmpiW (lpString1="sk-SK", lpString2="$RECYCLE.BIN") returned 1 [0073.598] lstrcmpiW (lpString1="sk-SK", lpString2="rsa") returned 1 [0073.598] lstrcmpiW (lpString1="sk-SK", lpString2="NTDETECT.COM") returned 1 [0073.598] lstrcmpiW (lpString1="sk-SK", lpString2="ntldr") returned 1 [0073.598] lstrcmpiW (lpString1="sk-SK", lpString2="MSDOS.SYS") returned 1 [0073.598] lstrcmpiW (lpString1="sk-SK", lpString2="IO.SYS") returned 1 [0073.599] lstrcmpiW (lpString1="sk-SK", lpString2="boot.ini") returned 1 [0073.599] lstrcmpiW (lpString1="sk-SK", lpString2="AUTOEXEC.BAT") returned 1 [0073.599] lstrcmpiW (lpString1="sk-SK", lpString2="ntuser.dat") returned 1 [0073.599] lstrcmpiW (lpString1="sk-SK", lpString2="desktop.ini") returned 1 [0073.599] lstrcmpiW (lpString1="sk-SK", lpString2="CONFIG.SYS") returned 1 [0073.599] lstrcmpiW (lpString1="sk-SK", lpString2="RECYCLER") returned 1 [0073.599] lstrcmpiW (lpString1="sk-SK", lpString2="BOOTSECT.BAK") returned 1 [0073.599] lstrcmpiW (lpString1="sk-SK", lpString2="bootmgr") returned 1 [0073.599] lstrcmpiW (lpString1="sk-SK", lpString2="programdata") returned 1 [0073.599] lstrcmpiW (lpString1="sk-SK", lpString2="appdata") returned 1 [0073.599] lstrcmpiW (lpString1="sk-SK", lpString2="program files") returned 1 [0073.599] lstrcmpiW (lpString1="sk-SK", lpString2="program files (x86)") returned 1 [0073.599] lstrcmpiW (lpString1="sk-SK", lpString2="microsoft") returned 1 [0073.599] lstrcmpiW (lpString1="sk-SK", lpString2="sophos") returned -1 [0073.599] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.599] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.599] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.599] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.599] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.599] FindFirstFileW (in: lpFileName="C:\\Boot\\sk-SK\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2b08 [0073.599] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.599] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc4938cb0, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.599] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.599] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.599] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.599] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.599] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.599] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.600] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.600] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.600] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.600] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.600] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.600] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.600] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.600] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.600] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.600] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.600] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.600] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.600] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.600] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.600] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.600] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.600] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.601] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.601] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.601] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.601] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.601] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.601] CreateFileW (lpFileName="C:\\Boot\\sk-SK\\bootmgr.exe.mui" (normalized: "c:\\boot\\sk-sk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.601] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.601] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268b9b8 [0073.601] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bbb0 [0073.601] SystemFunction036 (in: RandomBuffer=0x268b9b8, RandomBufferLength=0x10 | out: RandomBuffer=0x268b9b8) returned 1 [0073.601] SystemFunction036 (in: RandomBuffer=0x268bbb0, RandomBufferLength=0x10 | out: RandomBuffer=0x268bbb0) returned 1 [0073.601] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268c950 [0073.601] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268c320 [0073.601] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268c950*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268c950*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.603] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268c320*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268c320*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.604] GetTickCount () returned 0x1153bae [0073.604] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.604] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.604] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.604] SetLastError (dwErrCode=0x0) [0073.604] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268c950, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.604] GetLastError () returned 0x6 [0073.604] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.604] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4938cb0, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d58, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0073.604] FindClose (in: hFindFile=0xbe2b08 | out: hFindFile=0xbe2b08) returned 1 [0073.604] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.604] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.604] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.604] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="sl-SI", cAlternateFileName="")) returned 1 [0073.604] lstrcmpiW (lpString1="sl-SI", lpString2=".") returned 1 [0073.604] lstrcmpiW (lpString1="sl-SI", lpString2="..") returned 1 [0073.604] lstrcmpiW (lpString1="sl-SI", lpString2="...") returned 1 [0073.604] lstrcmpiW (lpString1="sl-SI", lpString2="windows") returned -1 [0073.604] lstrcmpiW (lpString1="sl-SI", lpString2="$RECYCLE.BIN") returned 1 [0073.604] lstrcmpiW (lpString1="sl-SI", lpString2="rsa") returned 1 [0073.604] lstrcmpiW (lpString1="sl-SI", lpString2="NTDETECT.COM") returned 1 [0073.604] lstrcmpiW (lpString1="sl-SI", lpString2="ntldr") returned 1 [0073.604] lstrcmpiW (lpString1="sl-SI", lpString2="MSDOS.SYS") returned 1 [0073.604] lstrcmpiW (lpString1="sl-SI", lpString2="IO.SYS") returned 1 [0073.605] lstrcmpiW (lpString1="sl-SI", lpString2="boot.ini") returned 1 [0073.605] lstrcmpiW (lpString1="sl-SI", lpString2="AUTOEXEC.BAT") returned 1 [0073.605] lstrcmpiW (lpString1="sl-SI", lpString2="ntuser.dat") returned 1 [0073.605] lstrcmpiW (lpString1="sl-SI", lpString2="desktop.ini") returned 1 [0073.605] lstrcmpiW (lpString1="sl-SI", lpString2="CONFIG.SYS") returned 1 [0073.605] lstrcmpiW (lpString1="sl-SI", lpString2="RECYCLER") returned 1 [0073.605] lstrcmpiW (lpString1="sl-SI", lpString2="BOOTSECT.BAK") returned 1 [0073.605] lstrcmpiW (lpString1="sl-SI", lpString2="bootmgr") returned 1 [0073.605] lstrcmpiW (lpString1="sl-SI", lpString2="programdata") returned 1 [0073.605] lstrcmpiW (lpString1="sl-SI", lpString2="appdata") returned 1 [0073.605] lstrcmpiW (lpString1="sl-SI", lpString2="program files") returned 1 [0073.605] lstrcmpiW (lpString1="sl-SI", lpString2="program files (x86)") returned 1 [0073.605] lstrcmpiW (lpString1="sl-SI", lpString2="microsoft") returned 1 [0073.605] lstrcmpiW (lpString1="sl-SI", lpString2="sophos") returned -1 [0073.605] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.605] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.605] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.605] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.605] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.605] FindFirstFileW (in: lpFileName="C:\\Boot\\sl-SI\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2588 [0073.605] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.605] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc4938cb0, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.605] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.605] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.605] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.605] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.605] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.605] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.605] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.605] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.605] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.605] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.606] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.606] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.606] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.606] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.606] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.607] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.607] CreateFileW (lpFileName="C:\\Boot\\sl-SI\\bootmgr.exe.mui" (normalized: "c:\\boot\\sl-si\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.607] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.607] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bbe0 [0073.607] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268b9d0 [0073.607] SystemFunction036 (in: RandomBuffer=0x268bbe0, RandomBufferLength=0x10 | out: RandomBuffer=0x268bbe0) returned 1 [0073.607] SystemFunction036 (in: RandomBuffer=0x268b9d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268b9d0) returned 1 [0073.607] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268d5b0 [0073.607] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268dce8 [0073.607] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268d5b0*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268d5b0*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.608] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268dce8*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268dce8*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.609] GetTickCount () returned 0x1153bae [0073.609] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.609] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.609] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.609] SetLastError (dwErrCode=0x0) [0073.609] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268d5b0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.609] GetLastError () returned 0x6 [0073.609] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.609] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12b60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0073.609] FindClose (in: hFindFile=0xbe2588 | out: hFindFile=0xbe2588) returned 1 [0073.609] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.609] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.609] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.609] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="sr-Latn-CS", cAlternateFileName="SR-LAT~1")) returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2=".") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="..") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="...") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="windows") returned -1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="$RECYCLE.BIN") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="rsa") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="NTDETECT.COM") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="ntldr") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="MSDOS.SYS") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="IO.SYS") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="boot.ini") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="AUTOEXEC.BAT") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="ntuser.dat") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="desktop.ini") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="CONFIG.SYS") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="RECYCLER") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="BOOTSECT.BAK") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="bootmgr") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="programdata") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="appdata") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="program files") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="program files (x86)") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="microsoft") returned 1 [0073.610] lstrcmpiW (lpString1="sr-Latn-CS", lpString2="sophos") returned 1 [0073.610] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.610] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.610] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.610] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.610] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804f0 [0073.610] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-CS\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2908 [0073.610] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.610] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0x5168548b, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.611] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.611] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.611] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.611] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.611] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680528 [0073.611] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804f0 | out: hHeap=0x2680000) returned 1 [0073.611] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.611] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.611] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.611] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.611] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.611] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.611] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.612] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.612] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.612] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.612] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.612] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.612] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.612] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.612] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.612] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.612] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.612] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.612] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bd90 [0073.612] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.654] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.654] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bc10 [0073.654] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bc40 [0073.654] SystemFunction036 (in: RandomBuffer=0x268bc10, RandomBufferLength=0x10 | out: RandomBuffer=0x268bc10) returned 1 [0073.655] SystemFunction036 (in: RandomBuffer=0x268bc40, RandomBufferLength=0x10 | out: RandomBuffer=0x268bc40) returned 1 [0073.655] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268c530 [0073.655] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268d088 [0073.655] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268c530*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268c530*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.655] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268d088*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268d088*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.655] GetTickCount () returned 0x1153bec [0073.655] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804f0 [0073.655] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804f0 | out: hHeap=0x2680000) returned 1 [0073.655] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.655] SetLastError (dwErrCode=0x0) [0073.655] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268c530, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.656] GetLastError () returned 0x6 [0073.656] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0073.656] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe318f070, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.656] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.657] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bd90 [0073.657] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680528 | out: hHeap=0x2680000) returned 1 [0073.657] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.657] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.657] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.657] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804f0 [0073.657] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-CS\\memtest.exe.mui" (normalized: "c:\\boot\\sr-latn-cs\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.657] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.657] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268b9e8 [0073.657] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bd18 [0073.657] SystemFunction036 (in: RandomBuffer=0x268b9e8, RandomBufferLength=0x10 | out: RandomBuffer=0x268b9e8) returned 1 [0073.657] SystemFunction036 (in: RandomBuffer=0x268bd18, RandomBufferLength=0x10 | out: RandomBuffer=0x268bd18) returned 1 [0073.658] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268c638 [0073.658] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268bf00 [0073.658] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268c638*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268c638*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.659] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268bf00*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268bf00*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.660] GetTickCount () returned 0x1153bec [0073.661] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2680548 [0073.661] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680548 | out: hHeap=0x2680000) returned 1 [0073.661] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.661] SetLastError (dwErrCode=0x0) [0073.661] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268c638, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.661] GetLastError () returned 0x6 [0073.661] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804f0 | out: hHeap=0x2680000) returned 1 [0073.661] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x5168548b, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe318f070, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xaf58, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.661] FindClose (in: hFindFile=0xbe2908 | out: hFindFile=0xbe2908) returned 1 [0073.661] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0073.661] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.661] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.661] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="sr-Latn-RS", cAlternateFileName="SR-LAT~2")) returned 1 [0073.661] lstrcmpiW (lpString1="sr-Latn-RS", lpString2=".") returned 1 [0073.661] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="..") returned 1 [0073.661] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="...") returned 1 [0073.661] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="windows") returned -1 [0073.661] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="$RECYCLE.BIN") returned 1 [0073.661] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="rsa") returned 1 [0073.661] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="NTDETECT.COM") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="ntldr") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="MSDOS.SYS") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="IO.SYS") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="boot.ini") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="AUTOEXEC.BAT") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="ntuser.dat") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="desktop.ini") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="CONFIG.SYS") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="RECYCLER") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="BOOTSECT.BAK") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="bootmgr") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="programdata") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="appdata") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="program files") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="program files (x86)") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="microsoft") returned 1 [0073.662] lstrcmpiW (lpString1="sr-Latn-RS", lpString2="sophos") returned 1 [0073.662] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.662] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.662] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.662] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.662] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804f0 [0073.662] FindFirstFileW (in: lpFileName="C:\\Boot\\sr-Latn-RS\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe28c8 [0073.662] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.662] FindNextFileW (in: hFindFile=0xbe28c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.663] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.663] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.663] FindNextFileW (in: hFindFile=0xbe28c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.663] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.664] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.664] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.664] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680528 [0073.664] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804f0 | out: hHeap=0x2680000) returned 1 [0073.664] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.664] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.664] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.664] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bd90 [0073.664] CreateFileW (lpFileName="C:\\Boot\\sr-Latn-RS\\bootmgr.exe.mui" (normalized: "c:\\boot\\sr-latn-rs\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.664] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.664] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bd60 [0073.664] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bd78 [0073.665] SystemFunction036 (in: RandomBuffer=0x268bd60, RandomBufferLength=0x10 | out: RandomBuffer=0x268bd60) returned 1 [0073.665] SystemFunction036 (in: RandomBuffer=0x268bd78, RandomBufferLength=0x10 | out: RandomBuffer=0x268bd78) returned 1 [0073.665] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268c110 [0073.665] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268c740 [0073.665] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268c110*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268c110*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.665] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268c740*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268c740*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.665] GetTickCount () returned 0x1153bec [0073.665] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804f0 [0073.665] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804f0 | out: hHeap=0x2680000) returned 1 [0073.665] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.665] SetLastError (dwErrCode=0x0) [0073.665] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268c110, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.666] GetLastError () returned 0x6 [0073.666] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0073.666] FindNextFileW (in: hFindFile=0xbe28c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21212f9a, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0073.666] FindClose (in: hFindFile=0xbe28c8 | out: hFindFile=0xbe28c8) returned 1 [0073.666] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680528 | out: hHeap=0x2680000) returned 1 [0073.666] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.666] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.666] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="sv-SE", cAlternateFileName="")) returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2=".") returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="..") returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="...") returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="windows") returned -1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="$RECYCLE.BIN") returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="rsa") returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="NTDETECT.COM") returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="ntldr") returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="MSDOS.SYS") returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="IO.SYS") returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="boot.ini") returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="AUTOEXEC.BAT") returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="ntuser.dat") returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="desktop.ini") returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="CONFIG.SYS") returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="RECYCLER") returned 1 [0073.666] lstrcmpiW (lpString1="sv-SE", lpString2="BOOTSECT.BAK") returned 1 [0073.667] lstrcmpiW (lpString1="sv-SE", lpString2="bootmgr") returned 1 [0073.667] lstrcmpiW (lpString1="sv-SE", lpString2="programdata") returned 1 [0073.667] lstrcmpiW (lpString1="sv-SE", lpString2="appdata") returned 1 [0073.667] lstrcmpiW (lpString1="sv-SE", lpString2="program files") returned 1 [0073.667] lstrcmpiW (lpString1="sv-SE", lpString2="program files (x86)") returned 1 [0073.667] lstrcmpiW (lpString1="sv-SE", lpString2="microsoft") returned 1 [0073.667] lstrcmpiW (lpString1="sv-SE", lpString2="sophos") returned 1 [0073.667] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.667] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.667] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.667] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.667] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.667] FindFirstFileW (in: lpFileName="C:\\Boot\\sv-SE\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2a48 [0073.668] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.668] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa01adf43, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6a2250, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.668] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.668] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.668] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x21107f25, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12960, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.668] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.669] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.669] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.669] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.669] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.669] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.669] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.669] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.669] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.669] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.669] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.669] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.669] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.669] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.669] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\bootmgr.exe.mui" (normalized: "c:\\boot\\sv-se\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.670] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.670] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bcb8 [0073.670] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bcd0 [0073.670] SystemFunction036 (in: RandomBuffer=0x268bcb8, RandomBufferLength=0x10 | out: RandomBuffer=0x268bcb8) returned 1 [0073.670] SystemFunction036 (in: RandomBuffer=0x268bcd0, RandomBufferLength=0x10 | out: RandomBuffer=0x268bcd0) returned 1 [0073.670] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268c218 [0073.670] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268c428 [0073.670] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268c218*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268c218*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.670] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268c428*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268c428*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.670] GetTickCount () returned 0x1153bec [0073.670] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.670] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.670] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.671] SetLastError (dwErrCode=0x0) [0073.671] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268c218, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.671] GetLastError () returned 0x6 [0073.671] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.671] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6a2250, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf98, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.671] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.671] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.671] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.672] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.672] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.672] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.672] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.672] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.672] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.672] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.672] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.672] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.672] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.672] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.672] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.672] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.672] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.672] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.672] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.672] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.673] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.673] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.673] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.673] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.673] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.673] CreateFileW (lpFileName="C:\\Boot\\sv-SE\\memtest.exe.mui" (normalized: "c:\\boot\\sv-se\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.673] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.673] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bce8 [0073.673] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bd00 [0073.673] SystemFunction036 (in: RandomBuffer=0x268bce8, RandomBufferLength=0x10 | out: RandomBuffer=0x268bce8) returned 1 [0073.673] SystemFunction036 (in: RandomBuffer=0x268bd00, RandomBufferLength=0x10 | out: RandomBuffer=0x268bd00) returned 1 [0073.673] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268c848 [0073.673] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268ca58 [0073.673] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268c848*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268c848*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.673] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268ca58*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268ca58*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.675] GetTickCount () returned 0x1153bfc [0073.675] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.675] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.675] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.675] SetLastError (dwErrCode=0x0) [0073.675] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268c848, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.675] GetLastError () returned 0x6 [0073.676] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.676] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6a2250, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f699a6, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xaf98, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.676] FindClose (in: hFindFile=0xbe2a48 | out: hFindFile=0xbe2a48) returned 1 [0073.676] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.676] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.676] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.676] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="tr-TR", cAlternateFileName="")) returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2=".") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="..") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="...") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="windows") returned -1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="$RECYCLE.BIN") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="rsa") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="NTDETECT.COM") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="ntldr") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="MSDOS.SYS") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="IO.SYS") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="boot.ini") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="AUTOEXEC.BAT") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="ntuser.dat") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="desktop.ini") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="CONFIG.SYS") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="RECYCLER") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="BOOTSECT.BAK") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="bootmgr") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="programdata") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="appdata") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="program files") returned 1 [0073.676] lstrcmpiW (lpString1="tr-TR", lpString2="program files (x86)") returned 1 [0073.677] lstrcmpiW (lpString1="tr-TR", lpString2="microsoft") returned 1 [0073.677] lstrcmpiW (lpString1="tr-TR", lpString2="sophos") returned 1 [0073.677] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.677] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.677] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.677] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.677] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.677] FindFirstFileW (in: lpFileName="C:\\Boot\\tr-TR\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0073.677] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.677] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206504, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6b5aca, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.677] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.677] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.677] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12558, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.677] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.678] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.678] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.678] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.678] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.678] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.678] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.678] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.678] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.678] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.678] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.679] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.679] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.679] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.679] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.679] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.679] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.679] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.679] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.679] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.679] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.679] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.679] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.679] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\bootmgr.exe.mui" (normalized: "c:\\boot\\tr-tr\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.679] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.680] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bd30 [0073.680] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268bd48 [0073.680] SystemFunction036 (in: RandomBuffer=0x268bd30, RandomBufferLength=0x10 | out: RandomBuffer=0x268bd30) returned 1 [0073.680] SystemFunction036 (in: RandomBuffer=0x268bd48, RandomBufferLength=0x10 | out: RandomBuffer=0x268bd48) returned 1 [0073.680] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268cb60 [0073.680] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268cc68 [0073.680] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268cb60*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268cb60*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.681] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268cc68*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268cc68*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.682] GetTickCount () returned 0x1153bfc [0073.682] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.682] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.682] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.682] SetLastError (dwErrCode=0x0) [0073.682] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268cb60, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.682] GetLastError () returned 0x6 [0073.682] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.682] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6b5aca, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f4373a, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.683] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.683] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.683] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.683] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.683] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.683] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.683] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.683] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.683] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.684] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.684] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.684] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.684] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.684] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.684] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.684] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.684] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.684] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.684] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.684] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.684] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.684] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.684] CreateFileW (lpFileName="C:\\Boot\\tr-TR\\memtest.exe.mui" (normalized: "c:\\boot\\tr-tr\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.684] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.684] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df70 [0073.684] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1e0 [0073.684] SystemFunction036 (in: RandomBuffer=0x268df70, RandomBufferLength=0x10 | out: RandomBuffer=0x268df70) returned 1 [0073.684] SystemFunction036 (in: RandomBuffer=0x268e1e0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1e0) returned 1 [0073.684] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268cd70 [0073.684] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268ce78 [0073.684] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268cd70*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268cd70*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.687] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268ce78*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268ce78*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.688] GetTickCount () returned 0x1153bfc [0073.688] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.688] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.688] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.688] SetLastError (dwErrCode=0x0) [0073.688] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268cd70, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.688] GetLastError () returned 0x6 [0073.688] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.688] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6b5aca, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2f4373a, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xb1a0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.688] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0073.688] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.688] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.688] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.688] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="uk-UA", cAlternateFileName="")) returned 1 [0073.688] lstrcmpiW (lpString1="uk-UA", lpString2=".") returned 1 [0073.688] lstrcmpiW (lpString1="uk-UA", lpString2="..") returned 1 [0073.688] lstrcmpiW (lpString1="uk-UA", lpString2="...") returned 1 [0073.688] lstrcmpiW (lpString1="uk-UA", lpString2="windows") returned -1 [0073.688] lstrcmpiW (lpString1="uk-UA", lpString2="$RECYCLE.BIN") returned 1 [0073.688] lstrcmpiW (lpString1="uk-UA", lpString2="rsa") returned 1 [0073.688] lstrcmpiW (lpString1="uk-UA", lpString2="NTDETECT.COM") returned 1 [0073.688] lstrcmpiW (lpString1="uk-UA", lpString2="ntldr") returned 1 [0073.688] lstrcmpiW (lpString1="uk-UA", lpString2="MSDOS.SYS") returned 1 [0073.688] lstrcmpiW (lpString1="uk-UA", lpString2="IO.SYS") returned 1 [0073.688] lstrcmpiW (lpString1="uk-UA", lpString2="boot.ini") returned 1 [0073.688] lstrcmpiW (lpString1="uk-UA", lpString2="AUTOEXEC.BAT") returned 1 [0073.689] lstrcmpiW (lpString1="uk-UA", lpString2="ntuser.dat") returned 1 [0073.689] lstrcmpiW (lpString1="uk-UA", lpString2="desktop.ini") returned 1 [0073.689] lstrcmpiW (lpString1="uk-UA", lpString2="CONFIG.SYS") returned 1 [0073.689] lstrcmpiW (lpString1="uk-UA", lpString2="RECYCLER") returned 1 [0073.689] lstrcmpiW (lpString1="uk-UA", lpString2="BOOTSECT.BAK") returned 1 [0073.689] lstrcmpiW (lpString1="uk-UA", lpString2="bootmgr") returned 1 [0073.689] lstrcmpiW (lpString1="uk-UA", lpString2="programdata") returned 1 [0073.689] lstrcmpiW (lpString1="uk-UA", lpString2="appdata") returned 1 [0073.689] lstrcmpiW (lpString1="uk-UA", lpString2="program files") returned 1 [0073.689] lstrcmpiW (lpString1="uk-UA", lpString2="program files (x86)") returned 1 [0073.689] lstrcmpiW (lpString1="uk-UA", lpString2="microsoft") returned 1 [0073.689] lstrcmpiW (lpString1="uk-UA", lpString2="sophos") returned 1 [0073.689] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.689] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.689] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.689] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.689] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0073.689] FindFirstFileW (in: lpFileName="C:\\Boot\\uk-UA\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2b08 [0073.689] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.689] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0206a30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc495eef9, ftLastWriteTime.dwHighDateTime=0x1d32764, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0073.689] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.689] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.689] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.689] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.689] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.689] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.689] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.689] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.689] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.689] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.690] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.690] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.690] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.690] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.690] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.691] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.691] CreateFileW (lpFileName="C:\\Boot\\uk-UA\\bootmgr.exe.mui" (normalized: "c:\\boot\\uk-ua\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.691] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268dfd0 [0073.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268dfe8 [0073.691] SystemFunction036 (in: RandomBuffer=0x268dfd0, RandomBufferLength=0x10 | out: RandomBuffer=0x268dfd0) returned 1 [0073.691] SystemFunction036 (in: RandomBuffer=0x268dfe8, RandomBufferLength=0x10 | out: RandomBuffer=0x268dfe8) returned 1 [0073.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268d298 [0073.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268cf80 [0073.691] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268d298*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268d298*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.692] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268cf80*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x268cf80*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.693] GetTickCount () returned 0x1153bfc [0073.693] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.693] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.693] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.693] SetLastError (dwErrCode=0x0) [0073.693] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268d298, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.693] GetLastError () returned 0x6 [0073.693] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.693] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc495eef9, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc495eef9, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x210e1cce, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x12d60, dwReserved0=0x26820d0, dwReserved1=0x0, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 0 [0073.693] FindClose (in: hFindFile=0xbe2b08 | out: hFindFile=0xbe2b08) returned 1 [0073.693] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.693] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.694] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.694] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef6c9427, ftCreationTime.dwHighDateTime=0x1d3273d, ftLastAccessTime.dwLowDateTime=0xef6c9427, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1236, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="updaterevokesipolicy.p7b", cAlternateFileName="UPDATE~1.P7B")) returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2=".") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="..") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="...") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="windows") returned -1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="$RECYCLE.BIN") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="rsa") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="NTDETECT.COM") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="ntldr") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="MSDOS.SYS") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="IO.SYS") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="boot.ini") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="AUTOEXEC.BAT") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="ntuser.dat") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="desktop.ini") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="CONFIG.SYS") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="RECYCLER") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="BOOTSECT.BAK") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="bootmgr") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="programdata") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="appdata") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="program files") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="program files (x86)") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="microsoft") returned 1 [0073.694] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="sophos") returned 1 [0073.694] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0073.694] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.694] PathFindExtensionW (pszPath="updaterevokesipolicy.p7b") returned=".p7b" [0073.694] lstrcmpiW (lpString1=".p7b", lpString2=".exe") returned 1 [0073.694] lstrcmpiW (lpString1=".p7b", lpString2=".log") returned 1 [0073.694] lstrcmpiW (lpString1=".p7b", lpString2=".cab") returned 1 [0073.694] lstrcmpiW (lpString1=".p7b", lpString2=".cmd") returned 1 [0073.694] lstrcmpiW (lpString1=".p7b", lpString2=".com") returned 1 [0073.694] lstrcmpiW (lpString1=".p7b", lpString2=".cpl") returned 1 [0073.695] lstrcmpiW (lpString1=".p7b", lpString2=".ini") returned 1 [0073.695] lstrcmpiW (lpString1=".p7b", lpString2=".dll") returned 1 [0073.695] lstrcmpiW (lpString1=".p7b", lpString2=".url") returned -1 [0073.695] lstrcmpiW (lpString1=".p7b", lpString2=".ttf") returned -1 [0073.695] lstrcmpiW (lpString1=".p7b", lpString2=".mp3") returned 1 [0073.695] lstrcmpiW (lpString1=".p7b", lpString2=".pif") returned -1 [0073.695] lstrcmpiW (lpString1=".p7b", lpString2=".mp4") returned 1 [0073.695] lstrcmpiW (lpString1=".p7b", lpString2=".NEFILIM") returned 1 [0073.695] lstrcmpiW (lpString1=".p7b", lpString2=".msi") returned 1 [0073.695] lstrcmpiW (lpString1=".p7b", lpString2=".lnk") returned 1 [0073.695] lstrcmpiW (lpString1="updaterevokesipolicy.p7b", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0073.695] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0073.695] CreateFileW (lpFileName="C:\\Boot\\updaterevokesipolicy.p7b" (normalized: "c:\\boot\\updaterevokesipolicy.p7b"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.739] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=75031468087965748) returned 0 [0073.740] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e108 [0073.740] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df58 [0073.740] SystemFunction036 (in: RandomBuffer=0x268e108, RandomBufferLength=0x10 | out: RandomBuffer=0x268e108) returned 1 [0073.740] SystemFunction036 (in: RandomBuffer=0x268df58, RandomBufferLength=0x10 | out: RandomBuffer=0x268df58) returned 1 [0073.740] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268d3a0 [0073.740] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268d4a8 [0073.740] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268d3a0*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x268d3a0*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0073.741] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268d4a8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x268d4a8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0073.742] GetTickCount () returned 0x1153c2b [0073.742] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2680568 [0073.742] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680568 | out: hHeap=0x2680000) returned 1 [0073.742] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.742] SetLastError (dwErrCode=0x0) [0073.742] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268d3a0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0) returned 0 [0073.742] GetLastError () returned 0x6 [0073.742] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0073.742] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="zh-CN", cAlternateFileName="")) returned 1 [0073.742] lstrcmpiW (lpString1="zh-CN", lpString2=".") returned 1 [0073.742] lstrcmpiW (lpString1="zh-CN", lpString2="..") returned 1 [0073.742] lstrcmpiW (lpString1="zh-CN", lpString2="...") returned 1 [0073.742] lstrcmpiW (lpString1="zh-CN", lpString2="windows") returned 1 [0073.742] lstrcmpiW (lpString1="zh-CN", lpString2="$RECYCLE.BIN") returned 1 [0073.742] lstrcmpiW (lpString1="zh-CN", lpString2="rsa") returned 1 [0073.742] lstrcmpiW (lpString1="zh-CN", lpString2="NTDETECT.COM") returned 1 [0073.742] lstrcmpiW (lpString1="zh-CN", lpString2="ntldr") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="MSDOS.SYS") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="IO.SYS") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="boot.ini") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="AUTOEXEC.BAT") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="ntuser.dat") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="desktop.ini") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="CONFIG.SYS") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="RECYCLER") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="BOOTSECT.BAK") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="bootmgr") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="programdata") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="appdata") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="program files") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="program files (x86)") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="microsoft") returned 1 [0073.743] lstrcmpiW (lpString1="zh-CN", lpString2="sophos") returned 1 [0073.743] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.743] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.743] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.743] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.743] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.743] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-CN\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x8, cFileName=".", cAlternateFileName="")) returned 0xbe2948 [0073.744] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.744] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207100, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xef6d7e9a, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x8, cFileName="..", cAlternateFileName="")) returned 1 [0073.744] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.744] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.744] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x2680510, dwReserved1=0x8, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.744] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.745] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.745] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.745] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.745] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.745] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.745] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.745] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.745] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.745] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.745] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.745] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.745] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-cn\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.745] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.745] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e138 [0073.745] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df88 [0073.745] SystemFunction036 (in: RandomBuffer=0x268e138, RandomBufferLength=0x10 | out: RandomBuffer=0x268e138) returned 1 [0073.745] SystemFunction036 (in: RandomBuffer=0x268df88, RandomBufferLength=0x10 | out: RandomBuffer=0x268df88) returned 1 [0073.746] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x268d6b8 [0073.746] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1720 [0073.746] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x268d6b8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x268d6b8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.746] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1720*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1720*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.748] GetTickCount () returned 0x1153c3a [0073.748] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.748] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.748] SetLastError (dwErrCode=0x0) [0073.748] WriteFile (in: hFile=0xffffffff, lpBuffer=0x268d6b8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.748] GetLastError () returned 0x6 [0073.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.748] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6d7e9a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa5a0, dwReserved0=0x2680510, dwReserved1=0x8, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.748] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.748] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.748] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.748] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.748] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.748] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.748] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.748] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.748] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.748] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.748] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.748] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.749] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.749] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.749] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.749] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.749] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.749] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.749] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.749] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.749] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.749] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.749] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.749] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.749] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.749] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.749] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.749] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.749] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.749] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.749] CreateFileW (lpFileName="C:\\Boot\\zh-CN\\memtest.exe.mui" (normalized: "c:\\boot\\zh-cn\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.750] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.750] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e180 [0073.750] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e048 [0073.750] SystemFunction036 (in: RandomBuffer=0x268e180, RandomBufferLength=0x10 | out: RandomBuffer=0x268e180) returned 1 [0073.750] SystemFunction036 (in: RandomBuffer=0x268e048, RandomBufferLength=0x10 | out: RandomBuffer=0x268e048) returned 1 [0073.750] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d10f0 [0073.750] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1828 [0073.750] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d10f0*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d10f0*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.752] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1828*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1828*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.753] GetTickCount () returned 0x1153c3a [0073.753] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.753] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.753] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.753] SetLastError (dwErrCode=0x0) [0073.753] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d10f0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.753] GetLastError () returned 0x6 [0073.753] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.753] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6d7e9a, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa5a0, dwReserved0=0x2680510, dwReserved1=0x8, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.753] FindClose (in: hFindFile=0xbe2948 | out: hFindFile=0xbe2948) returned 1 [0073.753] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.753] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.753] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.753] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="zh-HK", cAlternateFileName="")) returned 1 [0073.753] lstrcmpiW (lpString1="zh-HK", lpString2=".") returned 1 [0073.753] lstrcmpiW (lpString1="zh-HK", lpString2="..") returned 1 [0073.753] lstrcmpiW (lpString1="zh-HK", lpString2="...") returned 1 [0073.753] lstrcmpiW (lpString1="zh-HK", lpString2="windows") returned 1 [0073.753] lstrcmpiW (lpString1="zh-HK", lpString2="$RECYCLE.BIN") returned 1 [0073.753] lstrcmpiW (lpString1="zh-HK", lpString2="rsa") returned 1 [0073.753] lstrcmpiW (lpString1="zh-HK", lpString2="NTDETECT.COM") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="ntldr") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="MSDOS.SYS") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="IO.SYS") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="boot.ini") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="AUTOEXEC.BAT") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="ntuser.dat") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="desktop.ini") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="CONFIG.SYS") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="RECYCLER") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="BOOTSECT.BAK") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="bootmgr") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="programdata") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="appdata") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="program files") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="program files (x86)") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="microsoft") returned 1 [0073.754] lstrcmpiW (lpString1="zh-HK", lpString2="sophos") returned 1 [0073.754] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.754] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.754] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.754] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.754] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.754] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-HK\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x8, cFileName=".", cAlternateFileName="")) returned 0xbe24c8 [0073.754] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.754] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xa0207675, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x518ea25e, ftLastWriteTime.dwHighDateTime=0x1d3271b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x8, cFileName="..", cAlternateFileName="")) returned 1 [0073.754] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.754] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.754] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf958, dwReserved0=0x2680510, dwReserved1=0x8, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.755] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.755] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.755] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.755] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.755] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.755] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.755] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.755] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.755] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.755] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.755] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.755] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.755] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.755] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.756] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.756] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.756] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.756] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.756] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.756] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.756] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.756] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.756] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-hk\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.756] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.756] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268dfb8 [0073.756] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268dfa0 [0073.756] SystemFunction036 (in: RandomBuffer=0x268dfb8, RandomBufferLength=0x10 | out: RandomBuffer=0x268dfb8) returned 1 [0073.756] SystemFunction036 (in: RandomBuffer=0x268dfa0, RandomBufferLength=0x10 | out: RandomBuffer=0x268dfa0) returned 1 [0073.756] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0490 [0073.756] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1c48 [0073.756] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0490*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0490*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.758] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1c48*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1c48*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.759] GetTickCount () returned 0x1153c3a [0073.759] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.759] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.759] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.759] SetLastError (dwErrCode=0x0) [0073.759] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d0490, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.759] GetLastError () returned 0x6 [0073.759] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.759] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x518ea25e, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe31db522, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x2680510, dwReserved1=0x8, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.759] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.760] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.760] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.760] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.760] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.760] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.760] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.760] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.760] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.760] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.760] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.760] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.760] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.760] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.760] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.760] CreateFileW (lpFileName="C:\\Boot\\zh-HK\\memtest.exe.mui" (normalized: "c:\\boot\\zh-hk\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.760] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.760] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df10 [0073.760] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1f8 [0073.761] SystemFunction036 (in: RandomBuffer=0x268df10, RandomBufferLength=0x10 | out: RandomBuffer=0x268df10) returned 1 [0073.761] SystemFunction036 (in: RandomBuffer=0x268e1f8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1f8) returned 1 [0073.761] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d07a8 [0073.761] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d06a0 [0073.761] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d07a8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d07a8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.761] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d06a0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d06a0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.761] GetTickCount () returned 0x1153c3a [0073.761] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.761] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.761] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.761] SetLastError (dwErrCode=0x0) [0073.761] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d07a8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.761] GetLastError () returned 0x6 [0073.761] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.761] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0x518ea25e, ftLastAccessTime.dwHighDateTime=0x1d3271b, ftLastWriteTime.dwLowDateTime=0xe31db522, ftLastWriteTime.dwHighDateTime=0x1d112e1, nFileSizeHigh=0x0, nFileSizeLow=0xa558, dwReserved0=0x2680510, dwReserved1=0x8, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.761] FindClose (in: hFindFile=0xbe24c8 | out: hFindFile=0xbe24c8) returned 1 [0073.761] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.762] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.762] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.762] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="zh-TW", cAlternateFileName="")) returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2=".") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="..") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="...") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="windows") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="$RECYCLE.BIN") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="rsa") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="NTDETECT.COM") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="ntldr") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="MSDOS.SYS") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="IO.SYS") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="boot.ini") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="AUTOEXEC.BAT") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="ntuser.dat") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="desktop.ini") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="CONFIG.SYS") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="RECYCLER") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="BOOTSECT.BAK") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="bootmgr") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="programdata") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="appdata") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="program files") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="program files (x86)") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="microsoft") returned 1 [0073.762] lstrcmpiW (lpString1="zh-TW", lpString2="sophos") returned 1 [0073.762] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.762] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.762] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.762] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812f0 [0073.762] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.762] FindFirstFileW (in: lpFileName="C:\\Boot\\zh-TW\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x8, cFileName=".", cAlternateFileName="")) returned 0xbe2b08 [0073.763] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.763] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x8, cFileName="..", cAlternateFileName="")) returned 1 [0073.763] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.763] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.763] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc498516b, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0x2123921c, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0xf960, dwReserved0=0x2680510, dwReserved1=0x8, cFileName="bootmgr.exe.mui", cAlternateFileName="BOOTMG~1.MUI")) returned 1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2=".") returned 1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="..") returned 1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="...") returned 1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="windows") returned -1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="rsa") returned -1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntldr") returned -1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="IO.SYS") returned -1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="boot.ini") returned 1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="ntuser.dat") returned -1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="desktop.ini") returned -1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="CONFIG.SYS") returned -1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="RECYCLER") returned -1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="BOOTSECT.BAK") returned -1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="bootmgr") returned 1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="programdata") returned -1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="appdata") returned 1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files") returned -1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="program files (x86)") returned -1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="microsoft") returned -1 [0073.763] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="sophos") returned -1 [0073.763] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.763] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.763] PathFindExtensionW (pszPath="bootmgr.exe.mui") returned=".mui" [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.764] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.764] lstrcmpiW (lpString1="bootmgr.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.764] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\bootmgr.exe.mui" (normalized: "c:\\boot\\zh-tw\\bootmgr.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.764] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1b0 [0073.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e000 [0073.764] SystemFunction036 (in: RandomBuffer=0x268e1b0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1b0) returned 1 [0073.764] SystemFunction036 (in: RandomBuffer=0x268e000, RandomBufferLength=0x10 | out: RandomBuffer=0x268e000) returned 1 [0073.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1510 [0073.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0fe8 [0073.764] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1510*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1510*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.765] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0fe8*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0fe8*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.765] GetTickCount () returned 0x1153c4a [0073.765] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.765] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.765] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.765] SetLastError (dwErrCode=0x0) [0073.765] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d1510, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.765] GetLastError () returned 0x6 [0073.765] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.765] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa598, dwReserved0=0x2680510, dwReserved1=0x8, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2=".") returned 1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="..") returned 1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="...") returned 1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="windows") returned -1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="$RECYCLE.BIN") returned 1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="rsa") returned -1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NTDETECT.COM") returned -1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntldr") returned -1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="MSDOS.SYS") returned -1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="IO.SYS") returned 1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="boot.ini") returned 1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="AUTOEXEC.BAT") returned 1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="ntuser.dat") returned -1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="desktop.ini") returned 1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="CONFIG.SYS") returned 1 [0073.765] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="RECYCLER") returned -1 [0073.766] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="BOOTSECT.BAK") returned 1 [0073.766] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="bootmgr") returned 1 [0073.766] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="programdata") returned -1 [0073.766] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="appdata") returned 1 [0073.766] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files") returned -1 [0073.766] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="program files (x86)") returned -1 [0073.766] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="microsoft") returned -1 [0073.766] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="sophos") returned -1 [0073.766] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.766] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.766] PathFindExtensionW (pszPath="memtest.exe.mui") returned=".mui" [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".exe") returned 1 [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".log") returned 1 [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".cab") returned 1 [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".cmd") returned 1 [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".com") returned 1 [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".cpl") returned 1 [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".ini") returned 1 [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".dll") returned 1 [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".url") returned -1 [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".ttf") returned -1 [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".mp3") returned 1 [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".pif") returned -1 [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".mp4") returned 1 [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".NEFILIM") returned -1 [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".msi") returned 1 [0073.766] lstrcmpiW (lpString1=".mui", lpString2=".lnk") returned 1 [0073.766] lstrcmpiW (lpString1="memtest.exe.mui", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.766] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.766] CreateFileW (lpFileName="C:\\Boot\\zh-TW\\memtest.exe.mui" (normalized: "c:\\boot\\zh-tw\\memtest.exe.mui"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.767] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0073.767] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e018 [0073.767] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e030 [0073.767] SystemFunction036 (in: RandomBuffer=0x268e018, RandomBufferLength=0x10 | out: RandomBuffer=0x268e018) returned 1 [0073.767] SystemFunction036 (in: RandomBuffer=0x268e030, RandomBufferLength=0x10 | out: RandomBuffer=0x268e030) returned 1 [0073.767] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0bc8 [0073.767] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d08b0 [0073.767] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0bc8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0bc8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0073.767] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d08b0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d08b0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0073.768] GetTickCount () returned 0x1153c4a [0073.768] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0073.768] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0073.768] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.768] SetLastError (dwErrCode=0x0) [0073.768] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d0bc8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0073.769] GetLastError () returned 0x6 [0073.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.769] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf39fe447, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0xa598, dwReserved0=0x2680510, dwReserved1=0x8, cFileName="memtest.exe.mui", cAlternateFileName="MEMTES~1.MUI")) returned 0 [0073.769] FindClose (in: hFindFile=0xbe2b08 | out: hFindFile=0xbe2b08) returned 1 [0073.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812f0 | out: hHeap=0x2680000) returned 1 [0073.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.769] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc498516b, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xef6e6901, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xef6e6901, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26812f8, dwReserved1=0x42000042, cFileName="zh-TW", cAlternateFileName="")) returned 0 [0073.769] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0073.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c8 | out: hHeap=0x2680000) returned 1 [0073.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812a0 | out: hHeap=0x2680000) returned 1 [0073.769] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xe47a48a8, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef6fa258, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xfb90936b, ftLastWriteTime.dwHighDateTime=0x1d2fa06, nFileSizeHigh=0x0, nFileSizeLow=0x607da, dwReserved0=0x1003f, dwReserved1=0x0, cFileName="bootmgr", cAlternateFileName="")) returned 1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2=".") returned 1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="..") returned 1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="...") returned 1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="windows") returned -1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="$RECYCLE.BIN") returned 1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="rsa") returned -1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="NTDETECT.COM") returned -1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="ntldr") returned -1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="MSDOS.SYS") returned -1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="IO.SYS") returned -1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="boot.ini") returned 1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="AUTOEXEC.BAT") returned 1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="ntuser.dat") returned -1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="desktop.ini") returned -1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="CONFIG.SYS") returned -1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="RECYCLER") returned -1 [0073.769] lstrcmpiW (lpString1="bootmgr", lpString2="BOOTSECT.BAK") returned -1 [0073.770] lstrcmpiW (lpString1="bootmgr", lpString2="bootmgr") returned 0 [0073.770] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0xe5533ee0, ftCreationTime.dwHighDateTime=0x1d112ea, ftLastAccessTime.dwLowDateTime=0xef9d0a0c, ftLastAccessTime.dwHighDateTime=0x1d3273d, ftLastWriteTime.dwLowDateTime=0xf2d79a60, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x1, dwReserved0=0x1003f, dwReserved1=0x0, cFileName="BOOTNXT", cAlternateFileName="")) returned 1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2=".") returned 1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="..") returned 1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="...") returned 1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="windows") returned -1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="$RECYCLE.BIN") returned 1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="rsa") returned -1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="NTDETECT.COM") returned -1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="ntldr") returned -1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="MSDOS.SYS") returned -1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="IO.SYS") returned -1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="boot.ini") returned 1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="AUTOEXEC.BAT") returned 1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="ntuser.dat") returned -1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="desktop.ini") returned -1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="CONFIG.SYS") returned -1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="RECYCLER") returned -1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="BOOTSECT.BAK") returned -1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="bootmgr") returned 1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="programdata") returned -1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="appdata") returned 1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="program files") returned -1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="program files (x86)") returned -1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="microsoft") returned -1 [0073.770] lstrcmpiW (lpString1="BOOTNXT", lpString2="sophos") returned -1 [0073.770] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.770] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0073.770] PathFindExtensionW (pszPath="BOOTNXT") returned="" [0073.770] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0073.770] lstrcmpiW (lpString1="", lpString2=".log") returned -1 [0073.770] lstrcmpiW (lpString1="", lpString2=".cab") returned -1 [0073.770] lstrcmpiW (lpString1="", lpString2=".cmd") returned -1 [0073.770] lstrcmpiW (lpString1="", lpString2=".com") returned -1 [0073.770] lstrcmpiW (lpString1="", lpString2=".cpl") returned -1 [0073.770] lstrcmpiW (lpString1="", lpString2=".ini") returned -1 [0073.771] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0073.771] lstrcmpiW (lpString1="", lpString2=".url") returned -1 [0073.771] lstrcmpiW (lpString1="", lpString2=".ttf") returned -1 [0073.771] lstrcmpiW (lpString1="", lpString2=".mp3") returned -1 [0073.771] lstrcmpiW (lpString1="", lpString2=".pif") returned -1 [0073.771] lstrcmpiW (lpString1="", lpString2=".mp4") returned -1 [0073.771] lstrcmpiW (lpString1="", lpString2=".NEFILIM") returned -1 [0073.771] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0073.771] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0073.771] lstrcmpiW (lpString1="BOOTNXT", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.771] CreateFileW (lpFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x25c [0073.830] GetFileSizeEx (in: hFile=0x25c, lpFileSize=0x25bf458 | out: lpFileSize=0x25bf458*=1) returned 1 [0073.830] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e060 [0073.830] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0073.830] SystemFunction036 (in: RandomBuffer=0x268e060, RandomBufferLength=0x10 | out: RandomBuffer=0x268e060) returned 1 [0073.830] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0073.830] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0073.830] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0073.830] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf418*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf418*=0x100) returned 1 [0073.832] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf414*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf414*=0x100) returned 1 [0073.834] GetTickCount () returned 0x1153c88 [0073.834] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.834] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.834] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.834] SetLastError (dwErrCode=0x0) [0073.834] WriteFile (in: hFile=0x25c, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf470, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf470*=0x100, lpOverlapped=0x0) returned 1 [0073.835] GetLastError () returned 0x0 [0073.835] GetLastError () returned 0x0 [0073.835] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x101, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.835] WriteFile (in: hFile=0x25c, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf470, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf470*=0x100, lpOverlapped=0x0) returned 1 [0073.835] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x201, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.835] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf42c | out: lpSystemTimeAsFileTime=0x25bf42c*(dwLowDateTime=0x26ffab4a, dwHighDateTime=0x1d5f971)) [0073.835] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.835] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.835] WriteFile (in: hFile=0x25c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf470, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf470*=0x7, lpOverlapped=0x0) returned 1 [0073.836] GetProcessHeap () returned 0xbc0000 [0073.836] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1) returned 0xbe37c0 [0073.836] GetSystemDefaultLangID () returned 0xbd0409 [0073.836] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.836] ReadFile (in: hFile=0x25c, lpBuffer=0xbe37c0, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x25bf47c, lpOverlapped=0x0 | out: lpBuffer=0xbe37c0*, lpNumberOfBytesRead=0x25bf47c*=0x1, lpOverlapped=0x0) returned 1 [0073.836] SetFilePointerEx (in: hFile=0x25c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.836] WriteFile (in: hFile=0x25c, lpBuffer=0xbe37c0*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x25bf470, lpOverlapped=0x0 | out: lpBuffer=0xbe37c0*, lpNumberOfBytesWritten=0x25bf470*=0x1, lpOverlapped=0x0) returned 1 [0073.836] GetProcessHeap () returned 0xbc0000 [0073.836] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe37c0 | out: hHeap=0xbc0000) returned 1 [0073.836] CloseHandle (hObject=0x25c) returned 1 [0073.837] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0073.837] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0073.837] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e060 | out: hHeap=0x2680000) returned 1 [0073.837] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0073.837] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.837] MoveFileW (lpExistingFileName="C:\\BOOTNXT" (normalized: "c:\\bootnxt"), lpNewFileName="C:\\BOOTNXT.NEFILIM" (normalized: "c:\\bootnxt.nefilim")) returned 1 [0073.837] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.838] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.838] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x27, ftCreationTime.dwLowDateTime=0xc4ee267e, ftCreationTime.dwHighDateTime=0x1d32764, ftLastAccessTime.dwLowDateTime=0xc4ee267e, ftLastAccessTime.dwHighDateTime=0x1d32764, ftLastWriteTime.dwLowDateTime=0xf1c63cdd, ftLastWriteTime.dwHighDateTime=0x1d3273d, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x1003f, dwReserved1=0x0, cFileName="BOOTSECT.BAK", cAlternateFileName="")) returned 1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2=".") returned 1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="..") returned 1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="...") returned 1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="windows") returned -1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="$RECYCLE.BIN") returned 1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="rsa") returned -1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="NTDETECT.COM") returned -1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="ntldr") returned -1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="MSDOS.SYS") returned -1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="IO.SYS") returned -1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="boot.ini") returned 1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="AUTOEXEC.BAT") returned 1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="ntuser.dat") returned -1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="desktop.ini") returned -1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="CONFIG.SYS") returned -1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="RECYCLER") returned -1 [0073.838] lstrcmpiW (lpString1="BOOTSECT.BAK", lpString2="BOOTSECT.BAK") returned 0 [0073.838] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents and Settings", cAlternateFileName="DOCUME~1")) returned 1 [0073.838] lstrcmpiW (lpString1="Documents and Settings", lpString2=".") returned 1 [0073.838] lstrcmpiW (lpString1="Documents and Settings", lpString2="..") returned 1 [0073.838] lstrcmpiW (lpString1="Documents and Settings", lpString2="...") returned 1 [0073.838] lstrcmpiW (lpString1="Documents and Settings", lpString2="windows") returned -1 [0073.838] lstrcmpiW (lpString1="Documents and Settings", lpString2="$RECYCLE.BIN") returned 1 [0073.838] lstrcmpiW (lpString1="Documents and Settings", lpString2="rsa") returned -1 [0073.838] lstrcmpiW (lpString1="Documents and Settings", lpString2="NTDETECT.COM") returned -1 [0073.838] lstrcmpiW (lpString1="Documents and Settings", lpString2="ntldr") returned -1 [0073.838] lstrcmpiW (lpString1="Documents and Settings", lpString2="MSDOS.SYS") returned -1 [0073.838] lstrcmpiW (lpString1="Documents and Settings", lpString2="IO.SYS") returned -1 [0073.838] lstrcmpiW (lpString1="Documents and Settings", lpString2="boot.ini") returned 1 [0073.838] lstrcmpiW (lpString1="Documents and Settings", lpString2="AUTOEXEC.BAT") returned 1 [0073.838] lstrcmpiW (lpString1="Documents and Settings", lpString2="ntuser.dat") returned -1 [0073.838] lstrcmpiW (lpString1="Documents and Settings", lpString2="desktop.ini") returned 1 [0073.839] lstrcmpiW (lpString1="Documents and Settings", lpString2="CONFIG.SYS") returned 1 [0073.839] lstrcmpiW (lpString1="Documents and Settings", lpString2="RECYCLER") returned -1 [0073.839] lstrcmpiW (lpString1="Documents and Settings", lpString2="BOOTSECT.BAK") returned 1 [0073.839] lstrcmpiW (lpString1="Documents and Settings", lpString2="bootmgr") returned 1 [0073.839] lstrcmpiW (lpString1="Documents and Settings", lpString2="programdata") returned -1 [0073.839] lstrcmpiW (lpString1="Documents and Settings", lpString2="appdata") returned 1 [0073.839] lstrcmpiW (lpString1="Documents and Settings", lpString2="program files") returned -1 [0073.839] lstrcmpiW (lpString1="Documents and Settings", lpString2="program files (x86)") returned -1 [0073.839] lstrcmpiW (lpString1="Documents and Settings", lpString2="microsoft") returned -1 [0073.839] lstrcmpiW (lpString1="Documents and Settings", lpString2="sophos") returned -1 [0073.839] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0073.839] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.839] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.839] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0073.839] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0073.839] FindFirstFileW (in: lpFileName="C:\\Documents and Settings\\*.*", lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x3c, ftLastAccessTime.dwLowDateTime=0xbc0000, ftLastAccessTime.dwHighDateTime=0x14000014, ftLastWriteTime.dwLowDateTime=0x779b15ca, ftLastWriteTime.dwHighDateTime=0xc2f97a18, nFileSizeHigh=0x2680000, nFileSizeLow=0x9000009, dwReserved0=0x26820d0, dwReserved1=0x48, cFileName="", cAlternateFileName="ɛ⊺Ċᒸɨ⌨ɨ4")) returned 0xffffffff [0073.840] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0073.840] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0073.840] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.840] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ESD", cAlternateFileName="")) returned 1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2=".") returned 1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="..") returned 1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="...") returned 1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="windows") returned -1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="$RECYCLE.BIN") returned 1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="rsa") returned -1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="NTDETECT.COM") returned -1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="ntldr") returned -1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="MSDOS.SYS") returned -1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="IO.SYS") returned -1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="boot.ini") returned 1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="AUTOEXEC.BAT") returned 1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="ntuser.dat") returned -1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="desktop.ini") returned 1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="CONFIG.SYS") returned 1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="RECYCLER") returned -1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="BOOTSECT.BAK") returned 1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="bootmgr") returned 1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="programdata") returned -1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="appdata") returned 1 [0073.840] lstrcmpiW (lpString1="ESD", lpString2="program files") returned -1 [0073.841] lstrcmpiW (lpString1="ESD", lpString2="program files (x86)") returned -1 [0073.841] lstrcmpiW (lpString1="ESD", lpString2="microsoft") returned -1 [0073.841] lstrcmpiW (lpString1="ESD", lpString2="sophos") returned -1 [0073.841] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.841] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.841] FindFirstFileW (in: lpFileName="C:\\ESD\\*.*", lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x48, cFileName=".", cAlternateFileName="")) returned 0xbe2608 [0073.846] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.846] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x48, cFileName="..", cAlternateFileName="")) returned 1 [0073.846] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.846] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.846] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c2b2eaf, ftCreationTime.dwHighDateTime=0x1d32718, ftLastAccessTime.dwLowDateTime=0xc1969407, ftLastAccessTime.dwHighDateTime=0x1d327d0, ftLastWriteTime.dwLowDateTime=0xc1969407, ftLastWriteTime.dwHighDateTime=0x1d327d0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x48, cFileName="..", cAlternateFileName="")) returned 0 [0073.846] FindClose (in: hFindFile=0xbe2608 | out: hFindFile=0xbe2608) returned 1 [0073.846] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.846] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7ef2dddf, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7ef2dddf, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xab460c6f, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x332fe000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="hiberfil.sys", cAlternateFileName="")) returned 1 [0073.846] lstrcmpiW (lpString1="hiberfil.sys", lpString2=".") returned 1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="..") returned 1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="...") returned 1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="windows") returned -1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="$RECYCLE.BIN") returned 1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="rsa") returned -1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="NTDETECT.COM") returned -1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="ntldr") returned -1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="MSDOS.SYS") returned -1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="IO.SYS") returned -1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="boot.ini") returned 1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="AUTOEXEC.BAT") returned 1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="ntuser.dat") returned -1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="desktop.ini") returned 1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="CONFIG.SYS") returned 1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="RECYCLER") returned -1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="BOOTSECT.BAK") returned 1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="bootmgr") returned 1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="programdata") returned -1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="appdata") returned 1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="program files") returned -1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="program files (x86)") returned -1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="microsoft") returned -1 [0073.847] lstrcmpiW (lpString1="hiberfil.sys", lpString2="sophos") returned -1 [0073.847] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.847] PathFindExtensionW (pszPath="hiberfil.sys") returned=".sys" [0073.847] lstrcmpiW (lpString1=".sys", lpString2=".exe") returned 1 [0073.847] lstrcmpiW (lpString1=".sys", lpString2=".log") returned 1 [0073.847] lstrcmpiW (lpString1=".sys", lpString2=".cab") returned 1 [0073.847] lstrcmpiW (lpString1=".sys", lpString2=".cmd") returned 1 [0073.847] lstrcmpiW (lpString1=".sys", lpString2=".com") returned 1 [0073.847] lstrcmpiW (lpString1=".sys", lpString2=".cpl") returned 1 [0073.847] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0073.847] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0073.847] lstrcmpiW (lpString1=".sys", lpString2=".url") returned -1 [0073.847] lstrcmpiW (lpString1=".sys", lpString2=".ttf") returned -1 [0073.847] lstrcmpiW (lpString1=".sys", lpString2=".mp3") returned 1 [0073.848] lstrcmpiW (lpString1=".sys", lpString2=".pif") returned 1 [0073.848] lstrcmpiW (lpString1=".sys", lpString2=".mp4") returned 1 [0073.848] lstrcmpiW (lpString1=".sys", lpString2=".NEFILIM") returned 1 [0073.848] lstrcmpiW (lpString1=".sys", lpString2=".msi") returned 1 [0073.848] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0073.848] lstrcmpiW (lpString1="hiberfil.sys", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.848] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.848] CreateFileW (lpFileName="C:\\hiberfil.sys" (normalized: "c:\\hiberfil.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0073.848] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bf458 | out: lpFileSize=0x25bf458*=75031468087965748) returned 0 [0073.848] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e060 [0073.848] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e120 [0073.848] SystemFunction036 (in: RandomBuffer=0x268e060, RandomBufferLength=0x10 | out: RandomBuffer=0x268e060) returned 1 [0073.848] SystemFunction036 (in: RandomBuffer=0x268e120, RandomBufferLength=0x10 | out: RandomBuffer=0x268e120) returned 1 [0073.848] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0070 [0073.848] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d11f8 [0073.848] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0070*, pdwDataLen=0x25bf418*=0x10, dwBufLen=0x100 | out: pbData=0x29d0070*, pdwDataLen=0x25bf418*=0x100) returned 1 [0073.849] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d11f8*, pdwDataLen=0x25bf414*=0x10, dwBufLen=0x100 | out: pbData=0x29d11f8*, pdwDataLen=0x25bf414*=0x100) returned 1 [0073.850] GetTickCount () returned 0x1153c98 [0073.850] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0073.850] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0073.850] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0073.851] SetLastError (dwErrCode=0x0) [0073.851] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d0070, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf470, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bf470, lpOverlapped=0x0) returned 0 [0073.851] GetLastError () returned 0x6 [0073.851] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0073.851] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Logs", cAlternateFileName="")) returned 1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2=".") returned 1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="..") returned 1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="...") returned 1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="windows") returned -1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="$RECYCLE.BIN") returned 1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="rsa") returned -1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="NTDETECT.COM") returned -1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="ntldr") returned -1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="MSDOS.SYS") returned -1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="IO.SYS") returned 1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="boot.ini") returned 1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="AUTOEXEC.BAT") returned 1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="ntuser.dat") returned -1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="desktop.ini") returned 1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="CONFIG.SYS") returned 1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="RECYCLER") returned -1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="BOOTSECT.BAK") returned 1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="bootmgr") returned 1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="programdata") returned -1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="appdata") returned 1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="program files") returned -1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="program files (x86)") returned -1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="microsoft") returned -1 [0073.851] lstrcmpiW (lpString1="Logs", lpString2="sophos") returned -1 [0073.851] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0073.851] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0073.851] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0073.851] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2682328 [0073.851] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26814b8 [0073.851] FindFirstFileW (in: lpFileName="C:\\Logs\\*.*", lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName=".", cAlternateFileName="")) returned 0xbe2348 [0073.856] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0073.856] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdf1d773, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xa03727f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfd9ec80, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="..", cAlternateFileName="")) returned 1 [0073.861] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0073.861] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0073.861] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5052fa31, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5052fa31, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Application.evtx", cAlternateFileName="APPLIC~1.EVT")) returned 1 [0073.861] lstrcmpiW (lpString1="Application.evtx", lpString2=".") returned 1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="..") returned 1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="...") returned 1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="windows") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="$RECYCLE.BIN") returned 1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="rsa") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="NTDETECT.COM") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="ntldr") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="MSDOS.SYS") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="IO.SYS") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="boot.ini") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="AUTOEXEC.BAT") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="ntuser.dat") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="desktop.ini") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="CONFIG.SYS") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="RECYCLER") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="BOOTSECT.BAK") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="bootmgr") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="programdata") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="appdata") returned 1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="program files") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="program files (x86)") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="microsoft") returned -1 [0073.862] lstrcmpiW (lpString1="Application.evtx", lpString2="sophos") returned -1 [0073.862] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0073.862] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.862] PathFindExtensionW (pszPath="Application.evtx") returned=".evtx" [0073.862] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0073.862] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0073.862] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0073.862] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0073.862] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0073.862] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0073.862] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0073.862] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0073.862] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0073.863] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0073.863] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0073.863] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0073.863] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0073.863] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0073.863] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0073.863] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0073.863] lstrcmpiW (lpString1="Application.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.863] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.863] CreateFileW (lpFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0073.865] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0073.865] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0073.865] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0073.865] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0073.865] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0073.866] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0073.866] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0280 [0073.866] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0073.867] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0280*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0280*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0073.868] GetTickCount () returned 0x1153ca8 [0073.868] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812c0 [0073.868] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0073.868] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.868] SetLastError (dwErrCode=0x0) [0073.868] WriteFile (in: hFile=0x260, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0073.869] GetLastError () returned 0x0 [0073.869] GetLastError () returned 0x0 [0073.869] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.869] WriteFile (in: hFile=0x260, lpBuffer=0x29d0280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0280*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0073.869] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.869] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x27046f77, dwHighDateTime=0x1d5f971)) [0073.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0073.869] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0073.869] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0073.869] GetProcessHeap () returned 0xbc0000 [0073.869] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbeb608 [0073.869] GetSystemDefaultLangID () returned 0xbd0409 [0073.869] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.869] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0073.912] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.912] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0073.913] GetProcessHeap () returned 0xbc0000 [0073.913] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0073.913] CloseHandle (hObject=0x260) returned 1 [0073.915] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0073.915] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0280 | out: hHeap=0x2680000) returned 1 [0073.915] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0073.915] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0073.915] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0073.915] MoveFileW (lpExistingFileName="C:\\Logs\\Application.evtx" (normalized: "c:\\logs\\application.evtx"), lpNewFileName="C:\\Logs\\Application.evtx.NEFILIM" (normalized: "c:\\logs\\application.evtx.nefilim")) returned 1 [0073.916] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0073.916] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.916] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505ee5f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505ee5f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="HardwareEvents.evtx", cAlternateFileName="HARDWA~1.EVT")) returned 1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2=".") returned 1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="..") returned 1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="...") returned 1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="windows") returned -1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="$RECYCLE.BIN") returned 1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="rsa") returned -1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="NTDETECT.COM") returned -1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="ntldr") returned -1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="MSDOS.SYS") returned -1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="IO.SYS") returned -1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="boot.ini") returned 1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="ntuser.dat") returned -1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="desktop.ini") returned 1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="CONFIG.SYS") returned 1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="RECYCLER") returned -1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="BOOTSECT.BAK") returned 1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="bootmgr") returned 1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="programdata") returned -1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="appdata") returned 1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="program files") returned -1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="program files (x86)") returned -1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="microsoft") returned -1 [0073.916] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="sophos") returned -1 [0073.916] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.916] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0073.916] PathFindExtensionW (pszPath="HardwareEvents.evtx") returned=".evtx" [0073.916] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0073.916] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0073.916] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0073.916] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0073.916] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0073.917] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0073.917] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0073.917] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0073.917] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0073.917] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0073.917] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0073.917] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0073.917] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0073.917] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0073.917] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0073.917] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0073.917] lstrcmpiW (lpString1="HardwareEvents.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.917] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0073.917] CreateFileW (lpFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0073.918] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0073.918] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0073.918] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0073.918] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0073.918] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0073.918] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0073.918] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0073.918] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0073.918] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0073.918] GetTickCount () returned 0x1153cd6 [0073.918] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812c0 [0073.918] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0073.919] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.919] SetLastError (dwErrCode=0x0) [0073.919] WriteFile (in: hFile=0x260, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0073.920] GetLastError () returned 0x0 [0073.920] GetLastError () returned 0x0 [0073.920] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.920] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0073.920] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.920] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x270df8e7, dwHighDateTime=0x1d5f971)) [0073.920] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0073.920] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0073.920] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0073.920] GetProcessHeap () returned 0xbc0000 [0073.920] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbeb608 [0073.920] GetSystemDefaultLangID () returned 0xbd0409 [0073.920] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.920] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0073.924] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.924] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0073.925] GetProcessHeap () returned 0xbc0000 [0073.925] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0073.925] CloseHandle (hObject=0x260) returned 1 [0073.926] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0073.926] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0073.926] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0073.926] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0073.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0073.927] MoveFileW (lpExistingFileName="C:\\Logs\\HardwareEvents.evtx" (normalized: "c:\\logs\\hardwareevents.evtx"), lpNewFileName="C:\\Logs\\HardwareEvents.evtx.NEFILIM" (normalized: "c:\\logs\\hardwareevents.evtx.nefilim")) returned 1 [0073.927] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0073.927] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0073.927] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505a2134, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505a2134, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Internet Explorer.evtx", cAlternateFileName="INTERN~1.EVT")) returned 1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2=".") returned 1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="..") returned 1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="...") returned 1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="windows") returned -1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="$RECYCLE.BIN") returned 1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="rsa") returned -1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="NTDETECT.COM") returned -1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="ntldr") returned -1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="MSDOS.SYS") returned -1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="IO.SYS") returned -1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="boot.ini") returned 1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="ntuser.dat") returned -1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="desktop.ini") returned 1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="CONFIG.SYS") returned 1 [0073.927] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="RECYCLER") returned -1 [0073.928] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="BOOTSECT.BAK") returned 1 [0073.928] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="bootmgr") returned 1 [0073.928] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="programdata") returned -1 [0073.928] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="appdata") returned 1 [0073.928] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="program files") returned -1 [0073.928] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="program files (x86)") returned -1 [0073.928] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="microsoft") returned -1 [0073.928] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="sophos") returned -1 [0073.928] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0073.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.928] PathFindExtensionW (pszPath="Internet Explorer.evtx") returned=".evtx" [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0073.928] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0073.928] lstrcmpiW (lpString1="Internet Explorer.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.928] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0073.928] CreateFileW (lpFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0073.928] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0073.929] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0073.929] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0073.929] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0073.929] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0073.929] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0073.929] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0073.929] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0073.930] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0073.931] GetTickCount () returned 0x1153ce6 [0073.931] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812c0 [0073.931] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0073.931] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.931] SetLastError (dwErrCode=0x0) [0073.931] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0073.932] GetLastError () returned 0x0 [0073.932] GetLastError () returned 0x0 [0073.932] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.932] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0073.932] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.932] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x270df8e7, dwHighDateTime=0x1d5f971)) [0073.932] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0073.932] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0073.933] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0073.933] GetProcessHeap () returned 0xbc0000 [0073.933] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbeb608 [0073.933] GetSystemDefaultLangID () returned 0xbd0409 [0073.933] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.933] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0073.938] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.938] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0073.938] GetProcessHeap () returned 0xbc0000 [0073.938] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0073.938] CloseHandle (hObject=0x260) returned 1 [0073.940] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0073.940] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0073.940] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0073.941] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0073.941] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0073.941] MoveFileW (lpExistingFileName="C:\\Logs\\Internet Explorer.evtx" (normalized: "c:\\logs\\internet explorer.evtx"), lpNewFileName="C:\\Logs\\Internet Explorer.evtx.NEFILIM" (normalized: "c:\\logs\\internet explorer.evtx.nefilim")) returned 1 [0073.941] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0073.941] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0073.941] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5057bed8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5057bed8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Key Management Service.evtx", cAlternateFileName="KEYMAN~1.EVT")) returned 1 [0073.941] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2=".") returned 1 [0073.941] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="..") returned 1 [0073.941] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="...") returned 1 [0073.941] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="windows") returned -1 [0073.941] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="$RECYCLE.BIN") returned 1 [0073.941] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="rsa") returned -1 [0073.941] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="NTDETECT.COM") returned -1 [0073.941] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="ntldr") returned -1 [0073.941] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="MSDOS.SYS") returned -1 [0073.941] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="IO.SYS") returned 1 [0073.941] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="boot.ini") returned 1 [0073.941] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0073.941] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="ntuser.dat") returned -1 [0073.941] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="desktop.ini") returned 1 [0073.942] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="CONFIG.SYS") returned 1 [0073.942] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="RECYCLER") returned -1 [0073.942] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="BOOTSECT.BAK") returned 1 [0073.942] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="bootmgr") returned 1 [0073.942] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="programdata") returned -1 [0073.942] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="appdata") returned 1 [0073.942] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="program files") returned -1 [0073.942] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="program files (x86)") returned -1 [0073.942] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="microsoft") returned -1 [0073.942] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="sophos") returned -1 [0073.942] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0073.942] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0073.942] PathFindExtensionW (pszPath="Key Management Service.evtx") returned=".evtx" [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0073.942] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0073.942] lstrcmpiW (lpString1="Key Management Service.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0073.942] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0073.942] CreateFileW (lpFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0073.943] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0073.943] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0073.943] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0073.943] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0073.943] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0073.943] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0073.943] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0073.943] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0073.944] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0073.945] GetTickCount () returned 0x1153cf6 [0073.945] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681278 [0073.945] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0073.945] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.945] SetLastError (dwErrCode=0x0) [0073.945] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0073.946] GetLastError () returned 0x0 [0073.946] GetLastError () returned 0x0 [0073.946] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.946] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0073.946] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.946] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x27105b78, dwHighDateTime=0x1d5f971)) [0073.946] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0073.947] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0073.947] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0073.947] GetProcessHeap () returned 0xbc0000 [0073.947] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbeb608 [0073.947] GetSystemDefaultLangID () returned 0xbd0409 [0073.947] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.947] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0073.994] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0073.994] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0073.994] GetProcessHeap () returned 0xbc0000 [0073.994] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0073.994] CloseHandle (hObject=0x260) returned 1 [0074.001] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0074.001] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0074.001] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0074.001] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0074.001] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680510 [0074.001] MoveFileW (lpExistingFileName="C:\\Logs\\Key Management Service.evtx" (normalized: "c:\\logs\\key management service.evtx"), lpNewFileName="C:\\Logs\\Key Management Service.evtx.NEFILIM" (normalized: "c:\\logs\\key management service.evtx.nefilim")) returned 1 [0074.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0074.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0074.002] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1dbd7c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1dbd7c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Client-Licensing-Platform%4Admin.evtx", cAlternateFileName="MICROS~1.EVT")) returned 1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2=".") returned 1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="..") returned 1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="...") returned 1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="windows") returned -1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="rsa") returned -1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="ntldr") returned -1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="IO.SYS") returned 1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="boot.ini") returned 1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="desktop.ini") returned 1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="RECYCLER") returned -1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="bootmgr") returned 1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="programdata") returned -1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="appdata") returned 1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="program files") returned -1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="program files (x86)") returned -1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="microsoft") returned 1 [0074.002] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="sophos") returned -1 [0074.002] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0074.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0074.002] PathFindExtensionW (pszPath="Microsoft-Client-Licensing-Platform%4Admin.evtx") returned=".evtx" [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0074.003] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0074.003] lstrcmpiW (lpString1="Microsoft-Client-Licensing-Platform%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0074.003] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0074.003] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0074.003] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0074.003] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0074.003] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e198 [0074.003] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0074.003] SystemFunction036 (in: RandomBuffer=0x268e198, RandomBufferLength=0x10 | out: RandomBuffer=0x268e198) returned 1 [0074.003] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0074.003] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0074.003] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0074.005] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0074.006] GetTickCount () returned 0x1153d44 [0074.006] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0074.006] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.006] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.006] SetLastError (dwErrCode=0x0) [0074.006] WriteFile (in: hFile=0x260, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.007] GetLastError () returned 0x0 [0074.007] GetLastError () returned 0x0 [0074.007] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.007] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.007] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.007] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x271a7737, dwHighDateTime=0x1d5f971)) [0074.007] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0074.007] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.007] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0074.007] GetProcessHeap () returned 0xbc0000 [0074.007] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbeb608 [0074.007] GetSystemDefaultLangID () returned 0xbd0409 [0074.007] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.007] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0074.012] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.012] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0074.012] GetProcessHeap () returned 0xbc0000 [0074.012] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0074.013] CloseHandle (hObject=0x260) returned 1 [0074.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0074.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0074.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0074.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e198 | out: hHeap=0x2680000) returned 1 [0074.019] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0074.019] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Client-Licensing-Platform%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-client-licensing-platform%4admin.evtx.nefilim")) returned 1 [0074.020] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0074.020] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0074.020] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5d836e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5d836e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", cAlternateFileName="MICROS~2.EVT")) returned 1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2=".") returned 1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="..") returned 1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="...") returned 1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="windows") returned -1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="$RECYCLE.BIN") returned 1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="rsa") returned -1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="NTDETECT.COM") returned -1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="ntldr") returned -1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="MSDOS.SYS") returned -1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="IO.SYS") returned 1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="boot.ini") returned 1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="ntuser.dat") returned -1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="desktop.ini") returned 1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="CONFIG.SYS") returned 1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="RECYCLER") returned -1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="BOOTSECT.BAK") returned 1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="bootmgr") returned 1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="programdata") returned -1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="appdata") returned 1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="program files") returned -1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="program files (x86)") returned -1 [0074.020] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="microsoft") returned 1 [0074.021] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="sophos") returned -1 [0074.021] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268bd90 [0074.021] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0074.021] PathFindExtensionW (pszPath="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx") returned=".evtx" [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0074.021] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0074.021] lstrcmpiW (lpString1="Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0074.021] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x26804b8 [0074.021] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0074.022] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0074.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0074.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0074.022] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0074.022] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0074.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0074.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0074.022] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0074.023] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0074.023] GetTickCount () returned 0x1153d44 [0074.023] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2680570 [0074.023] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680570 | out: hHeap=0x2680000) returned 1 [0074.023] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.023] SetLastError (dwErrCode=0x0) [0074.023] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.024] GetLastError () returned 0x0 [0074.024] GetLastError () returned 0x0 [0074.024] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.024] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.024] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.024] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x271c4774, dwHighDateTime=0x1d5f971)) [0074.024] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0074.024] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.024] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0074.024] GetProcessHeap () returned 0xbc0000 [0074.024] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbeb608 [0074.024] GetSystemDefaultLangID () returned 0xbd0409 [0074.024] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.025] ReadFile (in: hFile=0x260, lpBuffer=0xbeb608, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0074.065] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.065] WriteFile (in: hFile=0x260, lpBuffer=0xbeb608*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbeb608*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0074.065] GetProcessHeap () returned 0xbc0000 [0074.065] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbeb608 | out: hHeap=0xbc0000) returned 1 [0074.065] CloseHandle (hObject=0x260) returned 1 [0074.068] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0074.068] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0074.068] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0074.068] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0074.068] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e2e8 [0074.068] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-application-experience%4program-compatibility-assistant.evtx.nefilim")) returned 1 [0074.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0074.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0074.069] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9206ac5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9206ac5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9c0f529, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", cAlternateFileName="MICROS~3.EVT")) returned 1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2=".") returned 1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="..") returned 1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="...") returned 1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="windows") returned -1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="rsa") returned -1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="ntldr") returned -1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="IO.SYS") returned 1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="boot.ini") returned 1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="desktop.ini") returned 1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="RECYCLER") returned -1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="bootmgr") returned 1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="programdata") returned -1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="appdata") returned 1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="program files") returned -1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="program files (x86)") returned -1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="microsoft") returned 1 [0074.069] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="sophos") returned -1 [0074.069] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x26804b8 [0074.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0074.069] PathFindExtensionW (pszPath="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx") returned=".evtx" [0074.069] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0074.069] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0074.069] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0074.070] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0074.070] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0074.070] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0074.070] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0074.070] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0074.070] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0074.070] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0074.070] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0074.070] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0074.070] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0074.070] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0074.070] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0074.070] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0074.070] lstrcmpiW (lpString1="Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0074.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268bd90 [0074.070] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0074.071] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=1052672) returned 1 [0074.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0074.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0074.071] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0074.071] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0074.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0074.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0074.071] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0074.072] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0074.073] GetTickCount () returned 0x1153d73 [0074.073] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2680560 [0074.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0074.073] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.073] SetLastError (dwErrCode=0x0) [0074.073] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.074] GetLastError () returned 0x0 [0074.074] GetLastError () returned 0x0 [0074.074] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.074] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.074] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.074] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x27236ec1, dwHighDateTime=0x1d5f971)) [0074.074] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0074.074] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0074.074] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0074.074] GetProcessHeap () returned 0xbc0000 [0074.074] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x101000) returned 0x2ad0020 [0074.077] GetSystemDefaultLangID () returned 0xbd0409 [0074.077] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.077] ReadFile (in: hFile=0x260, lpBuffer=0x2ad0020, nNumberOfBytesToRead=0x101000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0x2ad0020*, lpNumberOfBytesRead=0x25bf15c*=0x101000, lpOverlapped=0x0) returned 1 [0074.246] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.246] WriteFile (in: hFile=0x260, lpBuffer=0x2ad0020*, nNumberOfBytesToWrite=0x101000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2ad0020*, lpNumberOfBytesWritten=0x25bf150*=0x101000, lpOverlapped=0x0) returned 1 [0074.252] GetProcessHeap () returned 0xbc0000 [0074.252] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0x2ad0020 | out: hHeap=0xbc0000) returned 1 [0074.257] CloseHandle (hObject=0x260) returned 1 [0074.277] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0074.277] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0074.277] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0074.277] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0074.277] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0074.277] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-applicationresourcemanagementsystem%4operational.evtx.nefilim")) returned 1 [0074.316] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0074.316] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0074.316] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", cAlternateFileName="MICROS~4.EVT")) returned 1 [0074.316] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2=".") returned 1 [0074.316] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="..") returned 1 [0074.316] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="...") returned 1 [0074.316] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="windows") returned -1 [0074.316] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="$RECYCLE.BIN") returned 1 [0074.316] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="rsa") returned -1 [0074.316] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="NTDETECT.COM") returned -1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="ntldr") returned -1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="MSDOS.SYS") returned -1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="IO.SYS") returned 1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="boot.ini") returned 1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="ntuser.dat") returned -1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="desktop.ini") returned 1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="CONFIG.SYS") returned 1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="RECYCLER") returned -1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="BOOTSECT.BAK") returned 1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="bootmgr") returned 1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="programdata") returned -1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="appdata") returned 1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="program files") returned -1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="program files (x86)") returned -1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="microsoft") returned 1 [0074.317] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="sophos") returned -1 [0074.317] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0074.317] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0074.317] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4EXE and DLL.evtx") returned=".evtx" [0074.317] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0074.317] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0074.317] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0074.317] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0074.317] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0074.317] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0074.317] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0074.317] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0074.317] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0074.317] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0074.318] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0074.318] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0074.318] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0074.318] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0074.318] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0074.318] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0074.318] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4EXE and DLL.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0074.318] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0074.318] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0074.318] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0074.319] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0074.319] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0074.319] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0074.319] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0074.319] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0074.319] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0074.319] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0074.321] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0074.322] GetTickCount () returned 0x1153e7c [0074.322] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0074.322] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.322] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.322] SetLastError (dwErrCode=0x0) [0074.322] WriteFile (in: hFile=0x260, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.324] GetLastError () returned 0x0 [0074.324] GetLastError () returned 0x0 [0074.324] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.324] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.324] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.324] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x274bb24a, dwHighDateTime=0x1d5f971)) [0074.324] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0074.324] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.324] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0074.324] GetProcessHeap () returned 0xbc0000 [0074.324] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0074.325] GetSystemDefaultLangID () returned 0xbd0409 [0074.325] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.325] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0074.333] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.333] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0074.333] GetProcessHeap () returned 0xbc0000 [0074.333] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0074.333] CloseHandle (hObject=0x260) returned 1 [0074.336] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0074.336] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0074.336] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0074.336] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0074.336] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0074.336] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-applocker%4exe and dll.evtx.nefilim")) returned 1 [0074.340] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0074.340] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0074.341] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4169a7a, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4169a7a, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-AppLocker%4MSI and Script.evtx", cAlternateFileName="MI2EEA~1.EVT")) returned 1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2=".") returned 1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="..") returned 1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="...") returned 1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="windows") returned -1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="$RECYCLE.BIN") returned 1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="rsa") returned -1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="NTDETECT.COM") returned -1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="ntldr") returned -1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="MSDOS.SYS") returned -1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="IO.SYS") returned 1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="boot.ini") returned 1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="ntuser.dat") returned -1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="desktop.ini") returned 1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="CONFIG.SYS") returned 1 [0074.341] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="RECYCLER") returned -1 [0074.342] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="BOOTSECT.BAK") returned 1 [0074.342] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="bootmgr") returned 1 [0074.342] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="programdata") returned -1 [0074.342] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="appdata") returned 1 [0074.342] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="program files") returned -1 [0074.342] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="program files (x86)") returned -1 [0074.342] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="microsoft") returned 1 [0074.342] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="sophos") returned -1 [0074.342] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0074.342] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0074.342] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4MSI and Script.evtx") returned=".evtx" [0074.342] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0074.342] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0074.342] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0074.342] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0074.342] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0074.342] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0074.342] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0074.342] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0074.342] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0074.342] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0074.342] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0074.342] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0074.342] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0074.343] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0074.343] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0074.343] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0074.343] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4MSI and Script.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0074.343] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0074.343] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0074.343] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0074.343] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df40 [0074.343] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0074.343] SystemFunction036 (in: RandomBuffer=0x268df40, RandomBufferLength=0x10 | out: RandomBuffer=0x268df40) returned 1 [0074.343] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0074.343] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0cd0 [0074.343] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0074.343] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0cd0*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0cd0*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0074.344] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0074.345] GetTickCount () returned 0x1153e8c [0074.345] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0074.345] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.345] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.346] SetLastError (dwErrCode=0x0) [0074.346] WriteFile (in: hFile=0x260, lpBuffer=0x29d0cd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0cd0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.346] GetLastError () returned 0x0 [0074.346] GetLastError () returned 0x0 [0074.346] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.347] WriteFile (in: hFile=0x260, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.347] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.347] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x274e78d0, dwHighDateTime=0x1d5f971)) [0074.347] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0074.347] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.347] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0074.347] GetProcessHeap () returned 0xbc0000 [0074.347] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0074.347] GetSystemDefaultLangID () returned 0xbd0409 [0074.347] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.347] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0074.352] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.352] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0074.352] GetProcessHeap () returned 0xbc0000 [0074.352] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0074.352] CloseHandle (hObject=0x260) returned 1 [0074.354] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0cd0 | out: hHeap=0x2680000) returned 1 [0074.354] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0074.354] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df40 | out: hHeap=0x2680000) returned 1 [0074.354] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0074.354] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0074.354] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4MSI and Script.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-applocker%4msi and script.evtx.nefilim")) returned 1 [0074.355] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0074.355] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0074.355] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", cAlternateFileName="MI07E1~1.EVT")) returned 1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2=".") returned 1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="..") returned 1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="...") returned 1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="windows") returned -1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="$RECYCLE.BIN") returned 1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="rsa") returned -1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="NTDETECT.COM") returned -1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="ntldr") returned -1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="MSDOS.SYS") returned -1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="IO.SYS") returned 1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="boot.ini") returned 1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="ntuser.dat") returned -1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="desktop.ini") returned 1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="CONFIG.SYS") returned 1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="RECYCLER") returned -1 [0074.355] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="BOOTSECT.BAK") returned 1 [0074.356] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="bootmgr") returned 1 [0074.356] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="programdata") returned -1 [0074.356] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="appdata") returned 1 [0074.356] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="program files") returned -1 [0074.356] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="program files (x86)") returned -1 [0074.356] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="microsoft") returned 1 [0074.356] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="sophos") returned -1 [0074.356] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x2681278 [0074.356] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0074.356] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx") returned=".evtx" [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0074.356] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0074.356] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0074.356] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x26804b8 [0074.356] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0074.356] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0074.356] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0074.357] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0074.357] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0074.357] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0074.357] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0074.357] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0074.357] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0074.357] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0074.491] GetTickCount () returned 0x1153f28 [0074.491] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0074.491] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.491] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.491] SetLastError (dwErrCode=0x0) [0074.491] WriteFile (in: hFile=0x260, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.492] GetLastError () returned 0x0 [0074.492] GetLastError () returned 0x0 [0074.492] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.492] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.492] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.492] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2763f453, dwHighDateTime=0x1d5f971)) [0074.492] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0074.492] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.492] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0074.492] GetProcessHeap () returned 0xbc0000 [0074.492] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0074.493] GetSystemDefaultLangID () returned 0xbd0409 [0074.493] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.493] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0074.499] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.499] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0074.499] GetProcessHeap () returned 0xbc0000 [0074.499] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0074.499] CloseHandle (hObject=0x260) returned 1 [0074.502] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0074.502] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0074.502] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0f0 | out: hHeap=0x2680000) returned 1 [0074.502] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0074.502] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268bd90 [0074.502] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-deployment.evtx.nefilim")) returned 1 [0074.502] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0074.502] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0074.502] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd418fcc3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd418fcc3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", cAlternateFileName="MI8196~1.EVT")) returned 1 [0074.502] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2=".") returned 1 [0074.502] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="..") returned 1 [0074.502] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="...") returned 1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="windows") returned -1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="$RECYCLE.BIN") returned 1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="rsa") returned -1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="NTDETECT.COM") returned -1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="ntldr") returned -1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="MSDOS.SYS") returned -1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="IO.SYS") returned 1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="boot.ini") returned 1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="ntuser.dat") returned -1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="desktop.ini") returned 1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="CONFIG.SYS") returned 1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="RECYCLER") returned -1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="BOOTSECT.BAK") returned 1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="bootmgr") returned 1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="programdata") returned -1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="appdata") returned 1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="program files") returned -1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="program files (x86)") returned -1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="microsoft") returned 1 [0074.503] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="sophos") returned -1 [0074.503] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x26804b8 [0074.503] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0074.503] PathFindExtensionW (pszPath="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx") returned=".evtx" [0074.503] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0074.503] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0074.503] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0074.503] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0074.503] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0074.503] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0074.503] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0074.503] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0074.503] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0074.503] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0074.503] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0074.504] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0074.504] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0074.504] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0074.504] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0074.504] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0074.504] lstrcmpiW (lpString1="Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0074.504] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x2681278 [0074.504] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0074.504] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0074.504] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0074.504] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0074.504] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0074.504] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0074.504] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0074.504] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0074.504] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0074.505] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0074.507] GetTickCount () returned 0x1153f28 [0074.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0074.507] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.507] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.507] SetLastError (dwErrCode=0x0) [0074.507] WriteFile (in: hFile=0x260, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.508] GetLastError () returned 0x0 [0074.508] GetLastError () returned 0x0 [0074.508] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.508] WriteFile (in: hFile=0x260, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.509] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.509] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x276655df, dwHighDateTime=0x1d5f971)) [0074.509] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0074.509] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.509] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0074.509] GetProcessHeap () returned 0xbc0000 [0074.509] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0074.510] GetSystemDefaultLangID () returned 0xbd0409 [0074.510] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.510] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0074.515] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.515] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0074.515] GetProcessHeap () returned 0xbc0000 [0074.515] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0074.515] CloseHandle (hObject=0x260) returned 1 [0074.517] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0074.517] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0074.517] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0074.517] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0074.517] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268bd90 [0074.517] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-applocker%4packaged app-execution.evtx.nefilim")) returned 1 [0074.518] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0074.518] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0074.518] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd41b5f2d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd41b5f2d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", cAlternateFileName="MIE36C~1.EVT")) returned 1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2=".") returned 1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="..") returned 1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="...") returned 1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="windows") returned -1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="rsa") returned -1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="ntldr") returned -1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="IO.SYS") returned 1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="boot.ini") returned 1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="desktop.ini") returned 1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="RECYCLER") returned -1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="bootmgr") returned 1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="programdata") returned -1 [0074.518] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="appdata") returned 1 [0074.519] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="program files") returned -1 [0074.519] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="program files (x86)") returned -1 [0074.519] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="microsoft") returned 1 [0074.519] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="sophos") returned -1 [0074.519] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0074.519] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0074.519] PathFindExtensionW (pszPath="Microsoft-Windows-AppModel-Runtime%4Admin.evtx") returned=".evtx" [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0074.519] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0074.519] lstrcmpiW (lpString1="Microsoft-Windows-AppModel-Runtime%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0074.519] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0074.519] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0074.519] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0074.519] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e198 [0074.519] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0074.519] SystemFunction036 (in: RandomBuffer=0x268e198, RandomBufferLength=0x10 | out: RandomBuffer=0x268e198) returned 1 [0074.519] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0074.520] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0074.520] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0074.520] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0074.521] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0074.522] GetTickCount () returned 0x1153f38 [0074.522] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0074.522] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.522] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.522] SetLastError (dwErrCode=0x0) [0074.522] WriteFile (in: hFile=0x260, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.523] GetLastError () returned 0x0 [0074.523] GetLastError () returned 0x0 [0074.523] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.523] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.523] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.523] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2768b584, dwHighDateTime=0x1d5f971)) [0074.523] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0074.523] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.523] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0074.523] GetProcessHeap () returned 0xbc0000 [0074.523] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0074.523] GetSystemDefaultLangID () returned 0xbd0409 [0074.523] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.523] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0074.583] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.583] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0074.584] GetProcessHeap () returned 0xbc0000 [0074.584] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0074.584] CloseHandle (hObject=0x260) returned 1 [0074.587] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0074.588] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0074.588] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e198 | out: hHeap=0x2680000) returned 1 [0074.588] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0074.588] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0074.588] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppModel-Runtime%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-appmodel-runtime%4admin.evtx.nefilim")) returned 1 [0074.589] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0074.589] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0074.590] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd389efbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd389efbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-AppReadiness%4Admin.evtx", cAlternateFileName="MIC5CB~1.EVT")) returned 1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2=".") returned 1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="..") returned 1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="...") returned 1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="windows") returned -1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="rsa") returned -1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="ntldr") returned -1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="IO.SYS") returned 1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="boot.ini") returned 1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="desktop.ini") returned 1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="RECYCLER") returned -1 [0074.590] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0074.591] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="bootmgr") returned 1 [0074.591] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="programdata") returned -1 [0074.591] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="appdata") returned 1 [0074.591] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="program files") returned -1 [0074.591] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="program files (x86)") returned -1 [0074.591] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="microsoft") returned 1 [0074.591] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="sophos") returned -1 [0074.591] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0074.591] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0074.591] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Admin.evtx") returned=".evtx" [0074.591] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0074.591] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0074.591] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0074.591] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0074.591] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0074.591] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0074.591] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0074.591] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0074.591] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0074.591] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0074.592] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0074.592] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0074.592] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0074.592] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0074.592] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0074.592] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0074.592] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0074.592] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0074.592] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0074.592] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0074.592] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0074.592] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0074.592] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0074.592] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0074.593] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0074.593] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0074.593] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0074.594] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0074.595] GetTickCount () returned 0x1153f86 [0074.595] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0074.595] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.595] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.595] SetLastError (dwErrCode=0x0) [0074.595] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.596] GetLastError () returned 0x0 [0074.596] GetLastError () returned 0x0 [0074.596] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.596] WriteFile (in: hFile=0x260, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.596] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.596] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x27731bd0, dwHighDateTime=0x1d5f971)) [0074.597] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0074.597] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.597] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0074.597] GetProcessHeap () returned 0xbc0000 [0074.597] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0074.597] GetSystemDefaultLangID () returned 0xbd0409 [0074.597] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.597] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0074.603] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.603] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0074.603] GetProcessHeap () returned 0xbc0000 [0074.603] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0074.603] CloseHandle (hObject=0x260) returned 1 [0074.605] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0074.605] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0074.605] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0074.605] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0074.605] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0074.606] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4admin.evtx.nefilim")) returned 1 [0074.606] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0074.606] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0074.606] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd38c5212, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd38c5212, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-AppReadiness%4Operational.evtx", cAlternateFileName="MIF8AA~1.EVT")) returned 1 [0074.606] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2=".") returned 1 [0074.606] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="..") returned 1 [0074.606] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="...") returned 1 [0074.606] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="windows") returned -1 [0074.606] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0074.606] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="rsa") returned -1 [0074.606] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0074.606] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="ntldr") returned -1 [0074.606] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0074.606] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="IO.SYS") returned 1 [0074.606] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="boot.ini") returned 1 [0074.606] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0074.607] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0074.607] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="desktop.ini") returned 1 [0074.607] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0074.607] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="RECYCLER") returned -1 [0074.607] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0074.607] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="bootmgr") returned 1 [0074.607] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="programdata") returned -1 [0074.607] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="appdata") returned 1 [0074.607] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="program files") returned -1 [0074.607] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="program files (x86)") returned -1 [0074.607] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="microsoft") returned 1 [0074.607] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="sophos") returned -1 [0074.607] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0074.607] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0074.607] PathFindExtensionW (pszPath="Microsoft-Windows-AppReadiness%4Operational.evtx") returned=".evtx" [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0074.607] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0074.607] lstrcmpiW (lpString1="Microsoft-Windows-AppReadiness%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0074.607] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0074.607] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0074.609] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=1118208) returned 1 [0074.610] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0074.610] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0074.610] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0074.610] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0074.610] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0074.610] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0074.610] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0074.611] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0074.612] GetTickCount () returned 0x1153f96 [0074.612] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0074.612] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.612] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.612] SetLastError (dwErrCode=0x0) [0074.612] WriteFile (in: hFile=0x260, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.613] GetLastError () returned 0x0 [0074.613] GetLastError () returned 0x0 [0074.613] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.613] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.613] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.613] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2777e2c5, dwHighDateTime=0x1d5f971)) [0074.613] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0074.614] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.614] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0074.614] GetProcessHeap () returned 0xbc0000 [0074.614] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x111000) returned 0x2ad4020 [0074.618] GetSystemDefaultLangID () returned 0xbd0409 [0074.618] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.618] ReadFile (in: hFile=0x260, lpBuffer=0x2ad4020, nNumberOfBytesToRead=0x111000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0x2ad4020*, lpNumberOfBytesRead=0x25bf15c*=0x111000, lpOverlapped=0x0) returned 1 [0074.842] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.842] WriteFile (in: hFile=0x260, lpBuffer=0x2ad4020*, nNumberOfBytesToWrite=0x111000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2ad4020*, lpNumberOfBytesWritten=0x25bf150*=0x111000, lpOverlapped=0x0) returned 1 [0074.845] GetProcessHeap () returned 0xbc0000 [0074.845] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0x2ad4020 | out: hHeap=0xbc0000) returned 1 [0074.897] CloseHandle (hObject=0x260) returned 1 [0074.914] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0074.914] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0074.915] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0f0 | out: hHeap=0x2680000) returned 1 [0074.915] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0074.915] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0074.915] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppReadiness%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-appreadiness%4operational.evtx.nefilim")) returned 1 [0074.915] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0074.915] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0074.915] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4143825, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4143825, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-AppXDeployment%4Operational.evtx", cAlternateFileName="MI34FE~1.EVT")) returned 1 [0074.915] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2=".") returned 1 [0074.915] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="..") returned 1 [0074.915] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="...") returned 1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="windows") returned -1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="rsa") returned -1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="ntldr") returned -1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="IO.SYS") returned 1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="boot.ini") returned 1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="desktop.ini") returned 1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="RECYCLER") returned -1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="bootmgr") returned 1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="programdata") returned -1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="appdata") returned 1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="program files") returned -1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="program files (x86)") returned -1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="microsoft") returned 1 [0074.916] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="sophos") returned -1 [0074.916] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0074.916] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0074.916] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeployment%4Operational.evtx") returned=".evtx" [0074.916] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0074.916] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0074.916] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0074.916] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0074.916] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0074.916] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0074.916] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0074.916] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0074.916] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0074.916] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0074.916] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0074.916] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0074.917] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0074.917] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0074.917] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0074.917] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0074.917] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeployment%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0074.917] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0074.917] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0074.917] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0074.917] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0074.917] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0074.917] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0074.917] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0074.917] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0074.917] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0074.917] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0074.918] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0074.919] GetTickCount () returned 0x11540ce [0074.919] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0074.919] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.919] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.919] SetLastError (dwErrCode=0x0) [0074.919] WriteFile (in: hFile=0x260, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.920] GetLastError () returned 0x0 [0074.920] GetLastError () returned 0x0 [0074.920] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.920] WriteFile (in: hFile=0x260, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.921] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.921] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x27a5d3ec, dwHighDateTime=0x1d5f971)) [0074.921] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0074.921] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.921] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0074.921] GetProcessHeap () returned 0xbc0000 [0074.921] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0074.921] GetSystemDefaultLangID () returned 0xbd0409 [0074.921] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.921] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0074.925] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.925] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0074.926] GetProcessHeap () returned 0xbc0000 [0074.926] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0074.926] CloseHandle (hObject=0x260) returned 1 [0074.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0074.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0074.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0074.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0074.928] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0074.928] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppXDeployment%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-appxdeployment%4operational.evtx.nefilim")) returned 1 [0074.929] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0074.929] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0074.929] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x211000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", cAlternateFileName="MIA24C~1.EVT")) returned 1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2=".") returned 1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="..") returned 1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="...") returned 1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="windows") returned -1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="rsa") returned -1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="ntldr") returned -1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="IO.SYS") returned 1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="boot.ini") returned 1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="desktop.ini") returned 1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="RECYCLER") returned -1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="bootmgr") returned 1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="programdata") returned -1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="appdata") returned 1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="program files") returned -1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="program files (x86)") returned -1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="microsoft") returned 1 [0074.929] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="sophos") returned -1 [0074.929] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x2681278 [0074.930] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0074.930] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx") returned=".evtx" [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0074.930] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0074.930] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0074.930] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x26804b8 [0074.930] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0074.930] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=2166784) returned 1 [0074.930] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0074.931] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0074.931] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0074.931] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0074.931] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ee0 [0074.931] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0074.931] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ee0*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ee0*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0074.931] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0074.931] GetTickCount () returned 0x11540de [0074.931] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0074.931] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.931] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x211000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.931] SetLastError (dwErrCode=0x0) [0074.931] WriteFile (in: hFile=0x260, lpBuffer=0x29d0ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0ee0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.932] GetLastError () returned 0x0 [0074.932] GetLastError () returned 0x0 [0074.932] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x211100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.932] WriteFile (in: hFile=0x260, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0074.933] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x211200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.933] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x27a791e5, dwHighDateTime=0x1d5f971)) [0074.933] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0074.933] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0074.933] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0074.933] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x927c0) returned 0x25c9020 [0074.934] GetCurrentProcess () returned 0xffffffff [0074.934] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0074.934] ReadFile (in: hFile=0x260, lpBuffer=0x25c9020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0x25c9020*, lpNumberOfBytesRead=0x25bf15c*=0x927c0, lpOverlapped=0x0) returned 1 [0075.025] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.026] WriteFile (in: hFile=0x260, lpBuffer=0x25c9020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x25c9020*, lpNumberOfBytesWritten=0x25bf150*=0x927c0, lpOverlapped=0x0) returned 1 [0075.027] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x25c9020 | out: hHeap=0x2680000) returned 1 [0075.030] CloseHandle (hObject=0x260) returned 1 [0075.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ee0 | out: hHeap=0x2680000) returned 1 [0075.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0075.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0075.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0075.176] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268bd90 [0075.176] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4operational.evtx.nefilim")) returned 1 [0075.179] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0075.179] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0075.179] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5af3554f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5af3554f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", cAlternateFileName="MIDBEC~1.EVT")) returned 1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2=".") returned 1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="..") returned 1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="...") returned 1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="windows") returned -1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="$RECYCLE.BIN") returned 1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="rsa") returned -1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="NTDETECT.COM") returned -1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="ntldr") returned -1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="MSDOS.SYS") returned -1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="IO.SYS") returned 1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="boot.ini") returned 1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="ntuser.dat") returned -1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="desktop.ini") returned 1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="CONFIG.SYS") returned 1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="RECYCLER") returned -1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="BOOTSECT.BAK") returned 1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="bootmgr") returned 1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="programdata") returned -1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="appdata") returned 1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="program files") returned -1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="program files (x86)") returned -1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="microsoft") returned 1 [0075.180] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="sophos") returned -1 [0075.180] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0075.180] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0075.180] PathFindExtensionW (pszPath="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx") returned=".evtx" [0075.180] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0075.180] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0075.180] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0075.180] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0075.180] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0075.180] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0075.180] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0075.180] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0075.180] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0075.181] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0075.181] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0075.181] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0075.181] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0075.181] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0075.181] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0075.181] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0075.181] lstrcmpiW (lpString1="Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0075.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0075.181] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0075.182] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0075.183] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0075.183] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0075.183] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0075.183] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0075.183] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0075.183] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0075.183] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0075.184] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0075.185] GetTickCount () returned 0x11541d8 [0075.185] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0075.185] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0075.185] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.185] SetLastError (dwErrCode=0x0) [0075.185] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.186] GetLastError () returned 0x0 [0075.186] GetLastError () returned 0x0 [0075.186] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.186] WriteFile (in: hFile=0x260, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.186] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.186] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x27cdb65c, dwHighDateTime=0x1d5f971)) [0075.186] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0075.186] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0075.187] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0075.187] GetProcessHeap () returned 0xbc0000 [0075.187] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0075.187] GetSystemDefaultLangID () returned 0xbd0409 [0075.187] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.187] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0075.192] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.192] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0075.193] GetProcessHeap () returned 0xbc0000 [0075.193] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0075.193] CloseHandle (hObject=0x260) returned 1 [0075.195] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0075.195] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0075.195] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0075.195] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0075.195] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0075.195] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-appxdeploymentserver%4restricted.evtx.nefilim")) returned 1 [0075.196] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0075.196] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0075.196] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85798667, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x85798667, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-AppxPackaging%4Operational.evtx", cAlternateFileName="MI54F1~1.EVT")) returned 1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2=".") returned 1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="..") returned 1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="...") returned 1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="windows") returned -1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="rsa") returned -1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="ntldr") returned -1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="IO.SYS") returned 1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="boot.ini") returned 1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="desktop.ini") returned 1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="RECYCLER") returned -1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="bootmgr") returned 1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="programdata") returned -1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="appdata") returned 1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="program files") returned -1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="program files (x86)") returned -1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="microsoft") returned 1 [0075.196] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="sophos") returned -1 [0075.196] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0075.196] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0075.196] PathFindExtensionW (pszPath="Microsoft-Windows-AppxPackaging%4Operational.evtx") returned=".evtx" [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0075.197] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0075.197] lstrcmpiW (lpString1="Microsoft-Windows-AppxPackaging%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0075.197] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0075.197] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0075.197] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0075.197] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0075.197] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df40 [0075.197] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0075.197] SystemFunction036 (in: RandomBuffer=0x268df40, RandomBufferLength=0x10 | out: RandomBuffer=0x268df40) returned 1 [0075.197] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0075.197] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0075.197] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0075.198] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0075.199] GetTickCount () returned 0x11541e7 [0075.199] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0075.199] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0075.199] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.199] SetLastError (dwErrCode=0x0) [0075.199] WriteFile (in: hFile=0x260, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.200] GetLastError () returned 0x0 [0075.200] GetLastError () returned 0x0 [0075.200] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.200] WriteFile (in: hFile=0x260, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.200] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.200] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x27d0186c, dwHighDateTime=0x1d5f971)) [0075.200] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0075.200] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0075.200] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0075.200] GetProcessHeap () returned 0xbc0000 [0075.200] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0075.201] GetSystemDefaultLangID () returned 0xbd0409 [0075.201] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.201] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0075.206] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.206] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0075.206] GetProcessHeap () returned 0xbc0000 [0075.206] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0075.207] CloseHandle (hObject=0x260) returned 1 [0075.350] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0075.350] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0075.350] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0075.350] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df40 | out: hHeap=0x2680000) returned 1 [0075.350] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0075.350] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-AppxPackaging%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-appxpackaging%4operational.evtx.nefilim")) returned 1 [0075.351] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0075.351] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0075.351] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74d25ab, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74d25ab, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", cAlternateFileName="MI111F~1.EVT")) returned 1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2=".") returned 1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="..") returned 1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="...") returned 1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="windows") returned -1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="rsa") returned -1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="ntldr") returned -1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="IO.SYS") returned 1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="boot.ini") returned 1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="desktop.ini") returned 1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="RECYCLER") returned -1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="bootmgr") returned 1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="programdata") returned -1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="appdata") returned 1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="program files") returned -1 [0075.351] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="program files (x86)") returned -1 [0075.352] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="microsoft") returned 1 [0075.352] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="sophos") returned -1 [0075.352] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x26804b8 [0075.352] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0075.352] PathFindExtensionW (pszPath="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx") returned=".evtx" [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0075.352] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0075.352] lstrcmpiW (lpString1="Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0075.352] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268bd90 [0075.352] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0075.567] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0075.567] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0075.567] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0075.567] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0075.567] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0075.567] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0075.567] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0075.567] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0075.569] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0075.570] GetTickCount () returned 0x115435e [0075.570] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2680560 [0075.570] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0075.570] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.570] SetLastError (dwErrCode=0x0) [0075.570] WriteFile (in: hFile=0x260, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.571] GetLastError () returned 0x0 [0075.571] GetLastError () returned 0x0 [0075.571] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.571] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.571] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.571] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x280950e1, dwHighDateTime=0x1d5f971)) [0075.571] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0075.571] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0075.571] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0075.572] GetProcessHeap () returned 0xbc0000 [0075.572] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0075.572] GetSystemDefaultLangID () returned 0xbd0409 [0075.572] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.572] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0075.581] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.581] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0075.582] GetProcessHeap () returned 0xbc0000 [0075.582] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0075.582] CloseHandle (hObject=0x260) returned 1 [0075.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0075.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0075.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0075.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0075.584] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0075.584] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-backgroundtaskinfrastructure%4operational.evtx.nefilim")) returned 1 [0075.585] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0075.585] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0075.585] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1f96ca4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe1f96ca4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Bits-Client%4Operational.evtx", cAlternateFileName="MI9465~1.EVT")) returned 1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2=".") returned 1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="..") returned 1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="...") returned 1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="windows") returned -1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="rsa") returned -1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="ntldr") returned -1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="IO.SYS") returned 1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="boot.ini") returned 1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="desktop.ini") returned 1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="RECYCLER") returned -1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="bootmgr") returned 1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="programdata") returned -1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="appdata") returned 1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="program files") returned -1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="program files (x86)") returned -1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="microsoft") returned 1 [0075.585] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="sophos") returned -1 [0075.586] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0075.586] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0075.586] PathFindExtensionW (pszPath="Microsoft-Windows-Bits-Client%4Operational.evtx") returned=".evtx" [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0075.586] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0075.586] lstrcmpiW (lpString1="Microsoft-Windows-Bits-Client%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0075.586] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0075.586] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0075.586] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0075.586] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0075.586] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0075.586] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0075.586] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0075.587] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0075.587] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0075.587] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0075.587] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0075.587] GetTickCount () returned 0x115436e [0075.587] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0075.587] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0075.587] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.587] SetLastError (dwErrCode=0x0) [0075.587] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.588] GetLastError () returned 0x0 [0075.588] GetLastError () returned 0x0 [0075.588] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.588] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.588] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.588] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x280bb311, dwHighDateTime=0x1d5f971)) [0075.588] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0075.588] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0075.588] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0075.589] GetProcessHeap () returned 0xbc0000 [0075.589] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0075.589] GetSystemDefaultLangID () returned 0xbd0409 [0075.589] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.589] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0075.702] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.702] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0075.703] GetProcessHeap () returned 0xbc0000 [0075.703] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0075.703] CloseHandle (hObject=0x260) returned 1 [0075.705] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0075.705] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0075.705] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0075.705] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0075.705] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0075.705] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Bits-Client%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-bits-client%4operational.evtx.nefilim")) returned 1 [0075.706] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0075.706] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0075.706] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8783aa15, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8783aa15, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-CodeIntegrity%4Operational.evtx", cAlternateFileName="MI03A7~1.EVT")) returned 1 [0075.706] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2=".") returned 1 [0075.706] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="..") returned 1 [0075.706] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="...") returned 1 [0075.706] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="windows") returned -1 [0075.706] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0075.706] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="rsa") returned -1 [0075.706] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0075.706] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="ntldr") returned -1 [0075.706] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0075.706] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="IO.SYS") returned 1 [0075.706] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="boot.ini") returned 1 [0075.707] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0075.707] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0075.707] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="desktop.ini") returned 1 [0075.707] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0075.707] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="RECYCLER") returned -1 [0075.707] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0075.707] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="bootmgr") returned 1 [0075.707] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="programdata") returned -1 [0075.707] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="appdata") returned 1 [0075.707] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="program files") returned -1 [0075.707] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="program files (x86)") returned -1 [0075.707] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="microsoft") returned 1 [0075.707] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="sophos") returned -1 [0075.707] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0075.707] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0075.707] PathFindExtensionW (pszPath="Microsoft-Windows-CodeIntegrity%4Operational.evtx") returned=".evtx" [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0075.707] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0075.708] lstrcmpiW (lpString1="Microsoft-Windows-CodeIntegrity%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0075.708] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0075.708] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0075.708] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0075.708] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0075.708] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0075.708] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0075.708] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0075.708] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0075.708] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0075.708] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0075.709] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0075.710] GetTickCount () returned 0x11543eb [0075.710] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0075.710] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0075.710] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.710] SetLastError (dwErrCode=0x0) [0075.710] WriteFile (in: hFile=0x260, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.711] GetLastError () returned 0x0 [0075.711] GetLastError () returned 0x0 [0075.711] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.711] WriteFile (in: hFile=0x260, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.712] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.712] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x281ec6dd, dwHighDateTime=0x1d5f971)) [0075.712] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0075.712] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0075.712] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0075.712] GetProcessHeap () returned 0xbc0000 [0075.712] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0075.712] GetSystemDefaultLangID () returned 0xbd0409 [0075.712] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.712] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0075.826] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.827] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0075.827] GetProcessHeap () returned 0xbc0000 [0075.827] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0075.827] CloseHandle (hObject=0x260) returned 1 [0075.829] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0075.829] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0075.829] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0075.829] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0075.829] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0075.829] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-CodeIntegrity%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-codeintegrity%4operational.evtx.nefilim")) returned 1 [0075.830] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0075.830] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0075.830] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3c71c5, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3c71c5, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", cAlternateFileName="MI5CA2~1.EVT")) returned 1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2=".") returned 1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="..") returned 1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="...") returned 1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="windows") returned -1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="rsa") returned -1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="ntldr") returned -1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="IO.SYS") returned 1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="boot.ini") returned 1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="desktop.ini") returned 1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="RECYCLER") returned -1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="bootmgr") returned 1 [0075.830] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="programdata") returned -1 [0075.831] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="appdata") returned 1 [0075.831] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="program files") returned -1 [0075.831] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="program files (x86)") returned -1 [0075.831] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="microsoft") returned 1 [0075.831] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="sophos") returned -1 [0075.831] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x2681278 [0075.831] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0075.831] PathFindExtensionW (pszPath="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx") returned=".evtx" [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0075.831] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0075.831] lstrcmpiW (lpString1="Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0075.831] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x26804b8 [0075.831] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0075.831] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0075.831] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0075.831] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0075.832] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0075.832] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0075.832] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0075.832] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0075.832] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0075.832] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0075.832] GetTickCount () returned 0x1154468 [0075.832] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0075.832] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0075.832] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.832] SetLastError (dwErrCode=0x0) [0075.832] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.833] GetLastError () returned 0x0 [0075.833] GetLastError () returned 0x0 [0075.833] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.833] WriteFile (in: hFile=0x260, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.833] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.833] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2831d8a6, dwHighDateTime=0x1d5f971)) [0075.834] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0075.834] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0075.834] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0075.834] GetProcessHeap () returned 0xbc0000 [0075.834] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0075.834] GetSystemDefaultLangID () returned 0xbd0409 [0075.834] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.834] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0075.897] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.897] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0075.898] GetProcessHeap () returned 0xbc0000 [0075.898] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0075.898] CloseHandle (hObject=0x260) returned 1 [0075.903] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0075.903] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0075.903] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0075.903] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0075.903] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268bd90 [0075.903] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-coresystem-smsrouter-events%4operational.evtx.nefilim")) returned 1 [0075.904] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0075.904] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0075.904] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", cAlternateFileName="MI5FD1~1.EVT")) returned 1 [0075.904] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2=".") returned 1 [0075.904] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="..") returned 1 [0075.904] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="...") returned 1 [0075.904] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="windows") returned -1 [0075.904] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="$RECYCLE.BIN") returned 1 [0075.904] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="rsa") returned -1 [0075.904] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="NTDETECT.COM") returned -1 [0075.904] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="ntldr") returned -1 [0075.904] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="MSDOS.SYS") returned -1 [0075.904] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="IO.SYS") returned 1 [0075.904] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="boot.ini") returned 1 [0075.904] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0075.905] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="ntuser.dat") returned -1 [0075.905] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="desktop.ini") returned 1 [0075.905] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="CONFIG.SYS") returned 1 [0075.905] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="RECYCLER") returned -1 [0075.905] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="BOOTSECT.BAK") returned 1 [0075.905] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="bootmgr") returned 1 [0075.905] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="programdata") returned -1 [0075.905] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="appdata") returned 1 [0075.905] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="program files") returned -1 [0075.905] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="program files (x86)") returned -1 [0075.905] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="microsoft") returned 1 [0075.905] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="sophos") returned -1 [0075.905] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0075.905] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0075.905] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx") returned=".evtx" [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0075.905] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0075.905] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0075.905] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0075.905] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0075.906] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0075.906] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0075.906] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0075.906] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0075.906] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0075.906] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0075.906] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0075.906] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0075.907] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0075.908] GetTickCount () returned 0x11544a6 [0075.908] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0075.908] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0075.908] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.908] SetLastError (dwErrCode=0x0) [0075.908] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.909] GetLastError () returned 0x0 [0075.909] GetLastError () returned 0x0 [0075.909] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.909] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.910] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.910] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x283b61f3, dwHighDateTime=0x1d5f971)) [0075.910] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0075.910] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0075.910] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0075.910] GetProcessHeap () returned 0xbc0000 [0075.910] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0075.910] GetSystemDefaultLangID () returned 0xbd0409 [0075.910] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.910] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0075.916] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.916] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0075.916] GetProcessHeap () returned 0xbc0000 [0075.916] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0075.916] CloseHandle (hObject=0x260) returned 1 [0075.918] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0075.918] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0075.918] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0075.918] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0075.918] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0075.918] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4backupkeysvc.evtx.nefilim")) returned 1 [0075.919] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0075.919] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0075.919] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", cAlternateFileName="MI8BDF~1.EVT")) returned 1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2=".") returned 1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="..") returned 1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="...") returned 1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="windows") returned -1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="rsa") returned -1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="ntldr") returned -1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="IO.SYS") returned 1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="boot.ini") returned 1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="desktop.ini") returned 1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="RECYCLER") returned -1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="bootmgr") returned 1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="programdata") returned -1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="appdata") returned 1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="program files") returned -1 [0075.919] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="program files (x86)") returned -1 [0075.920] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="microsoft") returned 1 [0075.920] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="sophos") returned -1 [0075.920] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0075.920] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0075.920] PathFindExtensionW (pszPath="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx") returned=".evtx" [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0075.920] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0075.920] lstrcmpiW (lpString1="Microsoft-Windows-Crypto-DPAPI%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0075.920] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0075.920] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0075.921] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0075.921] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0075.921] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0075.921] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0075.921] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0075.921] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0075.921] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0075.921] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0075.921] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0075.923] GetTickCount () returned 0x11544b6 [0075.923] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0075.923] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0075.923] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.923] SetLastError (dwErrCode=0x0) [0075.923] WriteFile (in: hFile=0x260, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.924] GetLastError () returned 0x0 [0075.924] GetLastError () returned 0x0 [0075.924] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.924] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.924] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.924] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x283dc722, dwHighDateTime=0x1d5f971)) [0075.924] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0075.924] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0075.924] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0075.924] GetProcessHeap () returned 0xbc0000 [0075.924] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0075.925] GetSystemDefaultLangID () returned 0xbd0409 [0075.925] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.925] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0075.931] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.932] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0075.932] GetProcessHeap () returned 0xbc0000 [0075.932] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0075.932] CloseHandle (hObject=0x260) returned 1 [0075.934] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0075.934] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0075.934] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0075.934] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0075.934] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0075.935] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-crypto-dpapi%4operational.evtx.nefilim")) returned 1 [0075.935] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0075.935] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0075.935] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8c3ed420, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x8c3ed420, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", cAlternateFileName="MIAEBD~1.EVT")) returned 1 [0075.935] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2=".") returned 1 [0075.935] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="..") returned 1 [0075.935] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="...") returned 1 [0075.935] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="windows") returned -1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="rsa") returned -1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="ntldr") returned -1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="IO.SYS") returned 1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="boot.ini") returned 1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="desktop.ini") returned 1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="RECYCLER") returned -1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="bootmgr") returned 1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="programdata") returned -1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="appdata") returned 1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="program files") returned -1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="program files (x86)") returned -1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="microsoft") returned 1 [0075.936] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="sophos") returned -1 [0075.936] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x26804b8 [0075.936] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0075.936] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx") returned=".evtx" [0075.936] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0075.936] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0075.936] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0075.936] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0075.937] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0075.937] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0075.937] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0075.937] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0075.937] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0075.937] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0075.937] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0075.937] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0075.937] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0075.937] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0075.937] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0075.937] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0075.937] lstrcmpiW (lpString1="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0075.937] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268bd90 [0075.937] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0075.937] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=1052672) returned 1 [0075.937] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0075.937] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0075.937] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0075.937] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0075.938] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0075.938] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0075.938] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0075.939] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0075.941] GetTickCount () returned 0x11544c6 [0075.941] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2680570 [0075.941] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680570 | out: hHeap=0x2680000) returned 1 [0075.941] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.941] SetLastError (dwErrCode=0x0) [0075.941] WriteFile (in: hFile=0x260, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.983] GetLastError () returned 0x0 [0075.983] GetLastError () returned 0x0 [0075.983] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.983] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0075.983] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.983] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x28474fd9, dwHighDateTime=0x1d5f971)) [0075.984] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0075.984] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0075.984] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0075.984] GetProcessHeap () returned 0xbc0000 [0075.984] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x101000) returned 0x2ad8020 [0075.987] GetSystemDefaultLangID () returned 0xbd0409 [0075.987] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0075.987] ReadFile (in: hFile=0x260, lpBuffer=0x2ad8020, nNumberOfBytesToRead=0x101000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0x2ad8020*, lpNumberOfBytesRead=0x25bf15c*=0x101000, lpOverlapped=0x0) returned 1 [0076.099] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.099] WriteFile (in: hFile=0x260, lpBuffer=0x2ad8020*, nNumberOfBytesToWrite=0x101000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2ad8020*, lpNumberOfBytesWritten=0x25bf150*=0x101000, lpOverlapped=0x0) returned 1 [0076.102] GetProcessHeap () returned 0xbc0000 [0076.102] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0x2ad8020 | out: hHeap=0xbc0000) returned 1 [0076.108] CloseHandle (hObject=0x260) returned 1 [0076.179] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0076.179] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0076.179] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0076.179] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0076.179] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e2e8 [0076.179] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-devicemanagement-enterprise-diagnostics-provider%4admin.evtx.nefilim")) returned 1 [0076.180] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0076.180] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0076.180] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cef47f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cef47f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", cAlternateFileName="MIA726~1.EVT")) returned 1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2=".") returned 1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="..") returned 1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="...") returned 1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="windows") returned -1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="rsa") returned -1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="ntldr") returned -1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="IO.SYS") returned 1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="boot.ini") returned 1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="desktop.ini") returned 1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="RECYCLER") returned -1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="bootmgr") returned 1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="programdata") returned -1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="appdata") returned 1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="program files") returned -1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="program files (x86)") returned -1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="microsoft") returned 1 [0076.180] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="sophos") returned -1 [0076.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0076.181] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0076.181] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Admin.evtx") returned=".evtx" [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0076.181] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0076.181] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0076.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0076.181] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0076.181] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0076.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0076.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0076.181] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0076.181] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0076.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0076.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0076.182] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0076.182] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0076.183] GetTickCount () returned 0x11545c0 [0076.183] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0076.183] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.183] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.183] SetLastError (dwErrCode=0x0) [0076.183] WriteFile (in: hFile=0x260, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.184] GetLastError () returned 0x0 [0076.184] GetLastError () returned 0x0 [0076.184] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.184] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.184] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.184] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2866c47d, dwHighDateTime=0x1d5f971)) [0076.184] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0076.184] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.184] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0076.184] GetProcessHeap () returned 0xbc0000 [0076.185] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0076.185] GetSystemDefaultLangID () returned 0xbd0409 [0076.185] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.185] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0076.190] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.190] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0076.191] GetProcessHeap () returned 0xbc0000 [0076.191] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0076.191] CloseHandle (hObject=0x260) returned 1 [0076.193] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0076.193] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0076.193] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0076.193] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0076.193] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0076.193] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4admin.evtx.nefilim")) returned 1 [0076.193] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0076.193] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0076.193] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50cc9231, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50cc9231, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", cAlternateFileName="MI08CB~1.EVT")) returned 1 [0076.193] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2=".") returned 1 [0076.193] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="..") returned 1 [0076.193] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="...") returned 1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="windows") returned -1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="rsa") returned -1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="ntldr") returned -1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="IO.SYS") returned 1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="boot.ini") returned 1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="desktop.ini") returned 1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="RECYCLER") returned -1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="bootmgr") returned 1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="programdata") returned -1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="appdata") returned 1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="program files") returned -1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="program files (x86)") returned -1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="microsoft") returned 1 [0076.194] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="sophos") returned -1 [0076.194] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0076.194] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0076.194] PathFindExtensionW (pszPath="Microsoft-Windows-DeviceSetupManager%4Operational.evtx") returned=".evtx" [0076.194] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0076.194] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0076.194] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0076.194] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0076.194] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0076.194] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0076.194] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0076.194] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0076.194] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0076.194] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0076.195] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0076.195] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0076.195] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0076.195] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0076.195] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0076.195] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0076.195] lstrcmpiW (lpString1="Microsoft-Windows-DeviceSetupManager%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0076.195] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0076.195] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0076.195] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0076.195] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0076.195] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0076.195] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0076.195] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0076.195] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0076.195] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0076.195] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0076.196] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0076.198] GetTickCount () returned 0x11545cf [0076.198] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0076.198] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.198] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.198] SetLastError (dwErrCode=0x0) [0076.198] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.199] GetLastError () returned 0x0 [0076.199] GetLastError () returned 0x0 [0076.199] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.199] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.199] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.199] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2868aeca, dwHighDateTime=0x1d5f971)) [0076.199] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0076.199] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.199] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0076.199] GetProcessHeap () returned 0xbc0000 [0076.199] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0076.199] GetSystemDefaultLangID () returned 0xbd0409 [0076.199] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.199] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0076.242] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.242] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0076.243] GetProcessHeap () returned 0xbc0000 [0076.243] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0076.243] CloseHandle (hObject=0x260) returned 1 [0076.245] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0076.245] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0076.245] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0076.245] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0076.245] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0076.245] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-devicesetupmanager%4operational.evtx.nefilim")) returned 1 [0076.246] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0076.246] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0076.246] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc967f17e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc967f17e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Dhcp-Client%4Admin.evtx", cAlternateFileName="MI8270~1.EVT")) returned 1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2=".") returned 1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="..") returned 1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="...") returned 1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="windows") returned -1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="rsa") returned -1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="ntldr") returned -1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="IO.SYS") returned 1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="boot.ini") returned 1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="desktop.ini") returned 1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="RECYCLER") returned -1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="bootmgr") returned 1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="programdata") returned -1 [0076.246] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="appdata") returned 1 [0076.247] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="program files") returned -1 [0076.247] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="program files (x86)") returned -1 [0076.247] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="microsoft") returned 1 [0076.247] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="sophos") returned -1 [0076.247] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0076.247] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0076.247] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcp-Client%4Admin.evtx") returned=".evtx" [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0076.247] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0076.247] lstrcmpiW (lpString1="Microsoft-Windows-Dhcp-Client%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0076.247] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0076.247] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0076.247] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0076.248] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0076.248] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0076.248] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0076.248] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0076.248] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0076.248] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0076.248] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0076.248] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0076.249] GetTickCount () returned 0x11545fe [0076.249] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0076.249] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.249] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.249] SetLastError (dwErrCode=0x0) [0076.249] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.250] GetLastError () returned 0x0 [0076.250] GetLastError () returned 0x0 [0076.250] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.250] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.250] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.250] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x286fd722, dwHighDateTime=0x1d5f971)) [0076.250] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0076.250] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.251] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0076.251] GetProcessHeap () returned 0xbc0000 [0076.251] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0076.251] GetSystemDefaultLangID () returned 0xbd0409 [0076.251] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.252] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0076.257] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.257] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0076.257] GetProcessHeap () returned 0xbc0000 [0076.257] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0076.257] CloseHandle (hObject=0x260) returned 1 [0076.259] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0076.259] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0076.259] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0076.259] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0076.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0076.259] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Dhcp-Client%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-dhcp-client%4admin.evtx.nefilim")) returned 1 [0076.260] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0076.260] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0076.260] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc96cb64b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc96cb64b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", cAlternateFileName="MIEBFF~1.EVT")) returned 1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2=".") returned 1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="..") returned 1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="...") returned 1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="windows") returned -1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="rsa") returned -1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="ntldr") returned -1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="IO.SYS") returned 1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="boot.ini") returned 1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="desktop.ini") returned 1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="RECYCLER") returned -1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="bootmgr") returned 1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="programdata") returned -1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="appdata") returned 1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="program files") returned -1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="program files (x86)") returned -1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="microsoft") returned 1 [0076.260] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="sophos") returned -1 [0076.260] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0076.260] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0076.260] PathFindExtensionW (pszPath="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx") returned=".evtx" [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0076.261] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0076.261] lstrcmpiW (lpString1="Microsoft-Windows-Dhcpv6-Client%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0076.261] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0076.261] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0076.261] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0076.261] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0076.261] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df40 [0076.261] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0076.261] SystemFunction036 (in: RandomBuffer=0x268df40, RandomBufferLength=0x10 | out: RandomBuffer=0x268df40) returned 1 [0076.261] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0076.261] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0076.262] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0076.263] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0076.265] GetTickCount () returned 0x115460e [0076.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0076.265] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.265] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.265] SetLastError (dwErrCode=0x0) [0076.265] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.266] GetLastError () returned 0x0 [0076.266] GetLastError () returned 0x0 [0076.266] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.266] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.266] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.266] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x287237d6, dwHighDateTime=0x1d5f971)) [0076.266] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0076.266] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.266] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0076.266] GetProcessHeap () returned 0xbc0000 [0076.266] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0076.267] GetSystemDefaultLangID () returned 0xbd0409 [0076.267] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.267] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0076.272] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.272] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0076.273] GetProcessHeap () returned 0xbc0000 [0076.273] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0076.273] CloseHandle (hObject=0x260) returned 1 [0076.275] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0076.275] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0076.275] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0076.275] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df40 | out: hHeap=0x2680000) returned 1 [0076.275] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0076.275] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-dhcpv6-client%4admin.evtx.nefilim")) returned 1 [0076.275] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0076.275] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0076.275] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca64aa7b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca64aa7b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", cAlternateFileName="MI9F85~1.EVT")) returned 1 [0076.275] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2=".") returned 1 [0076.275] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="..") returned 1 [0076.275] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="...") returned 1 [0076.275] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="windows") returned -1 [0076.275] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0076.275] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="rsa") returned -1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="ntldr") returned -1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="IO.SYS") returned 1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="boot.ini") returned 1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="desktop.ini") returned 1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="RECYCLER") returned -1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="bootmgr") returned 1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="programdata") returned -1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="appdata") returned 1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="program files") returned -1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="program files (x86)") returned -1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="microsoft") returned 1 [0076.276] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="sophos") returned -1 [0076.276] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0076.276] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0076.276] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx") returned=".evtx" [0076.276] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0076.276] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0076.276] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0076.276] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0076.276] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0076.276] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0076.276] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0076.276] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0076.276] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0076.276] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0076.276] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0076.276] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0076.277] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0076.277] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0076.277] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0076.277] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0076.277] lstrcmpiW (lpString1="Microsoft-Windows-Diagnosis-DPS%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0076.277] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0076.277] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0076.317] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0076.318] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0076.318] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0076.318] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0076.318] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0076.318] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0076.318] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0076.318] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0076.319] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0076.321] GetTickCount () returned 0x115464c [0076.321] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0076.321] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.321] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.321] SetLastError (dwErrCode=0x0) [0076.321] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.322] GetLastError () returned 0x0 [0076.322] GetLastError () returned 0x0 [0076.322] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.322] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.322] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.322] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x287bc4a2, dwHighDateTime=0x1d5f971)) [0076.322] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0076.322] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.322] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0076.322] GetProcessHeap () returned 0xbc0000 [0076.322] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0076.323] GetSystemDefaultLangID () returned 0xbd0409 [0076.323] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.323] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0076.328] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.328] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0076.329] GetProcessHeap () returned 0xbc0000 [0076.329] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0076.329] CloseHandle (hObject=0x260) returned 1 [0076.331] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0076.331] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0076.331] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0076.331] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0076.331] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0076.331] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-diagnosis-dps%4operational.evtx.nefilim")) returned 1 [0076.331] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0076.331] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0076.331] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd9ec80, ftCreationTime.dwHighDateTime=0x1d1a04f, ftLastAccessTime.dwLowDateTime=0xfd9ec80, ftLastAccessTime.dwHighDateTime=0x1d1a04f, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", cAlternateFileName="MIBE3D~1.EVT")) returned 1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2=".") returned 1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="..") returned 1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="...") returned 1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="windows") returned -1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="rsa") returned -1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="ntldr") returned -1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="IO.SYS") returned 1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="boot.ini") returned 1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="desktop.ini") returned 1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="RECYCLER") returned -1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="bootmgr") returned 1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="programdata") returned -1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="appdata") returned 1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="program files") returned -1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="program files (x86)") returned -1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="microsoft") returned 1 [0076.332] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="sophos") returned -1 [0076.332] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x26804b8 [0076.332] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0076.333] PathFindExtensionW (pszPath="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx") returned=".evtx" [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0076.333] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0076.333] lstrcmpiW (lpString1="Microsoft-Windows-Diagnostics-Performance%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0076.333] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x2681278 [0076.333] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0076.333] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0076.333] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0076.333] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e198 [0076.333] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0076.333] SystemFunction036 (in: RandomBuffer=0x268e198, RandomBufferLength=0x10 | out: RandomBuffer=0x268e198) returned 1 [0076.333] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0076.333] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0076.333] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0076.335] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0076.336] GetTickCount () returned 0x115465c [0076.336] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0076.336] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.336] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.336] SetLastError (dwErrCode=0x0) [0076.336] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.338] GetLastError () returned 0x0 [0076.338] GetLastError () returned 0x0 [0076.339] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.339] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.339] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.339] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x287e24c0, dwHighDateTime=0x1d5f971)) [0076.339] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0076.339] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.339] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0076.339] GetProcessHeap () returned 0xbc0000 [0076.339] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0076.339] GetSystemDefaultLangID () returned 0xbd0409 [0076.339] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.339] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0076.344] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.344] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0076.344] GetProcessHeap () returned 0xbc0000 [0076.344] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0076.344] CloseHandle (hObject=0x260) returned 1 [0076.347] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0076.347] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0076.347] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0076.347] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e198 | out: hHeap=0x2680000) returned 1 [0076.347] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268bd90 [0076.347] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-diagnostics-performance%4operational.evtx.nefilim")) returned 1 [0076.348] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0076.348] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0076.348] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9658ef3, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9658ef3, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-GroupPolicy%4Operational.evtx", cAlternateFileName="MIE38D~1.EVT")) returned 1 [0076.348] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2=".") returned 1 [0076.348] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="..") returned 1 [0076.348] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="...") returned 1 [0076.348] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="windows") returned -1 [0076.348] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0076.348] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="rsa") returned -1 [0076.348] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0076.348] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="ntldr") returned -1 [0076.348] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="IO.SYS") returned 1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="boot.ini") returned 1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="desktop.ini") returned 1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="RECYCLER") returned -1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="bootmgr") returned 1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="programdata") returned -1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="appdata") returned 1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="program files") returned -1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="program files (x86)") returned -1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="microsoft") returned 1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="sophos") returned -1 [0076.349] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0076.349] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0076.349] PathFindExtensionW (pszPath="Microsoft-Windows-GroupPolicy%4Operational.evtx") returned=".evtx" [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0076.349] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0076.349] lstrcmpiW (lpString1="Microsoft-Windows-GroupPolicy%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0076.349] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0076.350] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0076.350] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0076.350] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0076.350] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0076.350] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0076.350] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0076.350] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0076.350] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0076.350] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0076.350] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0076.350] GetTickCount () returned 0x115466c [0076.350] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0076.350] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.351] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.351] SetLastError (dwErrCode=0x0) [0076.351] WriteFile (in: hFile=0x260, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.352] GetLastError () returned 0x0 [0076.352] GetLastError () returned 0x0 [0076.352] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.352] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.352] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.352] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2880876e, dwHighDateTime=0x1d5f971)) [0076.352] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0076.352] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.352] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0076.352] GetProcessHeap () returned 0xbc0000 [0076.352] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0076.352] GetSystemDefaultLangID () returned 0xbd0409 [0076.352] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.352] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0076.548] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.548] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0076.549] GetProcessHeap () returned 0xbc0000 [0076.549] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0076.549] CloseHandle (hObject=0x260) returned 1 [0076.552] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0076.552] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0076.552] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0076.552] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0076.552] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0076.552] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-GroupPolicy%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-grouppolicy%4operational.evtx.nefilim")) returned 1 [0076.552] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0076.552] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0076.552] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9dcc480, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9dcc480, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-HotspotAuth%4Operational.evtx", cAlternateFileName="MIE386~1.EVT")) returned 1 [0076.552] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2=".") returned 1 [0076.552] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="..") returned 1 [0076.552] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="...") returned 1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="windows") returned -1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="rsa") returned -1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="ntldr") returned -1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="IO.SYS") returned 1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="boot.ini") returned 1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="desktop.ini") returned 1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="RECYCLER") returned -1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="bootmgr") returned 1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="programdata") returned -1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="appdata") returned 1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="program files") returned -1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="program files (x86)") returned -1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="microsoft") returned 1 [0076.553] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="sophos") returned -1 [0076.553] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0076.553] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0076.553] PathFindExtensionW (pszPath="Microsoft-Windows-HotspotAuth%4Operational.evtx") returned=".evtx" [0076.553] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0076.553] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0076.553] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0076.553] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0076.553] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0076.553] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0076.553] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0076.553] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0076.553] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0076.553] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0076.553] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0076.553] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0076.554] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0076.554] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0076.554] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0076.554] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0076.554] lstrcmpiW (lpString1="Microsoft-Windows-HotspotAuth%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0076.554] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0076.554] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0076.555] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0076.555] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0076.555] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0076.555] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0076.555] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0076.555] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0076.555] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0076.555] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0076.556] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0076.557] GetTickCount () returned 0x1154737 [0076.557] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0076.557] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.557] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.557] SetLastError (dwErrCode=0x0) [0076.557] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.558] GetLastError () returned 0x0 [0076.558] GetLastError () returned 0x0 [0076.558] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.558] WriteFile (in: hFile=0x260, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.559] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.559] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x289f8b7b, dwHighDateTime=0x1d5f971)) [0076.559] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0076.559] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.559] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0076.559] GetProcessHeap () returned 0xbc0000 [0076.559] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0076.559] GetSystemDefaultLangID () returned 0xbd0409 [0076.559] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.559] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0076.564] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.564] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0076.564] GetProcessHeap () returned 0xbc0000 [0076.564] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0076.564] CloseHandle (hObject=0x260) returned 1 [0076.566] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0076.566] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0076.566] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0076.566] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0076.566] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0076.566] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-HotspotAuth%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-hotspotauth%4operational.evtx.nefilim")) returned 1 [0076.567] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0076.567] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0076.567] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b4bacf, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b4bacf, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", cAlternateFileName="MI6B25~1.EVT")) returned 1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2=".") returned 1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="..") returned 1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="...") returned 1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="windows") returned -1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="rsa") returned -1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="ntldr") returned -1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="IO.SYS") returned 1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="boot.ini") returned 1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="desktop.ini") returned 1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="RECYCLER") returned -1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="bootmgr") returned 1 [0076.567] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="programdata") returned -1 [0076.568] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="appdata") returned 1 [0076.568] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="program files") returned -1 [0076.568] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="program files (x86)") returned -1 [0076.568] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="microsoft") returned 1 [0076.568] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="sophos") returned -1 [0076.568] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0076.568] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0076.568] PathFindExtensionW (pszPath="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx") returned=".evtx" [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0076.568] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0076.568] lstrcmpiW (lpString1="Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0076.568] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0076.568] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0076.568] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0076.568] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0076.569] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0076.569] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0076.569] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0076.569] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0076.569] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0076.569] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0076.569] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0076.570] GetTickCount () returned 0x1154746 [0076.570] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0076.570] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.570] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.570] SetLastError (dwErrCode=0x0) [0076.570] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.571] GetLastError () returned 0x0 [0076.571] GetLastError () returned 0x0 [0076.571] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.571] WriteFile (in: hFile=0x260, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.571] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.571] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x28a1e707, dwHighDateTime=0x1d5f971)) [0076.571] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0076.571] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.572] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0076.572] GetProcessHeap () returned 0xbc0000 [0076.572] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0076.572] GetSystemDefaultLangID () returned 0xbd0409 [0076.572] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.572] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0076.577] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.578] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0076.578] GetProcessHeap () returned 0xbc0000 [0076.578] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0076.578] CloseHandle (hObject=0x260) returned 1 [0076.580] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0076.580] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0076.580] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0076.580] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0076.580] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0076.580] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-hyper-v-guest-drivers%4admin.evtx.nefilim")) returned 1 [0076.580] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0076.580] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0076.580] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb66288f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb66288f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-International%4Operational.evtx", cAlternateFileName="MI854A~1.EVT")) returned 1 [0076.580] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2=".") returned 1 [0076.580] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="..") returned 1 [0076.580] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="...") returned 1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="windows") returned -1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="rsa") returned -1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="ntldr") returned -1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="IO.SYS") returned 1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="boot.ini") returned 1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="desktop.ini") returned 1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="RECYCLER") returned -1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="bootmgr") returned 1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="programdata") returned -1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="appdata") returned 1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="program files") returned -1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="program files (x86)") returned -1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="microsoft") returned 1 [0076.581] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="sophos") returned -1 [0076.581] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0076.581] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0076.581] PathFindExtensionW (pszPath="Microsoft-Windows-International%4Operational.evtx") returned=".evtx" [0076.581] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0076.581] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0076.581] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0076.581] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0076.581] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0076.581] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0076.581] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0076.581] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0076.581] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0076.581] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0076.581] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0076.581] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0076.581] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0076.582] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0076.582] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0076.582] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0076.582] lstrcmpiW (lpString1="Microsoft-Windows-International%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0076.582] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0076.582] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0076.633] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0076.633] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0076.633] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0076.633] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0076.633] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0076.633] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0076.634] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0076.634] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0076.635] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0076.636] GetTickCount () returned 0x1154785 [0076.636] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0076.636] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.636] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.636] SetLastError (dwErrCode=0x0) [0076.636] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.637] GetLastError () returned 0x0 [0076.637] GetLastError () returned 0x0 [0076.637] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.637] WriteFile (in: hFile=0x260, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.637] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.638] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x28ab6f92, dwHighDateTime=0x1d5f971)) [0076.638] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0076.638] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.638] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0076.638] GetProcessHeap () returned 0xbc0000 [0076.638] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0076.638] GetSystemDefaultLangID () returned 0xbd0409 [0076.638] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.638] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0076.642] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.643] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0076.643] GetProcessHeap () returned 0xbc0000 [0076.643] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0076.643] CloseHandle (hObject=0x260) returned 1 [0076.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0076.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0076.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0076.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0076.645] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0076.645] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-International%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-international%4operational.evtx.nefilim")) returned 1 [0076.646] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0076.646] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0076.646] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x506ad1ac, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x506ad1ac, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-Boot%4Operational.evtx", cAlternateFileName="MI32CE~1.EVT")) returned 1 [0076.646] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2=".") returned 1 [0076.646] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="..") returned 1 [0076.646] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="...") returned 1 [0076.646] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="windows") returned -1 [0076.646] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0076.646] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="rsa") returned -1 [0076.646] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0076.646] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="ntldr") returned -1 [0076.646] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0076.646] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="IO.SYS") returned 1 [0076.647] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="boot.ini") returned 1 [0076.647] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0076.647] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0076.647] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="desktop.ini") returned 1 [0076.647] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0076.647] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="RECYCLER") returned -1 [0076.647] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0076.647] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="bootmgr") returned 1 [0076.647] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="programdata") returned -1 [0076.647] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="appdata") returned 1 [0076.647] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="program files") returned -1 [0076.647] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="program files (x86)") returned -1 [0076.647] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="microsoft") returned 1 [0076.647] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="sophos") returned -1 [0076.647] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0076.647] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0076.647] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Boot%4Operational.evtx") returned=".evtx" [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0076.647] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0076.647] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Boot%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0076.647] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0076.648] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0076.648] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0076.648] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0076.648] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0076.648] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0076.648] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0076.648] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0076.648] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0076.648] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0076.649] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0076.650] GetTickCount () returned 0x1154794 [0076.650] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0076.650] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.650] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.650] SetLastError (dwErrCode=0x0) [0076.650] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.651] GetLastError () returned 0x0 [0076.651] GetLastError () returned 0x0 [0076.651] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.651] WriteFile (in: hFile=0x260, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.652] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.652] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x28adf311, dwHighDateTime=0x1d5f971)) [0076.652] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0076.652] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.652] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0076.652] GetProcessHeap () returned 0xbc0000 [0076.652] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0076.652] GetSystemDefaultLangID () returned 0xbd0409 [0076.652] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.652] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0076.657] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.657] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0076.657] GetProcessHeap () returned 0xbc0000 [0076.657] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0076.657] CloseHandle (hObject=0x260) returned 1 [0076.659] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0076.659] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0076.659] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0076.659] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0076.659] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0076.659] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-Boot%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-boot%4operational.evtx.nefilim")) returned 1 [0076.660] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0076.660] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0076.660] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ca2fbd, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ca2fbd, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", cAlternateFileName="MIA934~1.EVT")) returned 1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2=".") returned 1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="..") returned 1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="...") returned 1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="windows") returned -1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="rsa") returned -1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="ntldr") returned -1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="IO.SYS") returned 1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="boot.ini") returned 1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="desktop.ini") returned 1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="RECYCLER") returned -1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="bootmgr") returned 1 [0076.660] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="programdata") returned -1 [0076.661] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="appdata") returned 1 [0076.661] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="program files") returned -1 [0076.661] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="program files (x86)") returned -1 [0076.661] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="microsoft") returned 1 [0076.661] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="sophos") returned -1 [0076.661] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0076.661] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0076.661] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx") returned=".evtx" [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0076.661] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0076.661] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-EventTracing%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0076.661] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0076.661] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0076.661] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0076.661] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0076.661] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0076.661] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0076.662] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0076.662] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0076.662] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0076.662] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0076.662] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0076.663] GetTickCount () returned 0x11547a4 [0076.663] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0076.663] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.663] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.663] SetLastError (dwErrCode=0x0) [0076.663] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.664] GetLastError () returned 0x0 [0076.664] GetLastError () returned 0x0 [0076.664] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.664] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.665] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.665] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x28b035bb, dwHighDateTime=0x1d5f971)) [0076.665] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0076.665] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.665] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0076.665] GetProcessHeap () returned 0xbc0000 [0076.665] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0076.666] GetSystemDefaultLangID () returned 0xbd0409 [0076.666] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.666] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0076.725] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.725] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0076.726] GetProcessHeap () returned 0xbc0000 [0076.726] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0076.726] CloseHandle (hObject=0x260) returned 1 [0076.729] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0076.729] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0076.729] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0076.729] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0076.729] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0076.729] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-eventtracing%4admin.evtx.nefilim")) returned 1 [0076.730] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0076.730] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0076.730] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5071f8b0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5071f8b0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", cAlternateFileName="MIB32D~1.EVT")) returned 1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2=".") returned 1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="..") returned 1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="...") returned 1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="windows") returned -1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="$RECYCLE.BIN") returned 1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="rsa") returned -1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="NTDETECT.COM") returned -1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="ntldr") returned -1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="MSDOS.SYS") returned -1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="IO.SYS") returned 1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="boot.ini") returned 1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="ntuser.dat") returned -1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="desktop.ini") returned 1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="CONFIG.SYS") returned 1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="RECYCLER") returned -1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="BOOTSECT.BAK") returned 1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="bootmgr") returned 1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="programdata") returned -1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="appdata") returned 1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="program files") returned -1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="program files (x86)") returned -1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="microsoft") returned 1 [0076.730] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="sophos") returned -1 [0076.730] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0076.730] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0076.730] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-PnP%4Configuration.evtx") returned=".evtx" [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0076.731] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0076.731] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-PnP%4Configuration.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0076.731] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0076.731] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0076.731] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=1052672) returned 1 [0076.731] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0076.731] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0076.731] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0076.731] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0076.731] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0076.731] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0076.731] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0076.733] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0076.734] GetTickCount () returned 0x11547e3 [0076.734] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0076.734] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.734] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.734] SetLastError (dwErrCode=0x0) [0076.734] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.735] GetLastError () returned 0x0 [0076.735] GetLastError () returned 0x0 [0076.735] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.735] WriteFile (in: hFile=0x260, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.735] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.735] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x28b9bebe, dwHighDateTime=0x1d5f971)) [0076.735] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0076.735] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.735] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0076.735] GetProcessHeap () returned 0xbc0000 [0076.735] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x101000) returned 0x2ad8020 [0076.739] GetSystemDefaultLangID () returned 0xbd0409 [0076.739] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.739] ReadFile (in: hFile=0x260, lpBuffer=0x2ad8020, nNumberOfBytesToRead=0x101000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0x2ad8020*, lpNumberOfBytesRead=0x25bf15c*=0x101000, lpOverlapped=0x0) returned 1 [0076.947] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.947] WriteFile (in: hFile=0x260, lpBuffer=0x2ad8020*, nNumberOfBytesToWrite=0x101000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2ad8020*, lpNumberOfBytesWritten=0x25bf150*=0x101000, lpOverlapped=0x0) returned 1 [0076.951] GetProcessHeap () returned 0xbc0000 [0076.951] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0x2ad8020 | out: hHeap=0xbc0000) returned 1 [0076.957] CloseHandle (hObject=0x260) returned 1 [0076.976] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0076.976] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0076.976] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0076.976] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0076.976] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0076.976] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-PnP%4Configuration.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-pnp%4configuration.evtx.nefilim")) returned 1 [0076.977] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0076.977] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0076.977] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc8ebf6d7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc8ebf6d7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", cAlternateFileName="MICA77~1.EVT")) returned 1 [0076.977] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2=".") returned 1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="..") returned 1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="...") returned 1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="windows") returned -1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="rsa") returned -1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="ntldr") returned -1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="IO.SYS") returned 1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="boot.ini") returned 1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="ntuser.dat") returned -1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="desktop.ini") returned 1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="RECYCLER") returned -1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="bootmgr") returned 1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="programdata") returned -1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="appdata") returned 1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="program files") returned -1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="program files (x86)") returned -1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="microsoft") returned 1 [0076.978] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="sophos") returned -1 [0076.978] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x26804b8 [0076.978] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0076.978] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx") returned=".evtx" [0076.978] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0076.978] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0076.978] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0076.978] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0076.978] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0076.978] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0076.978] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0076.979] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0076.979] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0076.979] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0076.979] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0076.979] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0076.979] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0076.979] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0076.979] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0076.979] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0076.979] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0076.979] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x2681278 [0076.979] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0076.979] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0076.979] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0076.979] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0076.979] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0076.979] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0076.979] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0cd0 [0076.979] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0076.979] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0cd0*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0cd0*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0076.981] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0076.982] GetTickCount () returned 0x11548dd [0076.982] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0076.982] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.982] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.982] SetLastError (dwErrCode=0x0) [0076.982] WriteFile (in: hFile=0x260, lpBuffer=0x29d0cd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0cd0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.983] GetLastError () returned 0x0 [0076.983] GetLastError () returned 0x0 [0076.983] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.983] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0076.983] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.983] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x28e0464f, dwHighDateTime=0x1d5f971)) [0076.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0076.983] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0076.983] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0076.983] GetProcessHeap () returned 0xbc0000 [0076.983] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0076.983] GetSystemDefaultLangID () returned 0xbd0409 [0076.983] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0076.983] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.030] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.030] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.031] GetProcessHeap () returned 0xbc0000 [0077.031] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.031] CloseHandle (hObject=0x260) returned 1 [0077.033] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0cd0 | out: hHeap=0x2680000) returned 1 [0077.033] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0077.033] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.033] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0077.033] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268bd90 [0077.033] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-power%4thermal-operational.evtx.nefilim")) returned 1 [0077.034] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0077.034] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.034] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5090f75d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5090f75d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", cAlternateFileName="MI1E8D~1.EVT")) returned 1 [0077.034] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2=".") returned 1 [0077.034] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="..") returned 1 [0077.034] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="...") returned 1 [0077.034] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="windows") returned -1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="rsa") returned -1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="ntldr") returned -1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="IO.SYS") returned 1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="boot.ini") returned 1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="desktop.ini") returned 1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="RECYCLER") returned -1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="bootmgr") returned 1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="programdata") returned -1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="appdata") returned 1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="program files") returned -1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="program files (x86)") returned -1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="microsoft") returned 1 [0077.035] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="sophos") returned -1 [0077.035] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0077.035] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.035] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx") returned=".evtx" [0077.035] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.035] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.035] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.035] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.035] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.035] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.035] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.035] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.035] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.036] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.036] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.036] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.036] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.036] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.036] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.036] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.036] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.036] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0077.036] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.036] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.036] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.036] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0077.036] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.036] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0077.036] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0077.036] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0077.036] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.037] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.039] GetTickCount () returned 0x115491b [0077.039] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.039] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.039] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.039] SetLastError (dwErrCode=0x0) [0077.039] WriteFile (in: hFile=0x260, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.040] GetLastError () returned 0x0 [0077.040] GetLastError () returned 0x0 [0077.040] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.040] WriteFile (in: hFile=0x260, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.040] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.040] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x28e96e0f, dwHighDateTime=0x1d5f971)) [0077.040] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.040] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.040] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.040] GetProcessHeap () returned 0xbc0000 [0077.040] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.040] GetSystemDefaultLangID () returned 0xbd0409 [0077.040] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.040] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.045] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.045] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.045] GetProcessHeap () returned 0xbc0000 [0077.045] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.045] CloseHandle (hObject=0x260) returned 1 [0077.048] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0077.048] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0077.048] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.048] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0077.048] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0077.048] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-shimengine%4operational.evtx.nefilim")) returned 1 [0077.048] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0077.048] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.048] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd75102f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd75102f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", cAlternateFileName="MID067~1.EVT")) returned 1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2=".") returned 1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="..") returned 1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="...") returned 1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="windows") returned -1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="rsa") returned -1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="ntldr") returned -1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="IO.SYS") returned 1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="boot.ini") returned 1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="desktop.ini") returned 1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="RECYCLER") returned -1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="bootmgr") returned 1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="programdata") returned -1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="appdata") returned 1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="program files") returned -1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="program files (x86)") returned -1 [0077.049] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="microsoft") returned 1 [0077.050] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="sophos") returned -1 [0077.050] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0077.050] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.050] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx") returned=".evtx" [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.050] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.050] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.050] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0077.050] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.050] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.053] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.053] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0077.053] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.053] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0077.053] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0077.053] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0077.053] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.053] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.054] GetTickCount () returned 0x115492b [0077.054] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.054] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.054] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.054] SetLastError (dwErrCode=0x0) [0077.054] WriteFile (in: hFile=0x260, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.056] GetLastError () returned 0x0 [0077.056] GetLastError () returned 0x0 [0077.056] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.056] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.056] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.056] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x28ebd135, dwHighDateTime=0x1d5f971)) [0077.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.056] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.056] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.056] GetProcessHeap () returned 0xbc0000 [0077.056] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.057] GetSystemDefaultLangID () returned 0xbd0409 [0077.057] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.057] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.063] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.063] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.064] GetProcessHeap () returned 0xbc0000 [0077.064] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.064] CloseHandle (hObject=0x260) returned 1 [0077.066] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0077.066] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0077.066] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.066] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0077.066] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0077.108] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-storemgr%4operational.evtx.nefilim")) returned 1 [0077.109] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0077.109] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.109] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", cAlternateFileName="MIDE4D~1.EVT")) returned 1 [0077.109] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2=".") returned 1 [0077.109] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="..") returned 1 [0077.109] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="...") returned 1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="windows") returned -1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="rsa") returned -1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="NTDETECT.COM") returned -1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="ntldr") returned -1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="MSDOS.SYS") returned -1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="IO.SYS") returned 1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="boot.ini") returned 1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="ntuser.dat") returned -1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="desktop.ini") returned 1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="CONFIG.SYS") returned 1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="RECYCLER") returned -1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="bootmgr") returned 1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="programdata") returned -1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="appdata") returned 1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="program files") returned -1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="program files (x86)") returned -1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="microsoft") returned 1 [0077.110] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="sophos") returned -1 [0077.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0077.110] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.110] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Errors.evtx") returned=".evtx" [0077.110] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.110] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.110] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.111] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.111] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.111] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.111] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.111] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.111] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.111] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.111] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.111] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.111] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.111] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.111] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.111] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.111] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Errors.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.111] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0077.111] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.112] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.112] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0077.112] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.112] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0077.112] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.112] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0077.112] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0077.112] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.114] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.117] GetTickCount () returned 0x1154969 [0077.117] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.117] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.117] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.117] SetLastError (dwErrCode=0x0) [0077.117] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.118] GetLastError () returned 0x0 [0077.118] GetLastError () returned 0x0 [0077.118] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.118] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.118] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.118] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x28f558d2, dwHighDateTime=0x1d5f971)) [0077.118] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.118] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.118] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.119] GetProcessHeap () returned 0xbc0000 [0077.119] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.120] GetSystemDefaultLangID () returned 0xbd0409 [0077.120] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.120] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.126] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.126] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.126] GetProcessHeap () returned 0xbc0000 [0077.126] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.126] CloseHandle (hObject=0x260) returned 1 [0077.129] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0077.129] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0077.129] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0077.129] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.129] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0077.129] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4errors.evtx.nefilim")) returned 1 [0077.130] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0077.130] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.130] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50be4414, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50be4414, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", cAlternateFileName="MI36C5~1.EVT")) returned 1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2=".") returned 1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="..") returned 1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="...") returned 1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="windows") returned -1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="rsa") returned -1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="ntldr") returned -1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="IO.SYS") returned 1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="boot.ini") returned 1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="desktop.ini") returned 1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="RECYCLER") returned -1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="bootmgr") returned 1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="programdata") returned -1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="appdata") returned 1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="program files") returned -1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="program files (x86)") returned -1 [0077.130] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="microsoft") returned 1 [0077.131] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="sophos") returned -1 [0077.131] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0077.131] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.131] PathFindExtensionW (pszPath="Microsoft-Windows-Kernel-WHEA%4Operational.evtx") returned=".evtx" [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.131] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.131] lstrcmpiW (lpString1="Microsoft-Windows-Kernel-WHEA%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.131] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0077.131] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.135] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.135] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df40 [0077.135] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0077.135] SystemFunction036 (in: RandomBuffer=0x268df40, RandomBufferLength=0x10 | out: RandomBuffer=0x268df40) returned 1 [0077.135] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0077.135] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0077.135] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0077.135] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.136] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.138] GetTickCount () returned 0x1154979 [0077.138] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.138] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.138] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.138] SetLastError (dwErrCode=0x0) [0077.138] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.139] GetLastError () returned 0x0 [0077.139] GetLastError () returned 0x0 [0077.139] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.139] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.139] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.139] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x28f7bb7e, dwHighDateTime=0x1d5f971)) [0077.139] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.139] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.139] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.139] GetProcessHeap () returned 0xbc0000 [0077.140] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.140] GetSystemDefaultLangID () returned 0xbd0409 [0077.140] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.140] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.179] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.179] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.179] GetProcessHeap () returned 0xbc0000 [0077.179] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.179] CloseHandle (hObject=0x260) returned 1 [0077.181] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0077.181] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0077.181] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df40 | out: hHeap=0x2680000) returned 1 [0077.181] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0077.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0077.181] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-kernel-whea%4operational.evtx.nefilim")) returned 1 [0077.182] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.182] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0077.182] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59547c37, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x59547c37, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Known Folders API Service.evtx", cAlternateFileName="MI86D6~1.EVT")) returned 1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2=".") returned 1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="..") returned 1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="...") returned 1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="windows") returned -1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="rsa") returned -1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="NTDETECT.COM") returned -1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="ntldr") returned -1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="MSDOS.SYS") returned -1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="IO.SYS") returned 1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="boot.ini") returned 1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="ntuser.dat") returned -1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="desktop.ini") returned 1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="CONFIG.SYS") returned 1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="RECYCLER") returned -1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.182] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="bootmgr") returned 1 [0077.183] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="programdata") returned -1 [0077.183] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="appdata") returned 1 [0077.183] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="program files") returned -1 [0077.183] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="program files (x86)") returned -1 [0077.183] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="microsoft") returned 1 [0077.183] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="sophos") returned -1 [0077.183] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0077.183] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.183] PathFindExtensionW (pszPath="Microsoft-Windows-Known Folders API Service.evtx") returned=".evtx" [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.183] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.183] lstrcmpiW (lpString1="Microsoft-Windows-Known Folders API Service.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.183] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0077.183] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.183] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.184] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0077.184] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e198 [0077.184] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0077.184] SystemFunction036 (in: RandomBuffer=0x268e198, RandomBufferLength=0x10 | out: RandomBuffer=0x268e198) returned 1 [0077.184] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0077.184] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0077.184] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.185] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.186] GetTickCount () returned 0x11549a8 [0077.186] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.186] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.186] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.186] SetLastError (dwErrCode=0x0) [0077.186] WriteFile (in: hFile=0x260, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.187] GetLastError () returned 0x0 [0077.187] GetLastError () returned 0x0 [0077.187] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.187] WriteFile (in: hFile=0x260, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.187] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.187] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x28fee355, dwHighDateTime=0x1d5f971)) [0077.187] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.187] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.187] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.187] GetProcessHeap () returned 0xbc0000 [0077.188] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.188] GetSystemDefaultLangID () returned 0xbd0409 [0077.188] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.188] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.192] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.192] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.193] GetProcessHeap () returned 0xbc0000 [0077.193] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.193] CloseHandle (hObject=0x260) returned 1 [0077.194] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0077.194] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0077.194] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0077.194] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e198 | out: hHeap=0x2680000) returned 1 [0077.195] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0077.195] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Known Folders API Service.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-known folders api service.evtx.nefilim")) returned 1 [0077.195] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0077.195] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.195] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbb7386e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbb7386e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-LiveId%4Operational.evtx", cAlternateFileName="MI4C58~1.EVT")) returned 1 [0077.195] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2=".") returned 1 [0077.195] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="..") returned 1 [0077.195] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="...") returned 1 [0077.195] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="windows") returned -1 [0077.195] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.195] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="rsa") returned -1 [0077.195] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0077.195] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="ntldr") returned -1 [0077.195] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0077.195] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="IO.SYS") returned 1 [0077.195] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="boot.ini") returned 1 [0077.195] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.196] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0077.196] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="desktop.ini") returned 1 [0077.196] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0077.196] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="RECYCLER") returned -1 [0077.196] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.196] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="bootmgr") returned 1 [0077.196] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="programdata") returned -1 [0077.196] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="appdata") returned 1 [0077.196] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="program files") returned -1 [0077.196] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="program files (x86)") returned -1 [0077.196] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="microsoft") returned 1 [0077.196] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="sophos") returned -1 [0077.196] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0077.196] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.196] PathFindExtensionW (pszPath="Microsoft-Windows-LiveId%4Operational.evtx") returned=".evtx" [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.196] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.196] lstrcmpiW (lpString1="Microsoft-Windows-LiveId%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.196] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0077.196] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.197] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.197] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0077.197] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0077.197] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0077.197] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0077.197] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0280 [0077.197] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0cd0 [0077.197] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0280*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0280*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.198] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0cd0*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0cd0*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.199] GetTickCount () returned 0x11549b7 [0077.199] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.199] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.199] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.199] SetLastError (dwErrCode=0x0) [0077.199] WriteFile (in: hFile=0x260, lpBuffer=0x29d0280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0280*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.200] GetLastError () returned 0x0 [0077.200] GetLastError () returned 0x0 [0077.200] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.200] WriteFile (in: hFile=0x260, lpBuffer=0x29d0cd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0cd0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.200] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.201] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x29014542, dwHighDateTime=0x1d5f971)) [0077.201] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.201] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.201] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.201] GetProcessHeap () returned 0xbc0000 [0077.201] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.201] GetSystemDefaultLangID () returned 0xbd0409 [0077.201] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.201] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.205] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.205] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.206] GetProcessHeap () returned 0xbc0000 [0077.206] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.206] CloseHandle (hObject=0x260) returned 1 [0077.209] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0280 | out: hHeap=0x2680000) returned 1 [0077.209] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0cd0 | out: hHeap=0x2680000) returned 1 [0077.209] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0077.209] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0077.209] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0077.210] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-LiveId%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-liveid%4operational.evtx.nefilim")) returned 1 [0077.210] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.210] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0077.210] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93d06f0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93d06f0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1df92a8, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-MUI%4Admin.evtx", cAlternateFileName="MI30D3~1.EVT")) returned 1 [0077.210] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2=".") returned 1 [0077.210] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="..") returned 1 [0077.210] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="...") returned 1 [0077.210] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="windows") returned -1 [0077.210] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.210] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="rsa") returned -1 [0077.210] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0077.210] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="ntldr") returned -1 [0077.210] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0077.210] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="IO.SYS") returned 1 [0077.210] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="boot.ini") returned 1 [0077.210] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.211] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0077.211] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="desktop.ini") returned 1 [0077.211] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0077.211] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="RECYCLER") returned -1 [0077.211] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.211] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="bootmgr") returned 1 [0077.211] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="programdata") returned -1 [0077.211] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="appdata") returned 1 [0077.211] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="program files") returned -1 [0077.211] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="program files (x86)") returned -1 [0077.211] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="microsoft") returned 1 [0077.211] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="sophos") returned -1 [0077.211] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680530 [0077.211] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.211] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Admin.evtx") returned=".evtx" [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.211] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.211] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.211] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0077.211] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.212] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.212] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.212] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0077.212] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.212] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0077.212] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0cd0 [0077.212] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0077.212] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0cd0*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0cd0*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.212] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.213] GetTickCount () returned 0x11549c7 [0077.213] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.213] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.213] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.213] SetLastError (dwErrCode=0x0) [0077.213] WriteFile (in: hFile=0x260, lpBuffer=0x29d0cd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0cd0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.215] GetLastError () returned 0x0 [0077.215] GetLastError () returned 0x0 [0077.215] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.215] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.215] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.215] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x29040438, dwHighDateTime=0x1d5f971)) [0077.215] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.215] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.215] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.215] GetProcessHeap () returned 0xbc0000 [0077.215] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.216] GetSystemDefaultLangID () returned 0xbd0409 [0077.216] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.216] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.260] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.261] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.261] GetProcessHeap () returned 0xbc0000 [0077.261] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.261] CloseHandle (hObject=0x260) returned 1 [0077.263] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0cd0 | out: hHeap=0x2680000) returned 1 [0077.263] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0077.263] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.263] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0077.263] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0077.263] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-MUI%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-mui%4admin.evtx.nefilim")) returned 1 [0077.264] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.264] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.264] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc93aa49b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc93aa49b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-MUI%4Operational.evtx", cAlternateFileName="MI6F01~1.EVT")) returned 1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2=".") returned 1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="..") returned 1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="...") returned 1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="windows") returned -1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="rsa") returned -1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="ntldr") returned -1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="IO.SYS") returned 1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="boot.ini") returned 1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="desktop.ini") returned 1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="RECYCLER") returned -1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="bootmgr") returned 1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="programdata") returned -1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="appdata") returned 1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="program files") returned -1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="program files (x86)") returned -1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="microsoft") returned 1 [0077.264] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="sophos") returned -1 [0077.264] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0077.264] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0077.264] PathFindExtensionW (pszPath="Microsoft-Windows-MUI%4Operational.evtx") returned=".evtx" [0077.264] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.264] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.264] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.264] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.265] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.265] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.265] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.265] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.265] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.265] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.265] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.265] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.265] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.265] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.265] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.265] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.265] lstrcmpiW (lpString1="Microsoft-Windows-MUI%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680520 [0077.265] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.265] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e198 [0077.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.265] SystemFunction036 (in: RandomBuffer=0x268e198, RandomBufferLength=0x10 | out: RandomBuffer=0x268e198) returned 1 [0077.265] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0077.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0077.265] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.266] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.268] GetTickCount () returned 0x11549f6 [0077.268] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.268] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.268] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.268] SetLastError (dwErrCode=0x0) [0077.269] WriteFile (in: hFile=0x260, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.270] GetLastError () returned 0x0 [0077.270] GetLastError () returned 0x0 [0077.270] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.270] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.270] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.270] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x290d331f, dwHighDateTime=0x1d5f971)) [0077.270] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.270] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.270] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.270] GetProcessHeap () returned 0xbc0000 [0077.270] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.271] GetSystemDefaultLangID () returned 0xbd0409 [0077.271] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.271] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.275] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.276] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.276] GetProcessHeap () returned 0xbc0000 [0077.276] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.276] CloseHandle (hObject=0x260) returned 1 [0077.278] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0077.278] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0077.278] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e198 | out: hHeap=0x2680000) returned 1 [0077.278] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.278] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0077.278] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-MUI%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-mui%4operational.evtx.nefilim")) returned 1 [0077.281] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.281] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0077.281] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9d33b19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9d33b19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-NCSI%4Operational.evtx", cAlternateFileName="MI483C~1.EVT")) returned 1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2=".") returned 1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="..") returned 1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="...") returned 1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="windows") returned -1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="rsa") returned -1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="ntldr") returned -1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="IO.SYS") returned 1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="boot.ini") returned 1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="desktop.ini") returned 1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="RECYCLER") returned -1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="bootmgr") returned 1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="programdata") returned -1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="appdata") returned 1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="program files") returned -1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="program files (x86)") returned -1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="microsoft") returned 1 [0077.281] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="sophos") returned -1 [0077.281] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680520 [0077.281] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.281] PathFindExtensionW (pszPath="Microsoft-Windows-NCSI%4Operational.evtx") returned=".evtx" [0077.281] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.281] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.281] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.281] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.281] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.282] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.282] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.282] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.282] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.282] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.282] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.282] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.282] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.282] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.282] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.282] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.282] lstrcmpiW (lpString1="Microsoft-Windows-NCSI%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.282] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0077.282] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.282] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.282] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0077.282] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.282] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0077.282] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.282] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0077.282] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0cd0 [0077.282] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.283] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0cd0*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0cd0*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.286] GetTickCount () returned 0x1154a15 [0077.286] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.286] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.286] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.286] SetLastError (dwErrCode=0x0) [0077.286] WriteFile (in: hFile=0x260, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.287] GetLastError () returned 0x0 [0077.287] GetLastError () returned 0x0 [0077.287] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.287] WriteFile (in: hFile=0x260, lpBuffer=0x29d0cd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0cd0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.287] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.287] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x290f953e, dwHighDateTime=0x1d5f971)) [0077.287] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.287] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.287] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.287] GetProcessHeap () returned 0xbc0000 [0077.287] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.288] GetSystemDefaultLangID () returned 0xbd0409 [0077.288] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.288] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.293] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.293] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.293] GetProcessHeap () returned 0xbc0000 [0077.293] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.293] CloseHandle (hObject=0x260) returned 1 [0077.354] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0077.354] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0cd0 | out: hHeap=0x2680000) returned 1 [0077.354] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0077.354] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.355] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0077.355] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-NCSI%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-ncsi%4operational.evtx.nefilim")) returned 1 [0077.355] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0077.355] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.355] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbcf0ff2, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcbcf0ff2, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-NetworkProfile%4Operational.evtx", cAlternateFileName="MIFC66~1.EVT")) returned 1 [0077.355] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2=".") returned 1 [0077.355] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="..") returned 1 [0077.355] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="...") returned 1 [0077.355] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="windows") returned -1 [0077.355] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.355] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="rsa") returned -1 [0077.355] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0077.355] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="ntldr") returned -1 [0077.355] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="IO.SYS") returned 1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="boot.ini") returned 1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="desktop.ini") returned 1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="RECYCLER") returned -1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="bootmgr") returned 1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="programdata") returned -1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="appdata") returned 1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="program files") returned -1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="program files (x86)") returned -1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="microsoft") returned 1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="sophos") returned -1 [0077.356] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0077.356] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0077.356] PathFindExtensionW (pszPath="Microsoft-Windows-NetworkProfile%4Operational.evtx") returned=".evtx" [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.356] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.356] lstrcmpiW (lpString1="Microsoft-Windows-NetworkProfile%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.357] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0077.357] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.357] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.357] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.357] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0077.357] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.357] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0077.357] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0077.357] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0077.357] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.358] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.360] GetTickCount () returned 0x1154a54 [0077.360] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.360] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.360] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.360] SetLastError (dwErrCode=0x0) [0077.360] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.361] GetLastError () returned 0x0 [0077.361] GetLastError () returned 0x0 [0077.361] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.361] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.361] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.361] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x29191cdb, dwHighDateTime=0x1d5f971)) [0077.361] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.361] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.361] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.361] GetProcessHeap () returned 0xbc0000 [0077.362] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.362] GetSystemDefaultLangID () returned 0xbd0409 [0077.362] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.362] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.371] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.371] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.372] GetProcessHeap () returned 0xbc0000 [0077.372] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.372] CloseHandle (hObject=0x260) returned 1 [0077.375] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0077.375] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0077.375] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.375] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0077.375] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0077.375] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-NetworkProfile%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-networkprofile%4operational.evtx.nefilim")) returned 1 [0077.376] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0077.376] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.376] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ab3154, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ab3154, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Ntfs%4Operational.evtx", cAlternateFileName="MI6E98~1.EVT")) returned 1 [0077.376] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2=".") returned 1 [0077.376] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="..") returned 1 [0077.376] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="...") returned 1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="windows") returned -1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="rsa") returned -1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="ntldr") returned -1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="IO.SYS") returned 1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="boot.ini") returned 1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="desktop.ini") returned 1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="RECYCLER") returned -1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="bootmgr") returned 1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="programdata") returned -1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="appdata") returned 1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="program files") returned -1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="program files (x86)") returned -1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="microsoft") returned 1 [0077.377] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="sophos") returned -1 [0077.378] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0077.378] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.378] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4Operational.evtx") returned=".evtx" [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.378] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.378] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.379] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0077.379] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.380] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.380] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0077.380] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0077.380] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0077.380] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0077.380] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0077.381] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0077.381] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.383] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.385] GetTickCount () returned 0x1154a73 [0077.385] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.385] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.385] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.385] SetLastError (dwErrCode=0x0) [0077.385] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.386] GetLastError () returned 0x0 [0077.386] GetLastError () returned 0x0 [0077.387] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.387] WriteFile (in: hFile=0x260, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.387] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.387] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x291de07d, dwHighDateTime=0x1d5f971)) [0077.387] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.387] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.387] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.387] GetProcessHeap () returned 0xbc0000 [0077.387] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.387] GetSystemDefaultLangID () returned 0xbd0409 [0077.387] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.387] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.564] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.564] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.564] GetProcessHeap () returned 0xbc0000 [0077.564] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.565] CloseHandle (hObject=0x260) returned 1 [0077.569] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0077.569] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0077.569] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0077.569] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0077.569] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0077.569] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-ntfs%4operational.evtx.nefilim")) returned 1 [0077.570] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.570] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0077.570] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50ad9393, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50ad9393, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Ntfs%4WHC.evtx", cAlternateFileName="MIB2AC~1.EVT")) returned 1 [0077.570] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2=".") returned 1 [0077.570] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="..") returned 1 [0077.570] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="...") returned 1 [0077.570] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="windows") returned -1 [0077.570] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.570] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="rsa") returned -1 [0077.570] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="NTDETECT.COM") returned -1 [0077.570] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="ntldr") returned -1 [0077.570] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="MSDOS.SYS") returned -1 [0077.570] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="IO.SYS") returned 1 [0077.570] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="boot.ini") returned 1 [0077.571] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.571] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="ntuser.dat") returned -1 [0077.571] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="desktop.ini") returned 1 [0077.571] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="CONFIG.SYS") returned 1 [0077.571] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="RECYCLER") returned -1 [0077.571] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.571] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="bootmgr") returned 1 [0077.571] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="programdata") returned -1 [0077.571] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="appdata") returned 1 [0077.571] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="program files") returned -1 [0077.571] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="program files (x86)") returned -1 [0077.571] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="microsoft") returned 1 [0077.571] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="sophos") returned -1 [0077.571] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680530 [0077.571] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.571] PathFindExtensionW (pszPath="Microsoft-Windows-Ntfs%4WHC.evtx") returned=".evtx" [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.571] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.571] lstrcmpiW (lpString1="Microsoft-Windows-Ntfs%4WHC.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.571] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0077.571] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.572] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.572] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.572] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0077.572] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.572] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0077.572] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0077.572] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0077.572] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.573] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.574] GetTickCount () returned 0x1154b2e [0077.574] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.574] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.574] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.574] SetLastError (dwErrCode=0x0) [0077.574] WriteFile (in: hFile=0x260, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.575] GetLastError () returned 0x0 [0077.575] GetLastError () returned 0x0 [0077.575] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.576] WriteFile (in: hFile=0x260, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.576] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.576] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x293a7ca2, dwHighDateTime=0x1d5f971)) [0077.576] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.576] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.576] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.576] GetProcessHeap () returned 0xbc0000 [0077.576] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.576] GetSystemDefaultLangID () returned 0xbd0409 [0077.576] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.576] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.589] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.589] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.589] GetProcessHeap () returned 0xbc0000 [0077.589] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.589] CloseHandle (hObject=0x260) returned 1 [0077.591] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0077.591] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0077.591] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.591] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0077.591] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0077.591] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Ntfs%4WHC.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-ntfs%4whc.evtx.nefilim")) returned 1 [0077.592] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.592] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.592] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca5fe5cb, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xca5fe5cb, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", cAlternateFileName="MI6AFE~1.EVT")) returned 1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2=".") returned 1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="..") returned 1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="...") returned 1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="windows") returned -1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="rsa") returned -1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="NTDETECT.COM") returned -1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="ntldr") returned -1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="MSDOS.SYS") returned -1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="IO.SYS") returned 1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="boot.ini") returned 1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="ntuser.dat") returned -1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="desktop.ini") returned 1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="CONFIG.SYS") returned 1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="RECYCLER") returned -1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="bootmgr") returned 1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="programdata") returned -1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="appdata") returned 1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="program files") returned -1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="program files (x86)") returned -1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="microsoft") returned 1 [0077.592] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="sophos") returned -1 [0077.592] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268bd90 [0077.592] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0077.592] PathFindExtensionW (pszPath="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx") returned=".evtx" [0077.592] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.593] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.593] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.593] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.593] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.593] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.593] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.593] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.593] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.593] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.593] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.593] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.593] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.593] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.593] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.593] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.593] lstrcmpiW (lpString1="Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.593] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x26804b8 [0077.593] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.594] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.594] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0077.594] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.594] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0077.594] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.594] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0077.594] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0077.594] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.594] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.595] GetTickCount () returned 0x1154b3e [0077.595] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2680570 [0077.595] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680570 | out: hHeap=0x2680000) returned 1 [0077.596] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.596] SetLastError (dwErrCode=0x0) [0077.596] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.597] GetLastError () returned 0x0 [0077.597] GetLastError () returned 0x0 [0077.597] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.597] WriteFile (in: hFile=0x260, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.597] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.597] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x293cdfcb, dwHighDateTime=0x1d5f971)) [0077.597] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.597] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.597] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.597] GetProcessHeap () returned 0xbc0000 [0077.597] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.598] GetSystemDefaultLangID () returned 0xbd0409 [0077.598] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.598] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.603] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.603] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.603] GetProcessHeap () returned 0xbc0000 [0077.603] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.603] CloseHandle (hObject=0x260) returned 1 [0077.605] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0077.605] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0077.605] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0077.605] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.605] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e2e8 [0077.605] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-program-compatibility-assistant%4compatafterupgrade.evtx.nefilim")) returned 1 [0077.606] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0077.606] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.606] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe24cdef0, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xe24cdef0, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-ReadyBoost%4Operational.evtx", cAlternateFileName="MIB9D2~1.EVT")) returned 1 [0077.606] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2=".") returned 1 [0077.606] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="..") returned 1 [0077.606] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="...") returned 1 [0077.606] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="windows") returned -1 [0077.606] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.606] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="rsa") returned -1 [0077.606] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0077.606] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="ntldr") returned -1 [0077.606] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0077.606] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="IO.SYS") returned 1 [0077.606] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="boot.ini") returned 1 [0077.606] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.606] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0077.607] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="desktop.ini") returned 1 [0077.607] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0077.607] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="RECYCLER") returned -1 [0077.607] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.607] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="bootmgr") returned 1 [0077.607] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="programdata") returned -1 [0077.607] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="appdata") returned 1 [0077.607] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="program files") returned -1 [0077.607] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="program files (x86)") returned -1 [0077.607] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="microsoft") returned 1 [0077.607] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="sophos") returned -1 [0077.607] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be48 [0077.607] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0077.607] PathFindExtensionW (pszPath="Microsoft-Windows-ReadyBoost%4Operational.evtx") returned=".evtx" [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.607] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.607] lstrcmpiW (lpString1="Microsoft-Windows-ReadyBoost%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.607] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0077.607] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.608] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.608] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0077.608] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.608] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0077.608] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.608] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0077.608] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0077.608] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.609] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.610] GetTickCount () returned 0x1154b4e [0077.610] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.610] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.610] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.610] SetLastError (dwErrCode=0x0) [0077.610] WriteFile (in: hFile=0x260, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.611] GetLastError () returned 0x0 [0077.611] GetLastError () returned 0x0 [0077.611] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.611] WriteFile (in: hFile=0x260, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.612] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.612] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x293f41c5, dwHighDateTime=0x1d5f971)) [0077.612] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.612] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.612] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.612] GetProcessHeap () returned 0xbc0000 [0077.612] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.612] GetSystemDefaultLangID () returned 0xbd0409 [0077.612] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.612] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.642] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.642] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.643] GetProcessHeap () returned 0xbc0000 [0077.643] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.643] CloseHandle (hObject=0x260) returned 1 [0077.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0077.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0077.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0077.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.645] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0077.645] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-ReadyBoost%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-readyboost%4operational.evtx.nefilim")) returned 1 [0077.646] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0077.646] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.646] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd125335f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd125335f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", cAlternateFileName="MI7A67~1.EVT")) returned 1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2=".") returned 1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="..") returned 1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="...") returned 1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="windows") returned -1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="rsa") returned -1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="ntldr") returned -1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="IO.SYS") returned 1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="boot.ini") returned 1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="desktop.ini") returned 1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="RECYCLER") returned -1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="bootmgr") returned 1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="programdata") returned -1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="appdata") returned 1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="program files") returned -1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="program files (x86)") returned -1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="microsoft") returned 1 [0077.646] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="sophos") returned -1 [0077.646] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268bd90 [0077.647] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be48 | out: hHeap=0x2680000) returned 1 [0077.647] PathFindExtensionW (pszPath="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx") returned=".evtx" [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.647] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.647] lstrcmpiW (lpString1="Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.647] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x26804b8 [0077.647] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.647] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.647] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0077.647] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.647] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0077.647] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.647] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0077.648] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0077.648] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.648] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.649] GetTickCount () returned 0x1154b7c [0077.649] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2680560 [0077.649] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0077.649] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.649] SetLastError (dwErrCode=0x0) [0077.649] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.650] GetLastError () returned 0x0 [0077.650] GetLastError () returned 0x0 [0077.650] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.650] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.650] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.650] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x294680c9, dwHighDateTime=0x1d5f971)) [0077.650] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0077.650] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0077.650] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.650] GetProcessHeap () returned 0xbc0000 [0077.650] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.651] GetSystemDefaultLangID () returned 0xbd0409 [0077.651] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.651] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.656] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.656] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.656] GetProcessHeap () returned 0xbc0000 [0077.656] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.656] CloseHandle (hObject=0x260) returned 1 [0077.658] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0077.658] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0077.658] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0077.658] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.658] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0077.658] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-resource-exhaustion-detector%4operational.evtx.nefilim")) returned 1 [0077.659] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0077.659] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.659] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-SettingSync%4Debug.evtx", cAlternateFileName="MI3773~1.EVT")) returned 1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2=".") returned 1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="..") returned 1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="...") returned 1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="windows") returned -1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="rsa") returned -1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="NTDETECT.COM") returned -1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="ntldr") returned -1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="MSDOS.SYS") returned -1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="IO.SYS") returned 1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="boot.ini") returned 1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="ntuser.dat") returned -1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="desktop.ini") returned 1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="CONFIG.SYS") returned 1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="RECYCLER") returned -1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="bootmgr") returned 1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="programdata") returned -1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="appdata") returned 1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="program files") returned -1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="program files (x86)") returned -1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="microsoft") returned 1 [0077.659] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="sophos") returned -1 [0077.659] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be38 [0077.660] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0077.660] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Debug.evtx") returned=".evtx" [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.660] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.660] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Debug.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.660] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0077.660] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.661] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=1052672) returned 1 [0077.661] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.661] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0077.661] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.661] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0077.661] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0077.661] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0077.662] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.663] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.664] GetTickCount () returned 0x1154b8c [0077.664] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.664] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.664] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.664] SetLastError (dwErrCode=0x0) [0077.664] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.665] GetLastError () returned 0x0 [0077.665] GetLastError () returned 0x0 [0077.665] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.665] WriteFile (in: hFile=0x260, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.665] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.665] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2948cc0a, dwHighDateTime=0x1d5f971)) [0077.665] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.665] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.665] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.665] GetProcessHeap () returned 0xbc0000 [0077.665] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x101000) returned 0x2ce9020 [0077.668] GetSystemDefaultLangID () returned 0xbd0409 [0077.668] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.668] ReadFile (in: hFile=0x260, lpBuffer=0x2ce9020, nNumberOfBytesToRead=0x101000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0x2ce9020*, lpNumberOfBytesRead=0x25bf15c*=0x101000, lpOverlapped=0x0) returned 1 [0077.825] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.825] WriteFile (in: hFile=0x260, lpBuffer=0x2ce9020*, nNumberOfBytesToWrite=0x101000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2ce9020*, lpNumberOfBytesWritten=0x25bf150*=0x101000, lpOverlapped=0x0) returned 1 [0077.828] GetProcessHeap () returned 0xbc0000 [0077.828] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0x2ce9020 | out: hHeap=0xbc0000) returned 1 [0077.833] CloseHandle (hObject=0x260) returned 1 [0077.897] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0077.897] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0077.897] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.897] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0077.897] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0077.897] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Debug.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-settingsync%4debug.evtx.nefilim")) returned 1 [0077.897] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0077.897] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.897] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd1fe2941, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd1fe2941, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-SettingSync%4Operational.evtx", cAlternateFileName="MI36AA~1.EVT")) returned 1 [0077.897] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2=".") returned 1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="..") returned 1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="...") returned 1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="windows") returned -1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="rsa") returned -1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="ntldr") returned -1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="IO.SYS") returned 1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="boot.ini") returned 1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="desktop.ini") returned 1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="RECYCLER") returned -1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="bootmgr") returned 1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="programdata") returned -1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="appdata") returned 1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="program files") returned -1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="program files (x86)") returned -1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="microsoft") returned 1 [0077.898] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="sophos") returned -1 [0077.898] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0077.898] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be38 | out: hHeap=0x2680000) returned 1 [0077.898] PathFindExtensionW (pszPath="Microsoft-Windows-SettingSync%4Operational.evtx") returned=".evtx" [0077.898] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.898] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.898] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.898] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.898] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.898] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.898] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.898] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.898] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.899] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.899] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.899] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.899] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.899] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.899] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.899] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.899] lstrcmpiW (lpString1="Microsoft-Windows-SettingSync%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.899] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0077.899] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.899] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.899] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.899] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0077.899] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.899] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0077.899] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0077.899] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0077.899] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.899] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.900] GetTickCount () returned 0x1154c76 [0077.900] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.900] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.900] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.900] SetLastError (dwErrCode=0x0) [0077.900] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.901] GetLastError () returned 0x0 [0077.901] GetLastError () returned 0x0 [0077.901] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.901] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.901] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.901] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x296c8f11, dwHighDateTime=0x1d5f971)) [0077.901] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.901] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.901] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.901] GetProcessHeap () returned 0xbc0000 [0077.901] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.901] GetSystemDefaultLangID () returned 0xbd0409 [0077.901] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.901] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.906] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.906] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.906] GetProcessHeap () returned 0xbc0000 [0077.906] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.906] CloseHandle (hObject=0x260) returned 1 [0077.909] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0077.909] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0077.909] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.909] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0077.909] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0077.909] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SettingSync%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-settingsync%4operational.evtx.nefilim")) returned 1 [0077.910] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0077.910] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.910] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", cAlternateFileName="MI2E2E~1.EVT")) returned 1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2=".") returned 1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="..") returned 1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="...") returned 1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="windows") returned -1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="rsa") returned -1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="NTDETECT.COM") returned -1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="ntldr") returned -1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="MSDOS.SYS") returned -1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="IO.SYS") returned 1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="boot.ini") returned 1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="ntuser.dat") returned -1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="desktop.ini") returned 1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="CONFIG.SYS") returned 1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="RECYCLER") returned -1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="bootmgr") returned 1 [0077.910] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="programdata") returned -1 [0077.911] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="appdata") returned 1 [0077.911] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="program files") returned -1 [0077.911] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="program files (x86)") returned -1 [0077.911] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="microsoft") returned 1 [0077.911] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="sophos") returned -1 [0077.911] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0077.911] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.911] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4ActionCenter.evtx") returned=".evtx" [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.911] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.911] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4ActionCenter.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.911] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0077.911] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.912] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.912] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.912] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0077.912] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.912] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0077.912] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0077.912] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0cd0 [0077.912] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.913] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0cd0*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0cd0*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.914] GetTickCount () returned 0x1154c86 [0077.914] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.914] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.914] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.914] SetLastError (dwErrCode=0x0) [0077.914] WriteFile (in: hFile=0x260, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.915] GetLastError () returned 0x0 [0077.915] GetLastError () returned 0x0 [0077.915] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.915] WriteFile (in: hFile=0x260, lpBuffer=0x29d0cd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0cd0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.915] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.915] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x296ef1ca, dwHighDateTime=0x1d5f971)) [0077.915] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.915] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.916] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.916] GetProcessHeap () returned 0xbc0000 [0077.916] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.916] GetSystemDefaultLangID () returned 0xbd0409 [0077.916] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.916] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.920] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.920] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.921] GetProcessHeap () returned 0xbc0000 [0077.921] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.921] CloseHandle (hObject=0x260) returned 1 [0077.923] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0077.923] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0cd0 | out: hHeap=0x2680000) returned 1 [0077.923] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.924] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0077.924] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0077.924] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-shell-core%4actioncenter.evtx.nefilim")) returned 1 [0077.924] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.924] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0077.924] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3852b12, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd3852b12, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Shell-Core%4Operational.evtx", cAlternateFileName="MI1C6C~1.EVT")) returned 1 [0077.924] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2=".") returned 1 [0077.924] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="..") returned 1 [0077.924] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="...") returned 1 [0077.924] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="windows") returned -1 [0077.924] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.924] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="rsa") returned -1 [0077.924] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0077.924] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="ntldr") returned -1 [0077.924] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0077.924] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="IO.SYS") returned 1 [0077.925] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="boot.ini") returned 1 [0077.925] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.925] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0077.925] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="desktop.ini") returned 1 [0077.925] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0077.925] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="RECYCLER") returned -1 [0077.925] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.925] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="bootmgr") returned 1 [0077.925] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="programdata") returned -1 [0077.925] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="appdata") returned 1 [0077.925] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="program files") returned -1 [0077.925] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="program files (x86)") returned -1 [0077.925] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="microsoft") returned 1 [0077.925] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="sophos") returned -1 [0077.925] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0077.925] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.925] PathFindExtensionW (pszPath="Microsoft-Windows-Shell-Core%4Operational.evtx") returned=".evtx" [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.925] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.926] lstrcmpiW (lpString1="Microsoft-Windows-Shell-Core%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0077.926] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.926] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0077.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0077.926] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0077.926] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0077.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0077.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0077.926] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.926] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.928] GetTickCount () returned 0x1154c96 [0077.928] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.928] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.928] SetLastError (dwErrCode=0x0) [0077.928] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.929] GetLastError () returned 0x0 [0077.929] GetLastError () returned 0x0 [0077.929] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.929] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.929] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.929] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x297153be, dwHighDateTime=0x1d5f971)) [0077.929] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.929] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.929] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.929] GetProcessHeap () returned 0xbc0000 [0077.929] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.930] GetSystemDefaultLangID () returned 0xbd0409 [0077.930] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.930] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.976] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.976] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.977] GetProcessHeap () returned 0xbc0000 [0077.977] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.977] CloseHandle (hObject=0x260) returned 1 [0077.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0077.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0077.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0077.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0f0 | out: hHeap=0x2680000) returned 1 [0077.979] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0077.979] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Shell-Core%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-shell-core%4operational.evtx.nefilim")) returned 1 [0077.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.980] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-SmbClient%4Connectivity.evtx", cAlternateFileName="MI00FB~1.EVT")) returned 1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2=".") returned 1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="..") returned 1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="...") returned 1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="windows") returned -1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="rsa") returned -1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="NTDETECT.COM") returned -1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="ntldr") returned -1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="MSDOS.SYS") returned -1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="IO.SYS") returned 1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="boot.ini") returned 1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="ntuser.dat") returned -1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="desktop.ini") returned 1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="CONFIG.SYS") returned 1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="RECYCLER") returned -1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="bootmgr") returned 1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="programdata") returned -1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="appdata") returned 1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="program files") returned -1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="program files (x86)") returned -1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="microsoft") returned 1 [0077.980] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="sophos") returned -1 [0077.980] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0077.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0077.980] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Connectivity.evtx") returned=".evtx" [0077.980] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.980] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.980] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.980] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.980] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.980] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.981] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.981] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.981] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.981] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.981] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.981] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.981] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.981] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.981] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.981] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.981] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Connectivity.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0077.981] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.981] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0077.981] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.981] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0077.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0077.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0280 [0077.981] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.983] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0280*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0280*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.984] GetTickCount () returned 0x1154cc5 [0077.984] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.984] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.984] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.984] SetLastError (dwErrCode=0x0) [0077.984] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.985] GetLastError () returned 0x0 [0077.985] GetLastError () returned 0x0 [0077.985] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.985] WriteFile (in: hFile=0x260, lpBuffer=0x29d0280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0280*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.985] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.985] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x29787a61, dwHighDateTime=0x1d5f971)) [0077.985] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.985] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.985] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.985] GetProcessHeap () returned 0xbc0000 [0077.985] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.985] GetSystemDefaultLangID () returned 0xbd0409 [0077.985] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.985] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0077.990] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.990] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0077.990] GetProcessHeap () returned 0xbc0000 [0077.990] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0077.990] CloseHandle (hObject=0x260) returned 1 [0077.992] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0077.992] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0280 | out: hHeap=0x2680000) returned 1 [0077.992] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0077.992] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0077.992] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0077.992] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Connectivity.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-smbclient%4connectivity.evtx.nefilim")) returned 1 [0077.993] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0077.993] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0077.993] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97b042f, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97b042f, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-SMBClient%4Operational.evtx", cAlternateFileName="MID8B0~1.EVT")) returned 1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2=".") returned 1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="..") returned 1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="...") returned 1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="windows") returned -1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="rsa") returned -1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="ntldr") returned -1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="IO.SYS") returned 1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="boot.ini") returned 1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="desktop.ini") returned 1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="RECYCLER") returned -1 [0077.993] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0077.994] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="bootmgr") returned 1 [0077.994] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="programdata") returned -1 [0077.994] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="appdata") returned 1 [0077.994] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="program files") returned -1 [0077.994] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="program files (x86)") returned -1 [0077.994] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="microsoft") returned 1 [0077.994] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="sophos") returned -1 [0077.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0077.994] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0077.994] PathFindExtensionW (pszPath="Microsoft-Windows-SMBClient%4Operational.evtx") returned=".evtx" [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0077.994] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0077.994] lstrcmpiW (lpString1="Microsoft-Windows-SMBClient%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0077.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0077.994] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0077.995] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0077.995] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0077.995] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0077.995] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0077.995] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0077.995] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0077.995] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0077.995] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0077.996] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0077.998] GetTickCount () returned 0x1154cd4 [0077.998] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0077.998] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.998] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.998] SetLastError (dwErrCode=0x0) [0077.998] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.999] GetLastError () returned 0x0 [0077.999] GetLastError () returned 0x0 [0077.999] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.999] WriteFile (in: hFile=0x260, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0077.999] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.999] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x297adcd2, dwHighDateTime=0x1d5f971)) [0077.999] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0077.999] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0077.999] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0077.999] GetProcessHeap () returned 0xbc0000 [0077.999] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0077.999] GetSystemDefaultLangID () returned 0xbd0409 [0077.999] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0077.999] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0078.004] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.004] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0078.004] GetProcessHeap () returned 0xbc0000 [0078.004] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0078.004] CloseHandle (hObject=0x260) returned 1 [0078.007] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0078.007] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0078.007] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0078.007] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0078.007] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0078.007] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBClient%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-smbclient%4operational.evtx.nefilim")) returned 1 [0078.008] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0078.008] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0078.008] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc97d66c8, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc97d66c8, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-SmbClient%4Security.evtx", cAlternateFileName="MI8CEE~1.EVT")) returned 1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2=".") returned 1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="..") returned 1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="...") returned 1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="windows") returned -1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="$RECYCLE.BIN") returned 1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="rsa") returned -1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="NTDETECT.COM") returned -1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="ntldr") returned -1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="MSDOS.SYS") returned -1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="IO.SYS") returned 1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="boot.ini") returned 1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="ntuser.dat") returned -1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="desktop.ini") returned 1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="CONFIG.SYS") returned 1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="RECYCLER") returned -1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="BOOTSECT.BAK") returned 1 [0078.008] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="bootmgr") returned 1 [0078.009] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="programdata") returned -1 [0078.009] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="appdata") returned 1 [0078.009] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="program files") returned -1 [0078.009] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="program files (x86)") returned -1 [0078.009] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="microsoft") returned 1 [0078.009] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="sophos") returned -1 [0078.009] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0078.009] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0078.009] PathFindExtensionW (pszPath="Microsoft-Windows-SmbClient%4Security.evtx") returned=".evtx" [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0078.009] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0078.009] lstrcmpiW (lpString1="Microsoft-Windows-SmbClient%4Security.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0078.009] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0078.009] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0078.057] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0078.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0078.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0078.057] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0078.057] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0078.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0078.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0078.057] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0078.057] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0078.059] GetTickCount () returned 0x1154d13 [0078.059] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0078.059] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.059] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.059] SetLastError (dwErrCode=0x0) [0078.059] WriteFile (in: hFile=0x260, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.060] GetLastError () returned 0x0 [0078.060] GetLastError () returned 0x0 [0078.060] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.060] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.060] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.060] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x29846660, dwHighDateTime=0x1d5f971)) [0078.060] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0078.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.060] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0078.060] GetProcessHeap () returned 0xbc0000 [0078.060] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0078.061] GetSystemDefaultLangID () returned 0xbd0409 [0078.061] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.061] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0078.065] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.066] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0078.066] GetProcessHeap () returned 0xbc0000 [0078.066] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0078.066] CloseHandle (hObject=0x260) returned 1 [0078.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0078.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0078.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0078.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0078.069] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0078.069] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SmbClient%4Security.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-smbclient%4security.evtx.nefilim")) returned 1 [0078.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0078.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0078.069] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb1ea1c9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb1ea1c9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-SMBServer%4Audit.evtx", cAlternateFileName="MIE3AD~1.EVT")) returned 1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2=".") returned 1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="..") returned 1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="...") returned 1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="windows") returned -1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="$RECYCLE.BIN") returned 1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="rsa") returned -1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="NTDETECT.COM") returned -1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="ntldr") returned -1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="MSDOS.SYS") returned -1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="IO.SYS") returned 1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="boot.ini") returned 1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="ntuser.dat") returned -1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="desktop.ini") returned 1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="CONFIG.SYS") returned 1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="RECYCLER") returned -1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="BOOTSECT.BAK") returned 1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="bootmgr") returned 1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="programdata") returned -1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="appdata") returned 1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="program files") returned -1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="program files (x86)") returned -1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="microsoft") returned 1 [0078.070] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="sophos") returned -1 [0078.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680530 [0078.071] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0078.071] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Audit.evtx") returned=".evtx" [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0078.071] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0078.071] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Audit.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0078.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0078.071] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0078.071] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0078.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0078.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0078.071] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0078.071] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0078.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0078.072] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0078.072] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0078.073] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0078.075] GetTickCount () returned 0x1154d22 [0078.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0078.075] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.075] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.075] SetLastError (dwErrCode=0x0) [0078.075] WriteFile (in: hFile=0x260, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.076] GetLastError () returned 0x0 [0078.076] GetLastError () returned 0x0 [0078.076] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.076] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.076] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.076] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2986c89a, dwHighDateTime=0x1d5f971)) [0078.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0078.076] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.076] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0078.076] GetProcessHeap () returned 0xbc0000 [0078.076] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0078.077] GetSystemDefaultLangID () returned 0xbd0409 [0078.077] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.077] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0078.082] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.082] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0078.083] GetProcessHeap () returned 0xbc0000 [0078.083] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0078.083] CloseHandle (hObject=0x260) returned 1 [0078.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0078.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0078.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0078.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0078.085] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0078.085] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Audit.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-smbserver%4audit.evtx.nefilim")) returned 1 [0078.085] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0078.085] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0078.085] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb19dd19, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb19dd19, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-SMBServer%4Connectivity.evtx", cAlternateFileName="MI8248~1.EVT")) returned 1 [0078.085] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2=".") returned 1 [0078.085] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="..") returned 1 [0078.085] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="...") returned 1 [0078.085] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="windows") returned -1 [0078.085] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="$RECYCLE.BIN") returned 1 [0078.085] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="rsa") returned -1 [0078.085] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="NTDETECT.COM") returned -1 [0078.085] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="ntldr") returned -1 [0078.085] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="MSDOS.SYS") returned -1 [0078.085] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="IO.SYS") returned 1 [0078.085] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="boot.ini") returned 1 [0078.085] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0078.085] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="ntuser.dat") returned -1 [0078.086] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="desktop.ini") returned 1 [0078.086] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="CONFIG.SYS") returned 1 [0078.086] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="RECYCLER") returned -1 [0078.086] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="BOOTSECT.BAK") returned 1 [0078.086] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="bootmgr") returned 1 [0078.086] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="programdata") returned -1 [0078.086] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="appdata") returned 1 [0078.086] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="program files") returned -1 [0078.086] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="program files (x86)") returned -1 [0078.086] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="microsoft") returned 1 [0078.086] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="sophos") returned -1 [0078.086] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0078.086] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0078.086] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Connectivity.evtx") returned=".evtx" [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0078.086] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0078.086] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Connectivity.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0078.086] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0078.086] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0078.087] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0078.087] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e198 [0078.087] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0078.087] SystemFunction036 (in: RandomBuffer=0x268e198, RandomBufferLength=0x10 | out: RandomBuffer=0x268e198) returned 1 [0078.087] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0078.087] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0cd0 [0078.087] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0078.087] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0cd0*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0cd0*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0078.088] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0078.090] GetTickCount () returned 0x1154d32 [0078.090] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0078.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.090] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.090] SetLastError (dwErrCode=0x0) [0078.090] WriteFile (in: hFile=0x260, lpBuffer=0x29d0cd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0cd0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.091] GetLastError () returned 0x0 [0078.091] GetLastError () returned 0x0 [0078.091] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.091] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.091] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.091] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x29892b1b, dwHighDateTime=0x1d5f971)) [0078.091] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0078.091] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.092] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0078.092] GetProcessHeap () returned 0xbc0000 [0078.092] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0078.092] GetSystemDefaultLangID () returned 0xbd0409 [0078.092] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.092] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0078.132] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.132] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0078.133] GetProcessHeap () returned 0xbc0000 [0078.133] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0078.133] CloseHandle (hObject=0x260) returned 1 [0078.135] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0cd0 | out: hHeap=0x2680000) returned 1 [0078.135] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0078.135] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e198 | out: hHeap=0x2680000) returned 1 [0078.135] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0078.135] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0078.135] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Connectivity.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-smbserver%4connectivity.evtx.nefilim")) returned 1 [0078.135] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0078.135] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0078.135] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb151873, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb151873, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-SMBServer%4Operational.evtx", cAlternateFileName="MI4B6B~1.EVT")) returned 1 [0078.135] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2=".") returned 1 [0078.135] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="..") returned 1 [0078.135] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="...") returned 1 [0078.135] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="windows") returned -1 [0078.135] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0078.135] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="rsa") returned -1 [0078.135] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="ntldr") returned -1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="IO.SYS") returned 1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="boot.ini") returned 1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="desktop.ini") returned 1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="RECYCLER") returned -1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="bootmgr") returned 1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="programdata") returned -1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="appdata") returned 1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="program files") returned -1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="program files (x86)") returned -1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="microsoft") returned 1 [0078.136] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="sophos") returned -1 [0078.136] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0078.136] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0078.136] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Operational.evtx") returned=".evtx" [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0078.136] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0078.137] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0078.137] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0078.137] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0078.137] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0078.137] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0078.137] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0078.137] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0078.137] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0078.137] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0078.137] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0078.137] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0078.138] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0078.139] GetTickCount () returned 0x1154d61 [0078.139] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0078.139] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.139] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.139] SetLastError (dwErrCode=0x0) [0078.139] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.140] GetLastError () returned 0x0 [0078.140] GetLastError () returned 0x0 [0078.140] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.141] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.141] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.141] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x29905202, dwHighDateTime=0x1d5f971)) [0078.141] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0078.141] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.141] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0078.141] GetProcessHeap () returned 0xbc0000 [0078.141] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0078.141] GetSystemDefaultLangID () returned 0xbd0409 [0078.141] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.141] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0078.146] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.146] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0078.146] GetProcessHeap () returned 0xbc0000 [0078.146] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0078.146] CloseHandle (hObject=0x260) returned 1 [0078.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0078.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0078.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0078.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0078.148] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0078.148] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-smbserver%4operational.evtx.nefilim")) returned 1 [0078.149] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0078.149] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0078.149] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb177aca, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb177aca, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-SMBServer%4Security.evtx", cAlternateFileName="MI7709~1.EVT")) returned 1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2=".") returned 1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="..") returned 1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="...") returned 1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="windows") returned -1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="$RECYCLE.BIN") returned 1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="rsa") returned -1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="NTDETECT.COM") returned -1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="ntldr") returned -1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="MSDOS.SYS") returned -1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="IO.SYS") returned 1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="boot.ini") returned 1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="ntuser.dat") returned -1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="desktop.ini") returned 1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="CONFIG.SYS") returned 1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="RECYCLER") returned -1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="BOOTSECT.BAK") returned 1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="bootmgr") returned 1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="programdata") returned -1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="appdata") returned 1 [0078.149] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="program files") returned -1 [0078.150] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="program files (x86)") returned -1 [0078.150] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="microsoft") returned 1 [0078.150] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="sophos") returned -1 [0078.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0078.150] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0078.150] PathFindExtensionW (pszPath="Microsoft-Windows-SMBServer%4Security.evtx") returned=".evtx" [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0078.150] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0078.150] lstrcmpiW (lpString1="Microsoft-Windows-SMBServer%4Security.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0078.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0078.150] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0078.150] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0078.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0078.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0078.151] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0078.151] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0078.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0cd0 [0078.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0078.151] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0cd0*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0cd0*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0078.152] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0078.153] GetTickCount () returned 0x1154d70 [0078.153] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0078.153] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.153] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.153] SetLastError (dwErrCode=0x0) [0078.153] WriteFile (in: hFile=0x260, lpBuffer=0x29d0cd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0cd0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.154] GetLastError () returned 0x0 [0078.154] GetLastError () returned 0x0 [0078.154] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.154] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.154] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.154] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2992b45a, dwHighDateTime=0x1d5f971)) [0078.154] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0078.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.154] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0078.154] GetProcessHeap () returned 0xbc0000 [0078.154] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0078.154] GetSystemDefaultLangID () returned 0xbd0409 [0078.154] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.155] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0078.159] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.159] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0078.159] GetProcessHeap () returned 0xbc0000 [0078.159] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0078.159] CloseHandle (hObject=0x260) returned 1 [0078.161] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0cd0 | out: hHeap=0x2680000) returned 1 [0078.161] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0078.161] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0078.161] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0078.161] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0078.161] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-SMBServer%4Security.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-smbserver%4security.evtx.nefilim")) returned 1 [0078.162] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0078.162] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0078.162] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd751ea61, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd751ea61, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dd3053, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Store%4Operational.evtx", cAlternateFileName="MICEDD~1.EVT")) returned 1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2=".") returned 1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="..") returned 1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="...") returned 1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="windows") returned -1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="rsa") returned -1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="ntldr") returned -1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="IO.SYS") returned 1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="boot.ini") returned 1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="desktop.ini") returned 1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="RECYCLER") returned -1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="bootmgr") returned 1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="programdata") returned -1 [0078.162] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="appdata") returned 1 [0078.163] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="program files") returned -1 [0078.163] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="program files (x86)") returned -1 [0078.163] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="microsoft") returned 1 [0078.163] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="sophos") returned -1 [0078.163] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0078.163] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0078.163] PathFindExtensionW (pszPath="Microsoft-Windows-Store%4Operational.evtx") returned=".evtx" [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0078.163] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0078.163] lstrcmpiW (lpString1="Microsoft-Windows-Store%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0078.163] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0078.163] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0078.633] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0078.633] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0078.633] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0078.633] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0078.633] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0078.633] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0280 [0078.633] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0078.633] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0280*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0280*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0078.634] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0078.636] GetTickCount () returned 0x1154f55 [0078.636] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0078.636] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.636] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.636] SetLastError (dwErrCode=0x0) [0078.636] WriteFile (in: hFile=0x260, lpBuffer=0x29d0280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0280*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.637] GetLastError () returned 0x0 [0078.637] GetLastError () returned 0x0 [0078.637] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.637] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.637] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.637] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x29dc9e3e, dwHighDateTime=0x1d5f971)) [0078.637] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0078.637] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.637] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0078.637] GetProcessHeap () returned 0xbc0000 [0078.637] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0078.637] GetSystemDefaultLangID () returned 0xbd0409 [0078.637] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.637] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0078.643] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.643] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0078.643] GetProcessHeap () returned 0xbc0000 [0078.643] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0078.644] CloseHandle (hObject=0x260) returned 1 [0078.646] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0280 | out: hHeap=0x2680000) returned 1 [0078.646] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0078.646] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0078.646] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0078.646] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0078.646] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Store%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-store%4operational.evtx.nefilim")) returned 1 [0078.646] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0078.646] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0078.646] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd0763ff, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcd0763ff, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", cAlternateFileName="MIE2F0~1.EVT")) returned 1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2=".") returned 1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="..") returned 1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="...") returned 1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="windows") returned -1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="$RECYCLE.BIN") returned 1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="rsa") returned -1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="NTDETECT.COM") returned -1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="ntldr") returned -1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="MSDOS.SYS") returned -1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="IO.SYS") returned 1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="boot.ini") returned 1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="ntuser.dat") returned -1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="desktop.ini") returned 1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="CONFIG.SYS") returned 1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="RECYCLER") returned -1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="BOOTSECT.BAK") returned 1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="bootmgr") returned 1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="programdata") returned -1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="appdata") returned 1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="program files") returned -1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="program files (x86)") returned -1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="microsoft") returned 1 [0078.647] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="sophos") returned -1 [0078.647] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0078.647] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0078.647] PathFindExtensionW (pszPath="Microsoft-Windows-TaskScheduler%4Maintenance.evtx") returned=".evtx" [0078.647] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0078.647] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0078.647] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0078.647] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0078.647] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0078.647] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0078.647] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0078.647] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0078.648] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0078.648] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0078.648] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0078.648] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0078.648] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0078.648] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0078.648] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0078.648] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0078.648] lstrcmpiW (lpString1="Microsoft-Windows-TaskScheduler%4Maintenance.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0078.648] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0078.648] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0078.648] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0078.648] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0078.648] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0078.648] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0078.648] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0078.648] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0078.648] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0078.648] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0078.649] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0078.651] GetTickCount () returned 0x1154f64 [0078.651] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0078.651] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.651] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.651] SetLastError (dwErrCode=0x0) [0078.651] WriteFile (in: hFile=0x260, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.652] GetLastError () returned 0x0 [0078.652] GetLastError () returned 0x0 [0078.652] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.652] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.652] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.652] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x29deff4f, dwHighDateTime=0x1d5f971)) [0078.652] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0078.652] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.652] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0078.652] GetProcessHeap () returned 0xbc0000 [0078.652] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0078.652] GetSystemDefaultLangID () returned 0xbd0409 [0078.652] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.652] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0078.659] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.659] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0078.660] GetProcessHeap () returned 0xbc0000 [0078.660] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0078.660] CloseHandle (hObject=0x260) returned 1 [0078.672] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0078.672] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0078.672] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0078.672] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0078.672] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0078.673] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-taskscheduler%4maintenance.evtx.nefilim")) returned 1 [0078.673] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0078.673] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0078.673] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5089d037, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5089d037, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", cAlternateFileName="MIAB1D~1.EVT")) returned 1 [0078.673] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2=".") returned 1 [0078.673] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="..") returned 1 [0078.673] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="...") returned 1 [0078.673] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="windows") returned -1 [0078.673] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0078.673] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="rsa") returned -1 [0078.673] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0078.673] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="ntldr") returned -1 [0078.673] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0078.673] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="IO.SYS") returned 1 [0078.673] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="boot.ini") returned 1 [0078.674] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0078.674] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0078.674] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="desktop.ini") returned 1 [0078.674] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0078.674] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="RECYCLER") returned -1 [0078.674] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0078.674] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="bootmgr") returned 1 [0078.674] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="programdata") returned -1 [0078.674] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="appdata") returned 1 [0078.674] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="program files") returned -1 [0078.674] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="program files (x86)") returned -1 [0078.674] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="microsoft") returned 1 [0078.674] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="sophos") returned -1 [0078.674] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x26804b8 [0078.674] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0078.674] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx") returned=".evtx" [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0078.674] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0078.674] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0078.674] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268bd90 [0078.675] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0078.675] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0078.675] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e198 [0078.675] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0078.675] SystemFunction036 (in: RandomBuffer=0x268e198, RandomBufferLength=0x10 | out: RandomBuffer=0x268e198) returned 1 [0078.675] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0078.675] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0078.675] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0078.675] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0078.675] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0078.675] GetTickCount () returned 0x1154ff1 [0078.789] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2680560 [0078.789] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0078.789] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.789] SetLastError (dwErrCode=0x0) [0078.789] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.790] GetLastError () returned 0x0 [0078.790] GetLastError () returned 0x0 [0078.790] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.790] WriteFile (in: hFile=0x260, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.790] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.790] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x29f50318, dwHighDateTime=0x1d5f971)) [0078.790] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0078.791] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0078.791] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0078.791] GetProcessHeap () returned 0xbc0000 [0078.791] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0078.791] GetSystemDefaultLangID () returned 0xbd0409 [0078.791] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.791] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0078.795] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.795] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0078.795] GetProcessHeap () returned 0xbc0000 [0078.795] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0078.796] CloseHandle (hObject=0x260) returned 1 [0078.798] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0078.798] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0078.798] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e198 | out: hHeap=0x2680000) returned 1 [0078.798] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0078.798] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0078.798] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4admin.evtx.nefilim")) returned 1 [0078.799] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0078.799] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0078.799] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x508c32a6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x508c32a6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", cAlternateFileName="MI62D3~1.EVT")) returned 1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2=".") returned 1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="..") returned 1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="...") returned 1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="windows") returned -1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="rsa") returned -1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="ntldr") returned -1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="IO.SYS") returned 1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="boot.ini") returned 1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="desktop.ini") returned 1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="RECYCLER") returned -1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="bootmgr") returned 1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="programdata") returned -1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="appdata") returned 1 [0078.799] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="program files") returned -1 [0078.800] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="program files (x86)") returned -1 [0078.800] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="microsoft") returned 1 [0078.800] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="sophos") returned -1 [0078.800] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268bd90 [0078.800] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0078.800] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx") returned=".evtx" [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0078.800] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0078.800] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0078.800] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x26804b8 [0078.800] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0078.800] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0078.800] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0078.800] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0078.801] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0078.801] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0078.801] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0078.801] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0280 [0078.801] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0078.801] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0280*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0280*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0078.801] GetTickCount () returned 0x1154ff1 [0078.801] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2680570 [0078.801] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680570 | out: hHeap=0x2680000) returned 1 [0078.801] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.801] SetLastError (dwErrCode=0x0) [0078.801] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.802] GetLastError () returned 0x0 [0078.802] GetLastError () returned 0x0 [0078.802] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.802] WriteFile (in: hFile=0x260, lpBuffer=0x29d0280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0280*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.802] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.802] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x29f50318, dwHighDateTime=0x1d5f971)) [0078.802] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0078.803] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.803] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0078.803] GetProcessHeap () returned 0xbc0000 [0078.803] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbed610 [0078.803] GetSystemDefaultLangID () returned 0xbd0409 [0078.803] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.803] ReadFile (in: hFile=0x260, lpBuffer=0xbed610, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0078.811] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.811] WriteFile (in: hFile=0x260, lpBuffer=0xbed610*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbed610*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0078.811] GetProcessHeap () returned 0xbc0000 [0078.811] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbed610 | out: hHeap=0xbc0000) returned 1 [0078.811] CloseHandle (hObject=0x260) returned 1 [0078.815] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0078.815] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0280 | out: hHeap=0x2680000) returned 1 [0078.815] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0078.815] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0078.815] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e2e8 [0078.815] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-terminalservices-localsessionmanager%4operational.evtx.nefilim")) returned 1 [0078.816] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0078.816] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0078.816] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc14341c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc14341c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", cAlternateFileName="MIEC03~1.EVT")) returned 1 [0078.816] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2=".") returned 1 [0078.816] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="..") returned 1 [0078.816] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="...") returned 1 [0078.816] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="windows") returned -1 [0078.816] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="$RECYCLE.BIN") returned 1 [0078.816] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="rsa") returned -1 [0078.816] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="NTDETECT.COM") returned -1 [0078.816] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="ntldr") returned -1 [0078.816] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="MSDOS.SYS") returned -1 [0078.816] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="IO.SYS") returned 1 [0078.817] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="boot.ini") returned 1 [0078.817] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0078.817] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="ntuser.dat") returned -1 [0078.817] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="desktop.ini") returned 1 [0078.817] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="CONFIG.SYS") returned 1 [0078.817] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="RECYCLER") returned -1 [0078.817] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="BOOTSECT.BAK") returned 1 [0078.817] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="bootmgr") returned 1 [0078.817] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="programdata") returned -1 [0078.817] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="appdata") returned 1 [0078.817] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="program files") returned -1 [0078.817] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="program files (x86)") returned -1 [0078.817] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="microsoft") returned 1 [0078.817] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="sophos") returned -1 [0078.817] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x26804b8 [0078.817] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0078.817] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx") returned=".evtx" [0078.817] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0078.817] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0078.817] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0078.818] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0078.818] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0078.818] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0078.818] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0078.818] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0078.818] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0078.818] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0078.818] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0078.818] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0078.818] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0078.818] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0078.818] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0078.818] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0078.818] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0078.818] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268bd90 [0078.818] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0078.820] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0078.820] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0078.820] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0078.821] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0078.821] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0078.821] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0078.821] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0078.821] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0078.823] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0078.825] GetTickCount () returned 0x1155010 [0078.825] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2680560 [0078.825] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0078.825] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.825] SetLastError (dwErrCode=0x0) [0078.825] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.827] GetLastError () returned 0x0 [0078.827] GetLastError () returned 0x0 [0078.827] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.827] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.827] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.827] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x29f9c70a, dwHighDateTime=0x1d5f971)) [0078.827] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0078.828] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0078.828] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0078.828] GetProcessHeap () returned 0xbc0000 [0078.828] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbee618 [0078.828] GetSystemDefaultLangID () returned 0xbd0409 [0078.828] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.828] ReadFile (in: hFile=0x260, lpBuffer=0xbee618, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0078.835] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.835] WriteFile (in: hFile=0x260, lpBuffer=0xbee618*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0078.835] GetProcessHeap () returned 0xbc0000 [0078.835] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbee618 | out: hHeap=0xbc0000) returned 1 [0078.835] CloseHandle (hObject=0x260) returned 1 [0078.876] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0078.876] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0078.876] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0078.876] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0f0 | out: hHeap=0x2680000) returned 1 [0078.876] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0078.876] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4admin.evtx.nefilim")) returned 1 [0078.877] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0078.877] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0078.877] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcc1b5b23, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcc1b5b23, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", cAlternateFileName="MI1F5D~1.EVT")) returned 1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2=".") returned 1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="..") returned 1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="...") returned 1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="windows") returned -1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="rsa") returned -1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="ntldr") returned -1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="IO.SYS") returned 1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="boot.ini") returned 1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="desktop.ini") returned 1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0078.877] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="RECYCLER") returned -1 [0078.878] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0078.878] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="bootmgr") returned 1 [0078.878] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="programdata") returned -1 [0078.878] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="appdata") returned 1 [0078.878] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="program files") returned -1 [0078.878] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="program files (x86)") returned -1 [0078.878] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="microsoft") returned 1 [0078.878] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="sophos") returned -1 [0078.878] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268bd90 [0078.878] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0078.878] PathFindExtensionW (pszPath="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx") returned=".evtx" [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0078.878] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0078.878] lstrcmpiW (lpString1="Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0078.878] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x26804b8 [0078.878] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0078.881] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0078.881] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df40 [0078.881] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0078.881] SystemFunction036 (in: RandomBuffer=0x268df40, RandomBufferLength=0x10 | out: RandomBuffer=0x268df40) returned 1 [0078.881] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0078.881] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0078.881] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0078.881] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0078.881] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0078.883] GetTickCount () returned 0x115504f [0078.883] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2680570 [0078.883] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680570 | out: hHeap=0x2680000) returned 1 [0078.883] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.883] SetLastError (dwErrCode=0x0) [0078.883] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.884] GetLastError () returned 0x0 [0078.884] GetLastError () returned 0x0 [0078.884] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.884] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.884] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.884] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2a035117, dwHighDateTime=0x1d5f971)) [0078.884] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0078.884] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.884] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0078.884] GetProcessHeap () returned 0xbc0000 [0078.884] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbee618 [0078.885] GetSystemDefaultLangID () returned 0xbd0409 [0078.885] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.885] ReadFile (in: hFile=0x260, lpBuffer=0xbee618, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0078.890] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.890] WriteFile (in: hFile=0x260, lpBuffer=0xbee618*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0078.890] GetProcessHeap () returned 0xbc0000 [0078.890] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbee618 | out: hHeap=0xbc0000) returned 1 [0078.890] CloseHandle (hObject=0x260) returned 1 [0078.892] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0078.892] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0078.892] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df40 | out: hHeap=0x2680000) returned 1 [0078.892] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0078.892] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e2e8 [0078.892] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-terminalservices-remoteconnectionmanager%4operational.evtx.nefilim")) returned 1 [0078.893] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0078.893] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0078.893] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd74ac348, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd74ac348, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-TWinUI%4Operational.evtx", cAlternateFileName="MIA925~1.EVT")) returned 1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2=".") returned 1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="..") returned 1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="...") returned 1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="windows") returned -1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="rsa") returned -1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="ntldr") returned -1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="IO.SYS") returned 1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="boot.ini") returned 1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="desktop.ini") returned 1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="RECYCLER") returned -1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="bootmgr") returned 1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="programdata") returned -1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="appdata") returned 1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="program files") returned -1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="program files (x86)") returned -1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="microsoft") returned 1 [0078.893] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="sophos") returned -1 [0078.893] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be48 [0078.894] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0078.894] PathFindExtensionW (pszPath="Microsoft-Windows-TWinUI%4Operational.evtx") returned=".evtx" [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0078.894] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0078.894] lstrcmpiW (lpString1="Microsoft-Windows-TWinUI%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0078.894] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2681278 [0078.894] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0078.894] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0078.894] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0078.894] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0078.894] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0078.894] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0078.894] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0078.894] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0078.894] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0078.896] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0078.899] GetTickCount () returned 0x115505e [0078.899] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0078.899] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.899] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.899] SetLastError (dwErrCode=0x0) [0078.899] WriteFile (in: hFile=0x260, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.900] GetLastError () returned 0x0 [0078.900] GetLastError () returned 0x0 [0078.900] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.900] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.900] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.900] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2a05b3d5, dwHighDateTime=0x1d5f971)) [0078.901] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0078.901] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.901] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0078.901] GetProcessHeap () returned 0xbc0000 [0078.901] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbee618 [0078.901] GetSystemDefaultLangID () returned 0xbd0409 [0078.901] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.902] ReadFile (in: hFile=0x260, lpBuffer=0xbee618, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0078.906] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.906] WriteFile (in: hFile=0x260, lpBuffer=0xbee618*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0078.906] GetProcessHeap () returned 0xbc0000 [0078.907] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbee618 | out: hHeap=0xbc0000) returned 1 [0078.907] CloseHandle (hObject=0x260) returned 1 [0078.909] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0078.909] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0078.909] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0078.909] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0078.909] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0078.909] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-TWinUI%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-twinui%4operational.evtx.nefilim")) returned 1 [0078.992] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0078.992] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0078.992] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50aff605, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50aff605, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-User Profile Service%4Operational.evtx", cAlternateFileName="MI4D4C~1.EVT")) returned 1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2=".") returned 1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="..") returned 1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="...") returned 1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="windows") returned -1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="rsa") returned -1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="ntldr") returned -1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="IO.SYS") returned 1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="boot.ini") returned 1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="desktop.ini") returned 1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="RECYCLER") returned -1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="bootmgr") returned 1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="programdata") returned -1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="appdata") returned 1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="program files") returned -1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="program files (x86)") returned -1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="microsoft") returned 1 [0078.993] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="sophos") returned -1 [0078.993] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x2681278 [0078.993] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be48 | out: hHeap=0x2680000) returned 1 [0078.993] PathFindExtensionW (pszPath="Microsoft-Windows-User Profile Service%4Operational.evtx") returned=".evtx" [0078.993] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0078.993] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0078.993] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0078.993] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0078.993] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0078.994] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0078.994] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0078.994] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0078.994] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0078.994] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0078.994] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0078.994] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0078.994] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0078.994] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0078.994] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0078.994] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0078.994] lstrcmpiW (lpString1="Microsoft-Windows-User Profile Service%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0078.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x26804b8 [0078.994] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0078.994] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0078.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0078.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0078.994] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0078.994] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0078.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0078.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0280 [0078.994] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0078.996] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0280*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0280*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0078.997] GetTickCount () returned 0x11550bc [0078.997] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0078.997] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.997] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.997] SetLastError (dwErrCode=0x0) [0078.997] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.998] GetLastError () returned 0x0 [0078.998] GetLastError () returned 0x0 [0078.998] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.998] WriteFile (in: hFile=0x260, lpBuffer=0x29d0280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0280*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0078.998] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.998] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2a1401c1, dwHighDateTime=0x1d5f971)) [0078.998] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0078.998] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0078.998] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0078.998] GetProcessHeap () returned 0xbc0000 [0078.998] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbee618 [0078.998] GetSystemDefaultLangID () returned 0xbd0409 [0078.998] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0078.998] ReadFile (in: hFile=0x260, lpBuffer=0xbee618, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0079.003] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.003] WriteFile (in: hFile=0x260, lpBuffer=0xbee618*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0079.003] GetProcessHeap () returned 0xbc0000 [0079.003] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbee618 | out: hHeap=0xbc0000) returned 1 [0079.003] CloseHandle (hObject=0x260) returned 1 [0079.006] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0079.006] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0280 | out: hHeap=0x2680000) returned 1 [0079.006] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0079.006] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0079.006] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268bd90 [0079.006] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-User Profile Service%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-user profile service%4operational.evtx.nefilim")) returned 1 [0079.006] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0079.006] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0079.006] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50981e6e, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50981e6e, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-UserPnp%4ActionCenter.evtx", cAlternateFileName="MI5FF0~1.EVT")) returned 1 [0079.006] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2=".") returned 1 [0079.006] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="..") returned 1 [0079.006] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="...") returned 1 [0079.006] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="windows") returned -1 [0079.006] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="$RECYCLE.BIN") returned 1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="rsa") returned -1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="NTDETECT.COM") returned -1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="ntldr") returned -1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="MSDOS.SYS") returned -1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="IO.SYS") returned 1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="boot.ini") returned 1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="ntuser.dat") returned -1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="desktop.ini") returned 1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="CONFIG.SYS") returned 1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="RECYCLER") returned -1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="BOOTSECT.BAK") returned 1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="bootmgr") returned 1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="programdata") returned -1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="appdata") returned 1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="program files") returned -1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="program files (x86)") returned -1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="microsoft") returned 1 [0079.007] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="sophos") returned -1 [0079.007] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0079.007] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0079.007] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4ActionCenter.evtx") returned=".evtx" [0079.007] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0079.007] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0079.007] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0079.007] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0079.007] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0079.008] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0079.008] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0079.008] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0079.008] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0079.008] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0079.008] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0079.008] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0079.008] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0079.008] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0079.008] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0079.008] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0079.008] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4ActionCenter.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0079.008] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0079.008] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0079.008] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0079.008] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0079.008] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0079.008] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0079.008] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0079.008] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0079.008] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0079.008] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0079.009] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0079.011] GetTickCount () returned 0x11550cc [0079.011] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0079.011] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.011] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.011] SetLastError (dwErrCode=0x0) [0079.011] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.012] GetLastError () returned 0x0 [0079.012] GetLastError () returned 0x0 [0079.012] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.012] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.012] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.012] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2a166441, dwHighDateTime=0x1d5f971)) [0079.012] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0079.012] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.012] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0079.012] GetProcessHeap () returned 0xbc0000 [0079.012] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbee618 [0079.013] GetSystemDefaultLangID () returned 0xbd0409 [0079.013] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.013] ReadFile (in: hFile=0x260, lpBuffer=0xbee618, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0079.017] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.017] WriteFile (in: hFile=0x260, lpBuffer=0xbee618*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0079.017] GetProcessHeap () returned 0xbc0000 [0079.017] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbee618 | out: hHeap=0xbc0000) returned 1 [0079.018] CloseHandle (hObject=0x260) returned 1 [0079.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0079.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0079.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0079.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0079.019] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0079.019] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4ActionCenter.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-userpnp%4actioncenter.evtx.nefilim")) returned 1 [0079.020] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0079.020] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0079.020] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5095bc04, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x5095bc04, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", cAlternateFileName="MIBD88~1.EVT")) returned 1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2=".") returned 1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="..") returned 1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="...") returned 1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="windows") returned -1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="$RECYCLE.BIN") returned 1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="rsa") returned -1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="NTDETECT.COM") returned -1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="ntldr") returned -1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="MSDOS.SYS") returned -1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="IO.SYS") returned 1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="boot.ini") returned 1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="ntuser.dat") returned -1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="desktop.ini") returned 1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="CONFIG.SYS") returned 1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="RECYCLER") returned -1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="BOOTSECT.BAK") returned 1 [0079.020] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="bootmgr") returned 1 [0079.021] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="programdata") returned -1 [0079.021] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="appdata") returned 1 [0079.021] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="program files") returned -1 [0079.021] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="program files (x86)") returned -1 [0079.021] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="microsoft") returned 1 [0079.021] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="sophos") returned -1 [0079.021] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0079.021] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0079.021] PathFindExtensionW (pszPath="Microsoft-Windows-UserPnp%4DeviceInstall.evtx") returned=".evtx" [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0079.021] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0079.021] lstrcmpiW (lpString1="Microsoft-Windows-UserPnp%4DeviceInstall.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0079.021] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0079.021] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0079.022] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0079.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0079.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0079.022] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0079.022] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0079.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0079.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0079.022] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0079.022] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0079.023] GetTickCount () returned 0x11550db [0079.023] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0079.023] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.023] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.023] SetLastError (dwErrCode=0x0) [0079.023] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.024] GetLastError () returned 0x0 [0079.024] GetLastError () returned 0x0 [0079.024] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.024] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.024] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.024] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2a18c636, dwHighDateTime=0x1d5f971)) [0079.025] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0079.025] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.025] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0079.025] GetProcessHeap () returned 0xbc0000 [0079.025] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbee618 [0079.025] GetSystemDefaultLangID () returned 0xbd0409 [0079.025] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.025] ReadFile (in: hFile=0x260, lpBuffer=0xbee618, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0079.080] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.080] WriteFile (in: hFile=0x260, lpBuffer=0xbee618*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0079.080] GetProcessHeap () returned 0xbc0000 [0079.080] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbee618 | out: hHeap=0xbc0000) returned 1 [0079.080] CloseHandle (hObject=0x260) returned 1 [0079.082] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0079.082] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0079.082] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0079.082] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0079.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0079.082] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-userpnp%4deviceinstall.evtx.nefilim")) returned 1 [0079.083] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0079.083] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0079.083] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50b97f64, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50b97f64, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", cAlternateFileName="MICC17~1.EVT")) returned 1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2=".") returned 1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="..") returned 1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="...") returned 1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="windows") returned -1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="rsa") returned -1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="ntldr") returned -1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="IO.SYS") returned 1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="boot.ini") returned 1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="desktop.ini") returned 1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="RECYCLER") returned -1 [0079.083] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0079.084] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="bootmgr") returned 1 [0079.084] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="programdata") returned -1 [0079.084] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="appdata") returned 1 [0079.084] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="program files") returned -1 [0079.084] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="program files (x86)") returned -1 [0079.084] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="microsoft") returned 1 [0079.084] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="sophos") returned -1 [0079.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x2681278 [0079.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0079.084] PathFindExtensionW (pszPath="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx") returned=".evtx" [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0079.084] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0079.084] lstrcmpiW (lpString1="Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0079.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x26804b8 [0079.084] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0079.085] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0079.085] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0079.085] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0079.085] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0079.085] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0079.085] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0079.085] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0079.085] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0079.087] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0079.088] GetTickCount () returned 0x115511a [0079.088] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0079.088] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.088] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.088] SetLastError (dwErrCode=0x0) [0079.088] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.089] GetLastError () returned 0x0 [0079.089] GetLastError () returned 0x0 [0079.089] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.089] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.089] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.089] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2a224f09, dwHighDateTime=0x1d5f971)) [0079.089] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0079.089] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.089] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0079.089] GetProcessHeap () returned 0xbc0000 [0079.089] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbee618 [0079.089] GetSystemDefaultLangID () returned 0xbd0409 [0079.089] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.089] ReadFile (in: hFile=0x260, lpBuffer=0xbee618, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0079.094] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.094] WriteFile (in: hFile=0x260, lpBuffer=0xbee618*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0079.094] GetProcessHeap () returned 0xbc0000 [0079.094] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbee618 | out: hHeap=0xbc0000) returned 1 [0079.094] CloseHandle (hObject=0x260) returned 1 [0079.096] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0079.096] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0079.096] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0079.096] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0079.096] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268bd90 [0079.096] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-volumesnapshot-driver%4operational.evtx.nefilim")) returned 1 [0079.097] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0079.097] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0079.097] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc986efe1, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc986efe1, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Wcmsvc%4Operational.evtx", cAlternateFileName="MI72BF~1.EVT")) returned 1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2=".") returned 1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="..") returned 1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="...") returned 1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="windows") returned -1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="rsa") returned -1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="ntldr") returned -1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="IO.SYS") returned 1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="boot.ini") returned 1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="desktop.ini") returned 1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="RECYCLER") returned -1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="bootmgr") returned 1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="programdata") returned -1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="appdata") returned 1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="program files") returned -1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="program files (x86)") returned -1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="microsoft") returned 1 [0079.097] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="sophos") returned -1 [0079.097] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0079.098] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0079.098] PathFindExtensionW (pszPath="Microsoft-Windows-Wcmsvc%4Operational.evtx") returned=".evtx" [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0079.098] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0079.098] lstrcmpiW (lpString1="Microsoft-Windows-Wcmsvc%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0079.098] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0079.098] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0079.098] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0079.098] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0079.098] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0079.098] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0079.098] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0079.098] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0079.098] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0079.098] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0079.099] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0079.099] GetTickCount () returned 0x115511a [0079.099] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0079.099] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.099] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.099] SetLastError (dwErrCode=0x0) [0079.099] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.101] GetLastError () returned 0x0 [0079.101] GetLastError () returned 0x0 [0079.101] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.101] WriteFile (in: hFile=0x260, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.101] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.101] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2a24b26e, dwHighDateTime=0x1d5f971)) [0079.101] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0079.102] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.102] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0079.102] GetProcessHeap () returned 0xbc0000 [0079.102] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbee618 [0079.102] GetSystemDefaultLangID () returned 0xbd0409 [0079.102] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.102] ReadFile (in: hFile=0x260, lpBuffer=0xbee618, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0079.106] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.106] WriteFile (in: hFile=0x260, lpBuffer=0xbee618*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0079.106] GetProcessHeap () returned 0xbc0000 [0079.106] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbee618 | out: hHeap=0xbc0000) returned 1 [0079.106] CloseHandle (hObject=0x260) returned 1 [0079.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0079.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0079.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0079.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0079.108] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0079.108] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Wcmsvc%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-wcmsvc%4operational.evtx.nefilim")) returned 1 [0079.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0079.109] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0079.109] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb426548, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb426548, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Windows Defender%4Operational.evtx", cAlternateFileName="MI7501~1.EVT")) returned 1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2=".") returned 1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="..") returned 1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="...") returned 1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="windows") returned -1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="rsa") returned -1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="ntldr") returned -1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="IO.SYS") returned 1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="boot.ini") returned 1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="desktop.ini") returned 1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="RECYCLER") returned -1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="bootmgr") returned 1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="programdata") returned -1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="appdata") returned 1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="program files") returned -1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="program files (x86)") returned -1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="microsoft") returned 1 [0079.109] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="sophos") returned -1 [0079.109] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0079.109] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0079.109] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4Operational.evtx") returned=".evtx" [0079.109] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0079.109] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0079.109] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0079.109] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0079.109] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0079.109] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0079.110] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0079.110] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0079.110] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0079.110] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0079.110] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0079.110] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0079.110] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0079.110] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0079.110] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0079.110] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0079.110] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0079.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0079.110] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0079.110] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0079.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0079.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0079.110] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0079.110] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0079.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0079.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0079.110] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0079.112] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0079.113] GetTickCount () returned 0x115512a [0079.113] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0079.113] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.113] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.113] SetLastError (dwErrCode=0x0) [0079.113] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.114] GetLastError () returned 0x0 [0079.114] GetLastError () returned 0x0 [0079.114] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.114] WriteFile (in: hFile=0x260, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.114] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.114] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2a24b26e, dwHighDateTime=0x1d5f971)) [0079.114] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0079.114] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.114] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0079.114] GetProcessHeap () returned 0xbc0000 [0079.114] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbee618 [0079.114] GetSystemDefaultLangID () returned 0xbd0409 [0079.114] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.114] ReadFile (in: hFile=0x260, lpBuffer=0xbee618, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0079.152] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.153] WriteFile (in: hFile=0x260, lpBuffer=0xbee618*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0079.153] GetProcessHeap () returned 0xbc0000 [0079.153] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbee618 | out: hHeap=0xbc0000) returned 1 [0079.153] CloseHandle (hObject=0x260) returned 1 [0079.155] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0079.155] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0079.155] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0079.155] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0079.155] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0079.155] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-windows defender%4operational.evtx.nefilim")) returned 1 [0079.155] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0079.155] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0079.156] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb4729e7, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcb4729e7, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Windows Defender%4WHC.evtx", cAlternateFileName="MIF226~1.EVT")) returned 1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2=".") returned 1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="..") returned 1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="...") returned 1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="windows") returned -1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="$RECYCLE.BIN") returned 1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="rsa") returned -1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="NTDETECT.COM") returned -1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="ntldr") returned -1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="MSDOS.SYS") returned -1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="IO.SYS") returned 1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="boot.ini") returned 1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="ntuser.dat") returned -1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="desktop.ini") returned 1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="CONFIG.SYS") returned 1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="RECYCLER") returned -1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="BOOTSECT.BAK") returned 1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="bootmgr") returned 1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="programdata") returned -1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="appdata") returned 1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="program files") returned -1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="program files (x86)") returned -1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="microsoft") returned 1 [0079.156] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="sophos") returned -1 [0079.156] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0079.156] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0079.156] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Defender%4WHC.evtx") returned=".evtx" [0079.156] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0079.156] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0079.156] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0079.156] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0079.156] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0079.156] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0079.157] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0079.157] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0079.157] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0079.157] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0079.157] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0079.157] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0079.157] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0079.157] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0079.157] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0079.157] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0079.157] lstrcmpiW (lpString1="Microsoft-Windows-Windows Defender%4WHC.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0079.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0079.157] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0079.157] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0079.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0079.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0079.157] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0079.157] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0079.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0079.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0079.157] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0079.157] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0079.158] GetTickCount () returned 0x1155158 [0079.158] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0079.158] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.158] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.158] SetLastError (dwErrCode=0x0) [0079.158] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.159] GetLastError () returned 0x0 [0079.159] GetLastError () returned 0x0 [0079.159] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.159] WriteFile (in: hFile=0x260, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.160] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.160] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2a2bdaa9, dwHighDateTime=0x1d5f971)) [0079.160] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0079.160] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.160] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0079.160] GetProcessHeap () returned 0xbc0000 [0079.160] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbee618 [0079.160] GetSystemDefaultLangID () returned 0xbd0409 [0079.160] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.160] ReadFile (in: hFile=0x260, lpBuffer=0xbee618, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0079.164] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.164] WriteFile (in: hFile=0x260, lpBuffer=0xbee618*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0079.165] GetProcessHeap () returned 0xbc0000 [0079.165] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbee618 | out: hHeap=0xbc0000) returned 1 [0079.165] CloseHandle (hObject=0x260) returned 1 [0079.166] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0079.166] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0079.166] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0079.166] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0079.166] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0079.167] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Defender%4WHC.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-windows defender%4whc.evtx.nefilim")) returned 1 [0079.167] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0079.167] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0079.167] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd4b19353, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd4b19353, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", cAlternateFileName="MIDCC7~1.EVT")) returned 1 [0079.167] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2=".") returned 1 [0079.167] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="..") returned 1 [0079.167] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="...") returned 1 [0079.167] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="windows") returned -1 [0079.167] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="$RECYCLE.BIN") returned 1 [0079.167] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="rsa") returned -1 [0079.167] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="NTDETECT.COM") returned -1 [0079.167] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="ntldr") returned -1 [0079.167] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="MSDOS.SYS") returned -1 [0079.167] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="IO.SYS") returned 1 [0079.167] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="boot.ini") returned 1 [0079.167] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0079.167] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="ntuser.dat") returned -1 [0079.167] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="desktop.ini") returned 1 [0079.167] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="CONFIG.SYS") returned 1 [0079.168] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="RECYCLER") returned -1 [0079.168] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="BOOTSECT.BAK") returned 1 [0079.168] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="bootmgr") returned 1 [0079.168] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="programdata") returned -1 [0079.168] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="appdata") returned 1 [0079.168] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="program files") returned -1 [0079.168] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="program files (x86)") returned -1 [0079.168] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="microsoft") returned 1 [0079.168] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="sophos") returned -1 [0079.168] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268bd90 [0079.168] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0079.168] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx") returned=".evtx" [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0079.168] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0079.168] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0079.168] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x26804b8 [0079.168] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0079.169] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0079.169] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0079.169] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0079.169] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0079.169] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0079.169] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0079.169] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0079.169] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0079.169] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0079.170] GetTickCount () returned 0x1155168 [0079.170] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0079.170] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.170] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.170] SetLastError (dwErrCode=0x0) [0079.170] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.171] GetLastError () returned 0x0 [0079.171] GetLastError () returned 0x0 [0079.171] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.171] WriteFile (in: hFile=0x260, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.171] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.172] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2a2e3d5f, dwHighDateTime=0x1d5f971)) [0079.172] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0079.172] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.172] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0079.172] GetProcessHeap () returned 0xbc0000 [0079.172] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbee618 [0079.173] GetSystemDefaultLangID () returned 0xbd0409 [0079.173] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.173] ReadFile (in: hFile=0x260, lpBuffer=0xbee618, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0079.177] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.177] WriteFile (in: hFile=0x260, lpBuffer=0xbee618*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0079.178] GetProcessHeap () returned 0xbc0000 [0079.178] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbee618 | out: hHeap=0xbc0000) returned 1 [0079.178] CloseHandle (hObject=0x260) returned 1 [0079.180] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0079.180] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0079.180] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0079.180] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0079.180] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd0) returned 0x268e2e8 [0079.180] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4connectionsecurity.evtx.nefilim")) returned 1 [0079.180] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0079.180] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0079.180] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9c9b1b6, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9c9b1b6, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", cAlternateFileName="MI7771~1.EVT")) returned 1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2=".") returned 1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="..") returned 1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="...") returned 1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="windows") returned -1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="$RECYCLE.BIN") returned 1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="rsa") returned -1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="NTDETECT.COM") returned -1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="ntldr") returned -1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="MSDOS.SYS") returned -1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="IO.SYS") returned 1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="boot.ini") returned 1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="ntuser.dat") returned -1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="desktop.ini") returned 1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="CONFIG.SYS") returned 1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="RECYCLER") returned -1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="BOOTSECT.BAK") returned 1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="bootmgr") returned 1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="programdata") returned -1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="appdata") returned 1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="program files") returned -1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="program files (x86)") returned -1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="microsoft") returned 1 [0079.181] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="sophos") returned -1 [0079.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x26804b8 [0079.181] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0079.181] PathFindExtensionW (pszPath="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx") returned=".evtx" [0079.181] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0079.181] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0079.181] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0079.181] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0079.181] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0079.182] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0079.182] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0079.182] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0079.182] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0079.182] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0079.182] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0079.182] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0079.182] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0079.182] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0079.182] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0079.182] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0079.182] lstrcmpiW (lpString1="Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0079.182] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268bd90 [0079.182] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0079.183] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=1052672) returned 1 [0079.183] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0079.183] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0079.183] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0079.183] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0079.183] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0079.183] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0079.183] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0079.184] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0079.185] GetTickCount () returned 0x1155178 [0079.185] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2680570 [0079.185] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680570 | out: hHeap=0x2680000) returned 1 [0079.185] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.185] SetLastError (dwErrCode=0x0) [0079.185] WriteFile (in: hFile=0x260, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.186] GetLastError () returned 0x0 [0079.186] GetLastError () returned 0x0 [0079.186] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.186] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.187] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.187] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2a30afc7, dwHighDateTime=0x1d5f971)) [0079.187] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0079.187] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.187] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0079.187] GetProcessHeap () returned 0xbc0000 [0079.187] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x101000) returned 0x2ced020 [0079.189] GetSystemDefaultLangID () returned 0xbd0409 [0079.189] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.189] ReadFile (in: hFile=0x260, lpBuffer=0x2ced020, nNumberOfBytesToRead=0x101000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0x2ced020*, lpNumberOfBytesRead=0x25bf15c*=0x101000, lpOverlapped=0x0) returned 1 [0079.877] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.877] WriteFile (in: hFile=0x260, lpBuffer=0x2ced020*, nNumberOfBytesToWrite=0x101000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2ced020*, lpNumberOfBytesWritten=0x25bf150*=0x101000, lpOverlapped=0x0) returned 1 [0079.882] GetProcessHeap () returned 0xbc0000 [0079.882] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0x2ced020 | out: hHeap=0xbc0000) returned 1 [0079.887] CloseHandle (hObject=0x260) returned 1 [0079.951] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0079.951] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0079.951] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0079.951] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0079.951] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e2e8 [0079.951] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-windows firewall with advanced security%4firewall.evtx.nefilim")) returned 1 [0079.952] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0079.952] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0079.952] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc9df26e9, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xc9df26e9, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1dace07, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", cAlternateFileName="MI4667~1.EVT")) returned 1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2=".") returned 1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="..") returned 1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="...") returned 1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="windows") returned -1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="$RECYCLE.BIN") returned 1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="rsa") returned -1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="NTDETECT.COM") returned -1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="ntldr") returned -1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="MSDOS.SYS") returned -1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="IO.SYS") returned 1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="boot.ini") returned 1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="ntuser.dat") returned -1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="desktop.ini") returned 1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="CONFIG.SYS") returned 1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="RECYCLER") returned -1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="BOOTSECT.BAK") returned 1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="bootmgr") returned 1 [0079.952] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="programdata") returned -1 [0079.953] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="appdata") returned 1 [0079.953] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="program files") returned -1 [0079.953] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="program files (x86)") returned -1 [0079.953] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="microsoft") returned 1 [0079.953] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="sophos") returned -1 [0079.953] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x2681278 [0079.953] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0079.953] PathFindExtensionW (pszPath="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx") returned=".evtx" [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0079.953] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0079.953] lstrcmpiW (lpString1="Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0079.953] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x26804b8 [0079.953] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0079.953] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0079.954] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0079.954] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0079.954] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0079.954] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0079.954] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0079.954] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0079.954] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0079.954] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0079.955] GetTickCount () returned 0x1155475 [0079.955] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0079.955] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.955] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.955] SetLastError (dwErrCode=0x0) [0079.955] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.956] GetLastError () returned 0x0 [0079.956] GetLastError () returned 0x0 [0079.956] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.956] WriteFile (in: hFile=0x260, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.956] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.956] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2aa57353, dwHighDateTime=0x1d5f971)) [0079.957] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0079.957] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.957] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0079.957] GetProcessHeap () returned 0xbc0000 [0079.957] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbee618 [0079.958] GetSystemDefaultLangID () returned 0xbd0409 [0079.958] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.958] ReadFile (in: hFile=0x260, lpBuffer=0xbee618, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0079.963] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.963] WriteFile (in: hFile=0x260, lpBuffer=0xbee618*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0079.963] GetProcessHeap () returned 0xbc0000 [0079.963] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbee618 | out: hHeap=0xbc0000) returned 1 [0079.963] CloseHandle (hObject=0x260) returned 1 [0079.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0079.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0079.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0079.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0079.965] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268bd90 [0079.965] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-wininet-config%4proxyconfigchanged.evtx.nefilim")) returned 1 [0079.966] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0079.966] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0079.966] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd122d184, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xd122d184, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-Winlogon%4Operational.evtx", cAlternateFileName="MID6AB~1.EVT")) returned 1 [0079.966] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2=".") returned 1 [0079.966] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="..") returned 1 [0079.966] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="...") returned 1 [0079.966] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="windows") returned -1 [0079.966] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0079.966] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="rsa") returned -1 [0079.966] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0079.966] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="ntldr") returned -1 [0079.966] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0079.966] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="IO.SYS") returned 1 [0079.966] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="boot.ini") returned 1 [0079.966] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0079.966] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0079.967] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="desktop.ini") returned 1 [0079.967] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0079.967] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="RECYCLER") returned -1 [0079.967] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0079.967] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="bootmgr") returned 1 [0079.967] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="programdata") returned -1 [0079.967] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="appdata") returned 1 [0079.967] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="program files") returned -1 [0079.967] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="program files (x86)") returned -1 [0079.967] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="microsoft") returned 1 [0079.967] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="sophos") returned -1 [0079.967] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0079.967] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0079.967] PathFindExtensionW (pszPath="Microsoft-Windows-Winlogon%4Operational.evtx") returned=".evtx" [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0079.967] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0079.967] lstrcmpiW (lpString1="Microsoft-Windows-Winlogon%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0079.967] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0079.967] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0079.968] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0079.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0079.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0079.968] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0079.968] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0079.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0079.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0079.968] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0079.969] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0079.970] GetTickCount () returned 0x1155485 [0079.970] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0079.970] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.970] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.970] SetLastError (dwErrCode=0x0) [0079.970] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.971] GetLastError () returned 0x0 [0079.971] GetLastError () returned 0x0 [0079.971] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.971] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.971] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.971] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2aa7d450, dwHighDateTime=0x1d5f971)) [0079.971] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0079.972] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.972] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0079.972] GetProcessHeap () returned 0xbc0000 [0079.972] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbee618 [0079.972] GetSystemDefaultLangID () returned 0xbd0409 [0079.972] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.972] ReadFile (in: hFile=0x260, lpBuffer=0xbee618, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0079.977] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.977] WriteFile (in: hFile=0x260, lpBuffer=0xbee618*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0079.977] GetProcessHeap () returned 0xbc0000 [0079.977] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbee618 | out: hHeap=0xbc0000) returned 1 [0079.977] CloseHandle (hObject=0x260) returned 1 [0079.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0079.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0079.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0079.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0079.979] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0079.979] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-Winlogon%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-winlogon%4operational.evtx.nefilim")) returned 1 [0079.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0079.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0079.980] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf164b9b, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0xcf164b9b, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x101000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Microsoft-Windows-WMI-Activity%4Operational.evtx", cAlternateFileName="MIFF83~1.EVT")) returned 1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2=".") returned 1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="..") returned 1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="...") returned 1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="windows") returned -1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="$RECYCLE.BIN") returned 1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="rsa") returned -1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="NTDETECT.COM") returned -1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="ntldr") returned -1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="MSDOS.SYS") returned -1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="IO.SYS") returned 1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="boot.ini") returned 1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="ntuser.dat") returned -1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="desktop.ini") returned 1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="CONFIG.SYS") returned 1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="RECYCLER") returned -1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="BOOTSECT.BAK") returned 1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="bootmgr") returned 1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="programdata") returned -1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="appdata") returned 1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="program files") returned -1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="program files (x86)") returned -1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="microsoft") returned 1 [0079.980] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="sophos") returned -1 [0079.980] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2681278 [0079.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0079.980] PathFindExtensionW (pszPath="Microsoft-Windows-WMI-Activity%4Operational.evtx") returned=".evtx" [0079.980] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0079.980] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0079.980] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0079.980] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0079.980] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0079.981] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0079.981] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0079.981] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0079.981] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0079.981] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0079.981] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0079.981] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0079.981] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0079.981] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0079.981] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0079.981] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0079.981] lstrcmpiW (lpString1="Microsoft-Windows-WMI-Activity%4Operational.evtx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0079.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0079.981] CreateFileW (lpFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0079.981] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=1052672) returned 1 [0079.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0079.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0079.981] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0079.981] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0079.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0079.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0280 [0079.981] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0079.981] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0280*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0280*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0079.983] GetTickCount () returned 0x1155495 [0079.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0079.983] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.983] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.983] SetLastError (dwErrCode=0x0) [0079.983] WriteFile (in: hFile=0x260, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.984] GetLastError () returned 0x0 [0079.984] GetLastError () returned 0x0 [0079.984] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.984] WriteFile (in: hFile=0x260, lpBuffer=0x29d0280*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0280*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0079.984] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x101200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.984] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2aaa3824, dwHighDateTime=0x1d5f971)) [0079.984] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0079.984] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0079.984] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0079.984] GetProcessHeap () returned 0xbc0000 [0079.984] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x101000) returned 0x2cee020 [0079.987] GetSystemDefaultLangID () returned 0xbd0409 [0079.987] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0079.987] ReadFile (in: hFile=0x260, lpBuffer=0x2cee020, nNumberOfBytesToRead=0x101000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0x2cee020*, lpNumberOfBytesRead=0x25bf15c*=0x101000, lpOverlapped=0x0) returned 1 [0080.135] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.135] WriteFile (in: hFile=0x260, lpBuffer=0x2cee020*, nNumberOfBytesToWrite=0x101000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2cee020*, lpNumberOfBytesWritten=0x25bf150*=0x101000, lpOverlapped=0x0) returned 1 [0080.137] GetProcessHeap () returned 0xbc0000 [0080.137] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0x2cee020 | out: hHeap=0xbc0000) returned 1 [0080.142] CloseHandle (hObject=0x260) returned 1 [0080.159] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0080.159] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0280 | out: hHeap=0x2680000) returned 1 [0080.159] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0080.159] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0080.159] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0080.159] MoveFileW (lpExistingFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx"), lpNewFileName="C:\\Logs\\Microsoft-Windows-WMI-Activity%4Operational.evtx.NEFILIM" (normalized: "c:\\logs\\microsoft-windows-wmi-activity%4operational.evtx.nefilim")) returned 1 [0080.160] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0080.160] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0080.160] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xf9a458f4, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Security.evtx", cAlternateFileName="SECURI~1.EVT")) returned 1 [0080.160] lstrcmpiW (lpString1="Security.evtx", lpString2=".") returned 1 [0080.160] lstrcmpiW (lpString1="Security.evtx", lpString2="..") returned 1 [0080.160] lstrcmpiW (lpString1="Security.evtx", lpString2="...") returned 1 [0080.160] lstrcmpiW (lpString1="Security.evtx", lpString2="windows") returned -1 [0080.160] lstrcmpiW (lpString1="Security.evtx", lpString2="$RECYCLE.BIN") returned 1 [0080.160] lstrcmpiW (lpString1="Security.evtx", lpString2="rsa") returned 1 [0080.160] lstrcmpiW (lpString1="Security.evtx", lpString2="NTDETECT.COM") returned 1 [0080.160] lstrcmpiW (lpString1="Security.evtx", lpString2="ntldr") returned 1 [0080.160] lstrcmpiW (lpString1="Security.evtx", lpString2="MSDOS.SYS") returned 1 [0080.160] lstrcmpiW (lpString1="Security.evtx", lpString2="IO.SYS") returned 1 [0080.160] lstrcmpiW (lpString1="Security.evtx", lpString2="boot.ini") returned 1 [0080.160] lstrcmpiW (lpString1="Security.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0080.160] lstrcmpiW (lpString1="Security.evtx", lpString2="ntuser.dat") returned 1 [0080.161] lstrcmpiW (lpString1="Security.evtx", lpString2="desktop.ini") returned 1 [0080.161] lstrcmpiW (lpString1="Security.evtx", lpString2="CONFIG.SYS") returned 1 [0080.161] lstrcmpiW (lpString1="Security.evtx", lpString2="RECYCLER") returned 1 [0080.161] lstrcmpiW (lpString1="Security.evtx", lpString2="BOOTSECT.BAK") returned 1 [0080.161] lstrcmpiW (lpString1="Security.evtx", lpString2="bootmgr") returned 1 [0080.161] lstrcmpiW (lpString1="Security.evtx", lpString2="programdata") returned 1 [0080.161] lstrcmpiW (lpString1="Security.evtx", lpString2="appdata") returned 1 [0080.161] lstrcmpiW (lpString1="Security.evtx", lpString2="program files") returned 1 [0080.161] lstrcmpiW (lpString1="Security.evtx", lpString2="program files (x86)") returned 1 [0080.161] lstrcmpiW (lpString1="Security.evtx", lpString2="microsoft") returned 1 [0080.161] lstrcmpiW (lpString1="Security.evtx", lpString2="sophos") returned -1 [0080.161] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0080.161] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0080.161] PathFindExtensionW (pszPath="Security.evtx") returned=".evtx" [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0080.161] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0080.161] lstrcmpiW (lpString1="Security.evtx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0080.161] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681278 [0080.161] CreateFileW (lpFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0080.162] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=1118208) returned 1 [0080.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0080.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0080.162] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0080.162] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0080.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0080.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0080.162] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0080.163] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0080.353] GetTickCount () returned 0x115560c [0080.353] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812b0 [0080.353] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812b0 | out: hHeap=0x2680000) returned 1 [0080.353] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.353] SetLastError (dwErrCode=0x0) [0080.353] WriteFile (in: hFile=0x260, lpBuffer=0x29d1930*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1930*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0080.354] GetLastError () returned 0x0 [0080.354] GetLastError () returned 0x0 [0080.355] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.355] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0080.355] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.355] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2ae36f20, dwHighDateTime=0x1d5f971)) [0080.355] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812b0 [0080.355] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812b0 | out: hHeap=0x2680000) returned 1 [0080.355] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0080.355] GetProcessHeap () returned 0xbc0000 [0080.355] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x111000) returned 0x2ced020 [0080.358] GetSystemDefaultLangID () returned 0xbd0409 [0080.358] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.358] ReadFile (in: hFile=0x260, lpBuffer=0x2ced020, nNumberOfBytesToRead=0x111000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0x2ced020*, lpNumberOfBytesRead=0x25bf15c*=0x111000, lpOverlapped=0x0) returned 1 [0080.806] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.806] WriteFile (in: hFile=0x260, lpBuffer=0x2ced020*, nNumberOfBytesToWrite=0x111000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2ced020*, lpNumberOfBytesWritten=0x25bf150*=0x111000, lpOverlapped=0x0) returned 1 [0080.809] GetProcessHeap () returned 0xbc0000 [0080.809] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0x2ced020 | out: hHeap=0xbc0000) returned 1 [0080.814] CloseHandle (hObject=0x260) returned 1 [0080.881] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1930 | out: hHeap=0x2680000) returned 1 [0080.881] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0080.881] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0080.881] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0080.881] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812b0 [0080.881] MoveFileW (lpExistingFileName="C:\\Logs\\Security.evtx" (normalized: "c:\\logs\\security.evtx"), lpNewFileName="C:\\Logs\\Security.evtx.NEFILIM" (normalized: "c:\\logs\\security.evtx.nefilim")) returned 1 [0080.882] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812b0 | out: hHeap=0x2680000) returned 1 [0080.882] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0080.882] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95a6db2c, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x95a6db2c, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xa1d86ba0, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Setup.evtx", cAlternateFileName="SETUP~1.EVT")) returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2=".") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="..") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="...") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="windows") returned -1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="$RECYCLE.BIN") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="rsa") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="NTDETECT.COM") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="ntldr") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="MSDOS.SYS") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="IO.SYS") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="boot.ini") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="ntuser.dat") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="desktop.ini") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="CONFIG.SYS") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="RECYCLER") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="BOOTSECT.BAK") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="bootmgr") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="programdata") returned 1 [0080.882] lstrcmpiW (lpString1="Setup.evtx", lpString2="appdata") returned 1 [0080.883] lstrcmpiW (lpString1="Setup.evtx", lpString2="program files") returned 1 [0080.883] lstrcmpiW (lpString1="Setup.evtx", lpString2="program files (x86)") returned 1 [0080.883] lstrcmpiW (lpString1="Setup.evtx", lpString2="microsoft") returned 1 [0080.883] lstrcmpiW (lpString1="Setup.evtx", lpString2="sophos") returned -1 [0080.883] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681278 [0080.883] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0080.883] PathFindExtensionW (pszPath="Setup.evtx") returned=".evtx" [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0080.883] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0080.883] lstrcmpiW (lpString1="Setup.evtx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0080.883] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0080.883] CreateFileW (lpFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0080.883] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0080.884] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0080.884] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0080.884] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0080.884] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0080.884] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0cd0 [0080.884] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0080.884] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0cd0*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0cd0*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0080.886] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0080.887] GetTickCount () returned 0x115581f [0080.887] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812b0 [0080.887] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812b0 | out: hHeap=0x2680000) returned 1 [0080.887] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.887] SetLastError (dwErrCode=0x0) [0080.887] WriteFile (in: hFile=0x260, lpBuffer=0x29d0cd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0cd0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0080.888] GetLastError () returned 0x0 [0080.888] GetLastError () returned 0x0 [0080.888] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.888] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0080.888] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.888] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2b347f59, dwHighDateTime=0x1d5f971)) [0080.888] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812b0 [0080.888] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812b0 | out: hHeap=0x2680000) returned 1 [0080.888] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0080.888] GetProcessHeap () returned 0xbc0000 [0080.888] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbee618 [0080.888] GetSystemDefaultLangID () returned 0xbd0409 [0080.888] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.889] ReadFile (in: hFile=0x260, lpBuffer=0xbee618, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0080.893] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0080.893] WriteFile (in: hFile=0x260, lpBuffer=0xbee618*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0081.023] GetProcessHeap () returned 0xbc0000 [0081.023] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbee618 | out: hHeap=0xbc0000) returned 1 [0081.023] CloseHandle (hObject=0x260) returned 1 [0081.025] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0cd0 | out: hHeap=0x2680000) returned 1 [0081.025] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0081.025] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0081.025] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0081.025] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812b0 [0081.025] MoveFileW (lpExistingFileName="C:\\Logs\\Setup.evtx" (normalized: "c:\\logs\\setup.evtx"), lpNewFileName="C:\\Logs\\Setup.evtx.NEFILIM" (normalized: "c:\\logs\\setup.evtx.nefilim")) returned 1 [0081.026] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812b0 | out: hHeap=0x2680000) returned 1 [0081.026] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0081.026] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x505097c4, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x505097c4, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0xd96d7ac9, ftLastWriteTime.dwHighDateTime=0x1d1a04f, nFileSizeHigh=0x0, nFileSizeLow=0x111000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="System.evtx", cAlternateFileName="SYSTEM~1.EVT")) returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2=".") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="..") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="...") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="windows") returned -1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="$RECYCLE.BIN") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="rsa") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="NTDETECT.COM") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="ntldr") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="MSDOS.SYS") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="IO.SYS") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="boot.ini") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="ntuser.dat") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="desktop.ini") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="CONFIG.SYS") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="RECYCLER") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="BOOTSECT.BAK") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="bootmgr") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="programdata") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="appdata") returned 1 [0081.026] lstrcmpiW (lpString1="System.evtx", lpString2="program files") returned 1 [0081.027] lstrcmpiW (lpString1="System.evtx", lpString2="program files (x86)") returned 1 [0081.027] lstrcmpiW (lpString1="System.evtx", lpString2="microsoft") returned 1 [0081.027] lstrcmpiW (lpString1="System.evtx", lpString2="sophos") returned 1 [0081.027] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0081.027] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0081.027] PathFindExtensionW (pszPath="System.evtx") returned=".evtx" [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0081.027] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0081.027] lstrcmpiW (lpString1="System.evtx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0081.027] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681278 [0081.027] CreateFileW (lpFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0081.028] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=1118208) returned 1 [0081.028] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0081.028] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0081.028] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0081.028] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0081.028] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0081.028] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0081.028] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0081.029] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0081.029] GetTickCount () returned 0x11558ab [0081.029] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812b0 [0081.029] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812b0 | out: hHeap=0x2680000) returned 1 [0081.029] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.029] SetLastError (dwErrCode=0x0) [0081.029] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0081.030] GetLastError () returned 0x0 [0081.030] GetLastError () returned 0x0 [0081.030] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.030] WriteFile (in: hFile=0x260, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0081.030] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x111200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.030] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2b49f343, dwHighDateTime=0x1d5f971)) [0081.030] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812b0 [0081.030] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812b0 | out: hHeap=0x2680000) returned 1 [0081.030] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0081.030] GetProcessHeap () returned 0xbc0000 [0081.030] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x111000) returned 0x2cea020 [0081.033] GetSystemDefaultLangID () returned 0xbd0409 [0081.033] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.033] ReadFile (in: hFile=0x260, lpBuffer=0x2cea020, nNumberOfBytesToRead=0x111000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0x2cea020*, lpNumberOfBytesRead=0x25bf15c*=0x111000, lpOverlapped=0x0) returned 1 [0081.291] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.291] WriteFile (in: hFile=0x260, lpBuffer=0x2cea020*, nNumberOfBytesToWrite=0x111000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2cea020*, lpNumberOfBytesWritten=0x25bf150*=0x111000, lpOverlapped=0x0) returned 1 [0081.294] GetProcessHeap () returned 0xbc0000 [0081.294] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0x2cea020 | out: hHeap=0xbc0000) returned 1 [0081.299] CloseHandle (hObject=0x260) returned 1 [0081.742] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0081.742] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0081.742] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0081.742] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0081.742] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812b0 [0081.742] MoveFileW (lpExistingFileName="C:\\Logs\\System.evtx" (normalized: "c:\\logs\\system.evtx"), lpNewFileName="C:\\Logs\\System.evtx.NEFILIM" (normalized: "c:\\logs\\system.evtx.nefilim")) returned 1 [0081.743] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812b0 | out: hHeap=0x2680000) returned 1 [0081.743] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0081.743] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 1 [0081.743] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2=".") returned 1 [0081.743] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="..") returned 1 [0081.743] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="...") returned 1 [0081.743] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="windows") returned 1 [0081.743] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="$RECYCLE.BIN") returned 1 [0081.743] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="rsa") returned 1 [0081.743] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="NTDETECT.COM") returned 1 [0081.743] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="ntldr") returned 1 [0081.743] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="MSDOS.SYS") returned 1 [0081.743] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="IO.SYS") returned 1 [0081.743] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="boot.ini") returned 1 [0081.743] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="AUTOEXEC.BAT") returned 1 [0081.743] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="ntuser.dat") returned 1 [0081.743] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="desktop.ini") returned 1 [0081.744] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="CONFIG.SYS") returned 1 [0081.744] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="RECYCLER") returned 1 [0081.744] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="BOOTSECT.BAK") returned 1 [0081.744] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="bootmgr") returned 1 [0081.744] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="programdata") returned 1 [0081.744] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="appdata") returned 1 [0081.744] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="program files") returned 1 [0081.744] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="program files (x86)") returned 1 [0081.744] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="microsoft") returned 1 [0081.744] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="sophos") returned 1 [0081.744] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0081.744] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0081.744] PathFindExtensionW (pszPath="Windows PowerShell.evtx") returned=".evtx" [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".exe") returned -1 [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".log") returned -1 [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".cab") returned 1 [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".cmd") returned 1 [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".com") returned 1 [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".cpl") returned 1 [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".ini") returned -1 [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".dll") returned 1 [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".url") returned -1 [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".ttf") returned -1 [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".mp3") returned -1 [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".pif") returned -1 [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".mp4") returned -1 [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".NEFILIM") returned -1 [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".msi") returned -1 [0081.744] lstrcmpiW (lpString1=".evtx", lpString2=".lnk") returned -1 [0081.744] lstrcmpiW (lpString1="Windows PowerShell.evtx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0081.744] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0081.744] CreateFileW (lpFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0081.745] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=69632) returned 1 [0081.745] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0081.745] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e198 [0081.745] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0081.745] SystemFunction036 (in: RandomBuffer=0x268e198, RandomBufferLength=0x10 | out: RandomBuffer=0x268e198) returned 1 [0081.745] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0081.745] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0081.745] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0081.745] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0081.746] GetTickCount () returned 0x1155b7a [0081.746] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812c0 [0081.746] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0081.746] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.746] SetLastError (dwErrCode=0x0) [0081.746] WriteFile (in: hFile=0x260, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0081.747] GetLastError () returned 0x0 [0081.747] GetLastError () returned 0x0 [0081.747] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.747] WriteFile (in: hFile=0x260, lpBuffer=0x29d09b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d09b8*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0081.748] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x11200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.748] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2bb7a774, dwHighDateTime=0x1d5f971)) [0081.748] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0081.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0081.748] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0081.748] GetProcessHeap () returned 0xbc0000 [0081.748] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11000) returned 0xbee618 [0081.749] GetSystemDefaultLangID () returned 0xbd0409 [0081.749] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.749] ReadFile (in: hFile=0x260, lpBuffer=0xbee618, nNumberOfBytesToRead=0x11000, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesRead=0x25bf15c*=0x11000, lpOverlapped=0x0) returned 1 [0081.754] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.754] WriteFile (in: hFile=0x260, lpBuffer=0xbee618*, nNumberOfBytesToWrite=0x11000, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbee618*, lpNumberOfBytesWritten=0x25bf150*=0x11000, lpOverlapped=0x0) returned 1 [0081.754] GetProcessHeap () returned 0xbc0000 [0081.754] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbee618 | out: hHeap=0xbc0000) returned 1 [0081.754] CloseHandle (hObject=0x260) returned 1 [0081.756] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0081.756] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d09b8 | out: hHeap=0x2680000) returned 1 [0081.756] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e078 | out: hHeap=0x2680000) returned 1 [0081.756] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e198 | out: hHeap=0x2680000) returned 1 [0081.756] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0081.756] MoveFileW (lpExistingFileName="C:\\Logs\\Windows PowerShell.evtx" (normalized: "c:\\logs\\windows powershell.evtx"), lpNewFileName="C:\\Logs\\Windows PowerShell.evtx.NEFILIM" (normalized: "c:\\logs\\windows powershell.evtx.nefilim")) returned 1 [0081.757] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0081.757] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0081.757] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x50555c8d, ftCreationTime.dwHighDateTime=0x1d1a04e, ftLastAccessTime.dwLowDateTime=0x50555c8d, ftLastAccessTime.dwHighDateTime=0x1d1a04e, ftLastWriteTime.dwLowDateTime=0x95ae023d, ftLastWriteTime.dwHighDateTime=0x1d1a04e, nFileSizeHigh=0x0, nFileSizeLow=0x11000, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="Windows PowerShell.evtx", cAlternateFileName="WINDOW~1.EVT")) returned 0 [0081.757] FindClose (in: hFindFile=0xbe2348 | out: hFindFile=0xbe2348) returned 1 [0081.757] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0081.757] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0081.757] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0081.757] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x16fb7968, ftCreationTime.dwHighDateTime=0x1d5f971, ftLastAccessTime.dwLowDateTime=0x16fb7968, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x16fb7968, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x34e, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NEFILIM-DECRYPT.txt", cAlternateFileName="NEFILI~1.TXT")) returned 1 [0081.757] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2=".") returned 1 [0081.757] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="..") returned 1 [0081.757] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="...") returned 1 [0081.757] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="windows") returned -1 [0081.757] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="$RECYCLE.BIN") returned 1 [0081.757] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="rsa") returned -1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="NTDETECT.COM") returned -1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="ntldr") returned -1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="MSDOS.SYS") returned 1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="IO.SYS") returned 1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="boot.ini") returned 1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="AUTOEXEC.BAT") returned 1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="ntuser.dat") returned -1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="desktop.ini") returned 1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="CONFIG.SYS") returned 1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="RECYCLER") returned -1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="BOOTSECT.BAK") returned 1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="bootmgr") returned 1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="programdata") returned -1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="appdata") returned 1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="program files") returned -1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="program files (x86)") returned -1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="microsoft") returned 1 [0081.758] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="sophos") returned -1 [0081.758] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0081.758] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0081.758] PathFindExtensionW (pszPath="NEFILIM-DECRYPT.txt") returned=".txt" [0081.758] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0081.758] lstrcmpiW (lpString1=".txt", lpString2=".log") returned 1 [0081.758] lstrcmpiW (lpString1=".txt", lpString2=".cab") returned 1 [0081.758] lstrcmpiW (lpString1=".txt", lpString2=".cmd") returned 1 [0081.758] lstrcmpiW (lpString1=".txt", lpString2=".com") returned 1 [0081.758] lstrcmpiW (lpString1=".txt", lpString2=".cpl") returned 1 [0081.758] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0081.758] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0081.758] lstrcmpiW (lpString1=".txt", lpString2=".url") returned -1 [0081.758] lstrcmpiW (lpString1=".txt", lpString2=".ttf") returned 1 [0081.758] lstrcmpiW (lpString1=".txt", lpString2=".mp3") returned 1 [0081.758] lstrcmpiW (lpString1=".txt", lpString2=".pif") returned 1 [0081.758] lstrcmpiW (lpString1=".txt", lpString2=".mp4") returned 1 [0081.759] lstrcmpiW (lpString1=".txt", lpString2=".NEFILIM") returned 1 [0081.759] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0081.759] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0081.759] lstrcmpiW (lpString1="NEFILIM-DECRYPT.txt", lpString2="NEFILIM-DECRYPT.txt") returned 0 [0081.759] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6e97b025, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6e97b025, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xaced8ceb, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x28000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="pagefile.sys", cAlternateFileName="")) returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2=".") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="..") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="...") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="windows") returned -1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="$RECYCLE.BIN") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="rsa") returned -1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="NTDETECT.COM") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="ntldr") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="MSDOS.SYS") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="IO.SYS") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="boot.ini") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="AUTOEXEC.BAT") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="ntuser.dat") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="desktop.ini") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="CONFIG.SYS") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="RECYCLER") returned -1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="BOOTSECT.BAK") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="bootmgr") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="programdata") returned -1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="appdata") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="program files") returned -1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="program files (x86)") returned -1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="microsoft") returned 1 [0081.759] lstrcmpiW (lpString1="pagefile.sys", lpString2="sophos") returned -1 [0081.759] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0081.759] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0081.759] PathFindExtensionW (pszPath="pagefile.sys") returned=".sys" [0081.759] lstrcmpiW (lpString1=".sys", lpString2=".exe") returned 1 [0081.759] lstrcmpiW (lpString1=".sys", lpString2=".log") returned 1 [0081.759] lstrcmpiW (lpString1=".sys", lpString2=".cab") returned 1 [0081.760] lstrcmpiW (lpString1=".sys", lpString2=".cmd") returned 1 [0081.760] lstrcmpiW (lpString1=".sys", lpString2=".com") returned 1 [0081.760] lstrcmpiW (lpString1=".sys", lpString2=".cpl") returned 1 [0081.760] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0081.760] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0081.760] lstrcmpiW (lpString1=".sys", lpString2=".url") returned -1 [0081.760] lstrcmpiW (lpString1=".sys", lpString2=".ttf") returned -1 [0081.760] lstrcmpiW (lpString1=".sys", lpString2=".mp3") returned 1 [0081.760] lstrcmpiW (lpString1=".sys", lpString2=".pif") returned 1 [0081.760] lstrcmpiW (lpString1=".sys", lpString2=".mp4") returned 1 [0081.760] lstrcmpiW (lpString1=".sys", lpString2=".NEFILIM") returned 1 [0081.760] lstrcmpiW (lpString1=".sys", lpString2=".msi") returned 1 [0081.760] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0081.760] lstrcmpiW (lpString1="pagefile.sys", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0081.760] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0081.760] CreateFileW (lpFileName="C:\\pagefile.sys" (normalized: "c:\\pagefile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0081.760] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bf458 | out: lpFileSize=0x25bf458*=75031468087965748) returned 0 [0081.760] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e198 [0081.760] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e078 [0081.760] SystemFunction036 (in: RandomBuffer=0x268e198, RandomBufferLength=0x10 | out: RandomBuffer=0x268e198) returned 1 [0081.760] SystemFunction036 (in: RandomBuffer=0x268e078, RandomBufferLength=0x10 | out: RandomBuffer=0x268e078) returned 1 [0081.760] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1930 [0081.760] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d09b8 [0081.760] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1930*, pdwDataLen=0x25bf418*=0x10, dwBufLen=0x100 | out: pbData=0x29d1930*, pdwDataLen=0x25bf418*=0x100) returned 1 [0081.762] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d09b8*, pdwDataLen=0x25bf414*=0x10, dwBufLen=0x100 | out: pbData=0x29d09b8*, pdwDataLen=0x25bf414*=0x100) returned 1 [0081.763] GetTickCount () returned 0x1155b8a [0081.763] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0081.763] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0081.763] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0081.763] SetLastError (dwErrCode=0x0) [0081.763] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d1930, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf470, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bf470, lpOverlapped=0x0) returned 0 [0081.763] GetLastError () returned 0x6 [0081.763] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0081.763] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PerfLogs", cAlternateFileName="")) returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2=".") returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="..") returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="...") returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="windows") returned -1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="$RECYCLE.BIN") returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="rsa") returned -1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="NTDETECT.COM") returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="ntldr") returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="MSDOS.SYS") returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="IO.SYS") returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="boot.ini") returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="AUTOEXEC.BAT") returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="ntuser.dat") returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="desktop.ini") returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="CONFIG.SYS") returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="RECYCLER") returned -1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="BOOTSECT.BAK") returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="bootmgr") returned 1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="programdata") returned -1 [0081.763] lstrcmpiW (lpString1="PerfLogs", lpString2="appdata") returned 1 [0081.764] lstrcmpiW (lpString1="PerfLogs", lpString2="program files") returned -1 [0081.764] lstrcmpiW (lpString1="PerfLogs", lpString2="program files (x86)") returned -1 [0081.764] lstrcmpiW (lpString1="PerfLogs", lpString2="microsoft") returned 1 [0081.764] lstrcmpiW (lpString1="PerfLogs", lpString2="sophos") returned -1 [0081.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0081.764] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0081.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0081.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2682328 [0081.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26814b8 [0081.764] FindFirstFileW (in: lpFileName="C:\\PerfLogs\\*.*", lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2681478, dwReserved1=0x9, cFileName=".", cAlternateFileName="")) returned 0xbe2648 [0081.868] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.868] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2681478, dwReserved1=0x9, cFileName="..", cAlternateFileName="")) returned 1 [0081.868] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.868] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.868] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xa03748ae, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17b3dd09, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2681478, dwReserved1=0x9, cFileName="..", cAlternateFileName="")) returned 0 [0081.868] FindClose (in: hFindFile=0xbe2648 | out: hFindFile=0xbe2648) returned 1 [0081.868] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0081.868] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0081.868] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0081.868] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17b3dd09, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xed30b93e, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xed30b93e, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files", cAlternateFileName="PROGRA~1")) returned 1 [0081.868] lstrcmpiW (lpString1="Program Files", lpString2=".") returned 1 [0081.868] lstrcmpiW (lpString1="Program Files", lpString2="..") returned 1 [0081.868] lstrcmpiW (lpString1="Program Files", lpString2="...") returned 1 [0081.868] lstrcmpiW (lpString1="Program Files", lpString2="windows") returned -1 [0081.868] lstrcmpiW (lpString1="Program Files", lpString2="$RECYCLE.BIN") returned 1 [0081.868] lstrcmpiW (lpString1="Program Files", lpString2="rsa") returned -1 [0081.868] lstrcmpiW (lpString1="Program Files", lpString2="NTDETECT.COM") returned 1 [0081.868] lstrcmpiW (lpString1="Program Files", lpString2="ntldr") returned 1 [0081.868] lstrcmpiW (lpString1="Program Files", lpString2="MSDOS.SYS") returned 1 [0081.868] lstrcmpiW (lpString1="Program Files", lpString2="IO.SYS") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files", lpString2="boot.ini") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files", lpString2="AUTOEXEC.BAT") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files", lpString2="ntuser.dat") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files", lpString2="desktop.ini") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files", lpString2="CONFIG.SYS") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files", lpString2="RECYCLER") returned -1 [0081.869] lstrcmpiW (lpString1="Program Files", lpString2="BOOTSECT.BAK") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files", lpString2="bootmgr") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files", lpString2="programdata") returned -1 [0081.869] lstrcmpiW (lpString1="Program Files", lpString2="appdata") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files", lpString2="program files") returned 0 [0081.869] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xe7a165b3, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xe7a165b3, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Program Files (x86)", cAlternateFileName="PROGRA~2")) returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2=".") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="..") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="...") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="windows") returned -1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="$RECYCLE.BIN") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="rsa") returned -1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="NTDETECT.COM") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="ntldr") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="MSDOS.SYS") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="IO.SYS") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="boot.ini") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="AUTOEXEC.BAT") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="ntuser.dat") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="desktop.ini") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="CONFIG.SYS") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="RECYCLER") returned -1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="BOOTSECT.BAK") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="bootmgr") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="programdata") returned -1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="appdata") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="program files") returned 1 [0081.869] lstrcmpiW (lpString1="Program Files (x86)", lpString2="program files (x86)") returned 0 [0081.869] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ProgramData", cAlternateFileName="PROGRA~3")) returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2=".") returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="..") returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="...") returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="windows") returned -1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="$RECYCLE.BIN") returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="rsa") returned -1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="NTDETECT.COM") returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="ntldr") returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="MSDOS.SYS") returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="IO.SYS") returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="boot.ini") returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="AUTOEXEC.BAT") returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="ntuser.dat") returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="desktop.ini") returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="CONFIG.SYS") returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="RECYCLER") returned -1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="BOOTSECT.BAK") returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="bootmgr") returned 1 [0081.870] lstrcmpiW (lpString1="ProgramData", lpString2="programdata") returned 0 [0081.870] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0081.870] lstrcmpiW (lpString1="Recovery", lpString2=".") returned 1 [0081.870] lstrcmpiW (lpString1="Recovery", lpString2="..") returned 1 [0081.870] lstrcmpiW (lpString1="Recovery", lpString2="...") returned 1 [0081.870] lstrcmpiW (lpString1="Recovery", lpString2="windows") returned -1 [0081.870] lstrcmpiW (lpString1="Recovery", lpString2="$RECYCLE.BIN") returned 1 [0081.870] lstrcmpiW (lpString1="Recovery", lpString2="rsa") returned -1 [0081.870] lstrcmpiW (lpString1="Recovery", lpString2="NTDETECT.COM") returned 1 [0081.870] lstrcmpiW (lpString1="Recovery", lpString2="ntldr") returned 1 [0081.870] lstrcmpiW (lpString1="Recovery", lpString2="MSDOS.SYS") returned 1 [0081.870] lstrcmpiW (lpString1="Recovery", lpString2="IO.SYS") returned 1 [0081.870] lstrcmpiW (lpString1="Recovery", lpString2="boot.ini") returned 1 [0081.870] lstrcmpiW (lpString1="Recovery", lpString2="AUTOEXEC.BAT") returned 1 [0081.870] lstrcmpiW (lpString1="Recovery", lpString2="ntuser.dat") returned 1 [0081.870] lstrcmpiW (lpString1="Recovery", lpString2="desktop.ini") returned 1 [0081.870] lstrcmpiW (lpString1="Recovery", lpString2="CONFIG.SYS") returned 1 [0081.871] lstrcmpiW (lpString1="Recovery", lpString2="RECYCLER") returned -1 [0081.871] lstrcmpiW (lpString1="Recovery", lpString2="BOOTSECT.BAK") returned 1 [0081.871] lstrcmpiW (lpString1="Recovery", lpString2="bootmgr") returned 1 [0081.871] lstrcmpiW (lpString1="Recovery", lpString2="programdata") returned 1 [0081.871] lstrcmpiW (lpString1="Recovery", lpString2="appdata") returned 1 [0081.871] lstrcmpiW (lpString1="Recovery", lpString2="program files") returned 1 [0081.871] lstrcmpiW (lpString1="Recovery", lpString2="program files (x86)") returned 1 [0081.871] lstrcmpiW (lpString1="Recovery", lpString2="microsoft") returned 1 [0081.871] lstrcmpiW (lpString1="Recovery", lpString2="sophos") returned -1 [0081.871] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0081.871] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0081.871] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0081.871] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2682328 [0081.871] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26814b8 [0081.871] FindFirstFileW (in: lpFileName="C:\\Recovery\\*.*", lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2681478, dwReserved1=0x9, cFileName=".", cAlternateFileName="")) returned 0xbe23c8 [0081.872] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.872] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2681478, dwReserved1=0x9, cFileName="..", cAlternateFileName="")) returned 1 [0081.872] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.872] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.872] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x28e9c3a2, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x28e9c3a2, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2681478, dwReserved1=0x9, cFileName="Logs", cAlternateFileName="")) returned 1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2=".") returned 1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="..") returned 1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="...") returned 1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="windows") returned -1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="$RECYCLE.BIN") returned 1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="rsa") returned -1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="NTDETECT.COM") returned -1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="ntldr") returned -1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="MSDOS.SYS") returned -1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="IO.SYS") returned 1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="boot.ini") returned 1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="AUTOEXEC.BAT") returned 1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="ntuser.dat") returned -1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="desktop.ini") returned 1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="CONFIG.SYS") returned 1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="RECYCLER") returned -1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="BOOTSECT.BAK") returned 1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="bootmgr") returned 1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="programdata") returned -1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="appdata") returned 1 [0081.872] lstrcmpiW (lpString1="Logs", lpString2="program files") returned -1 [0081.873] lstrcmpiW (lpString1="Logs", lpString2="program files (x86)") returned -1 [0081.873] lstrcmpiW (lpString1="Logs", lpString2="microsoft") returned -1 [0081.873] lstrcmpiW (lpString1="Logs", lpString2="sophos") returned -1 [0081.873] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681278 [0081.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0081.873] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0081.873] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812b0 [0081.873] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0081.873] FindFirstFileW (in: lpFileName="C:\\Recovery\\Logs\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x28e9c3a2, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x28e9c3a2, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0081.873] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.873] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x28e9c3a2, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x28e9c3a2, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.873] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.873] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.873] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x28e9c3a2, ftCreationTime.dwHighDateTime=0x1d32795, ftLastAccessTime.dwLowDateTime=0x28e9c3a2, ftLastAccessTime.dwHighDateTime=0x1d32795, ftLastWriteTime.dwLowDateTime=0x28e9c3a2, ftLastWriteTime.dwHighDateTime=0x1d32795, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.873] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0081.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0081.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812b0 | out: hHeap=0x2680000) returned 1 [0081.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0081.873] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1044dfc5, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x3ee, dwReserved0=0x2681478, dwReserved1=0x9, cFileName="ReAgentOld.xml", cAlternateFileName="REAGEN~1.XML")) returned 1 [0081.873] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2=".") returned 1 [0081.873] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="..") returned 1 [0081.873] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="...") returned 1 [0081.873] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="windows") returned -1 [0081.873] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="$RECYCLE.BIN") returned 1 [0081.873] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="rsa") returned -1 [0081.873] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="NTDETECT.COM") returned 1 [0081.873] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="ntldr") returned 1 [0081.873] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="MSDOS.SYS") returned 1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="IO.SYS") returned 1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="boot.ini") returned 1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="AUTOEXEC.BAT") returned 1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="ntuser.dat") returned 1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="desktop.ini") returned 1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="CONFIG.SYS") returned 1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="RECYCLER") returned -1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="BOOTSECT.BAK") returned 1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="bootmgr") returned 1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="programdata") returned 1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="appdata") returned 1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="program files") returned 1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="program files (x86)") returned 1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="microsoft") returned 1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="sophos") returned -1 [0081.874] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0081.874] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0081.874] PathFindExtensionW (pszPath="ReAgentOld.xml") returned=".xml" [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0081.874] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0081.874] lstrcmpiW (lpString1="ReAgentOld.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0081.875] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0081.875] CreateFileW (lpFileName="C:\\Recovery\\ReAgentOld.xml" (normalized: "c:\\recovery\\reagentold.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x260 [0081.875] GetFileSizeEx (in: hFile=0x260, lpFileSize=0x25bf138 | out: lpFileSize=0x25bf138*=1006) returned 1 [0081.875] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0081.875] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0081.875] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0081.875] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0081.875] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0cd0 [0081.875] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0081.875] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0cd0*, pdwDataLen=0x25bf0f8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0cd0*, pdwDataLen=0x25bf0f8*=0x100) returned 1 [0081.876] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25bf0f4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25bf0f4*=0x100) returned 1 [0081.876] GetTickCount () returned 0x1155bf7 [0081.876] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812c0 [0081.876] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0081.876] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x3ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.876] SetLastError (dwErrCode=0x0) [0081.876] WriteFile (in: hFile=0x260, lpBuffer=0x29d0cd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d0cd0*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0081.878] GetLastError () returned 0x0 [0081.878] GetLastError () returned 0x0 [0081.878] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x4ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.878] WriteFile (in: hFile=0x260, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25bf150*=0x100, lpOverlapped=0x0) returned 1 [0081.878] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x5ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.878] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bf10c | out: lpSystemTimeAsFileTime=0x25bf10c*(dwLowDateTime=0x2bcab2c9, dwHighDateTime=0x1d5f971)) [0081.878] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0081.878] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0081.878] WriteFile (in: hFile=0x260, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bf150*=0x7, lpOverlapped=0x0) returned 1 [0081.878] GetProcessHeap () returned 0xbc0000 [0081.878] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3ee) returned 0xbe3f48 [0081.878] GetSystemDefaultLangID () returned 0xbd0409 [0081.878] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.878] ReadFile (in: hFile=0x260, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x3ee, lpNumberOfBytesRead=0x25bf15c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25bf15c*=0x3ee, lpOverlapped=0x0) returned 1 [0081.878] SetFilePointerEx (in: hFile=0x260, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.878] WriteFile (in: hFile=0x260, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x3ee, lpNumberOfBytesWritten=0x25bf150, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25bf150*=0x3ee, lpOverlapped=0x0) returned 1 [0081.878] GetProcessHeap () returned 0xbc0000 [0081.878] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0081.878] CloseHandle (hObject=0x260) returned 1 [0081.880] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0cd0 | out: hHeap=0x2680000) returned 1 [0081.880] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0081.880] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e090 | out: hHeap=0x2680000) returned 1 [0081.880] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0081.880] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0081.880] MoveFileW (lpExistingFileName="C:\\Recovery\\ReAgentOld.xml" (normalized: "c:\\recovery\\reagentold.xml"), lpNewFileName="C:\\Recovery\\ReAgentOld.xml.NEFILIM" (normalized: "c:\\recovery\\reagentold.xml.nefilim")) returned 1 [0081.880] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0081.880] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0081.880] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1044dfc5, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x1044dfc5, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x1044dfc5, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x3ee, dwReserved0=0x2681478, dwReserved1=0x9, cFileName="ReAgentOld.xml", cAlternateFileName="REAGEN~1.XML")) returned 0 [0081.880] FindClose (in: hFindFile=0xbe23c8 | out: hFindFile=0xbe23c8) returned 1 [0081.881] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0081.881] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0081.881] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0081.881] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6ead2556, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0x6ead2556, ftLastAccessTime.dwHighDateTime=0x1d3275c, ftLastWriteTime.dwLowDateTime=0xacefef79, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x10000000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="swapfile.sys", cAlternateFileName="")) returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2=".") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="..") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="...") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="windows") returned -1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="$RECYCLE.BIN") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="rsa") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="NTDETECT.COM") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="ntldr") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="MSDOS.SYS") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="IO.SYS") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="boot.ini") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="AUTOEXEC.BAT") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="ntuser.dat") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="desktop.ini") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="CONFIG.SYS") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="RECYCLER") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="BOOTSECT.BAK") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="bootmgr") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="programdata") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="appdata") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="program files") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="program files (x86)") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="microsoft") returned 1 [0081.881] lstrcmpiW (lpString1="swapfile.sys", lpString2="sophos") returned 1 [0081.881] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0081.881] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0081.881] PathFindExtensionW (pszPath="swapfile.sys") returned=".sys" [0081.881] lstrcmpiW (lpString1=".sys", lpString2=".exe") returned 1 [0081.881] lstrcmpiW (lpString1=".sys", lpString2=".log") returned 1 [0081.881] lstrcmpiW (lpString1=".sys", lpString2=".cab") returned 1 [0081.881] lstrcmpiW (lpString1=".sys", lpString2=".cmd") returned 1 [0081.882] lstrcmpiW (lpString1=".sys", lpString2=".com") returned 1 [0081.882] lstrcmpiW (lpString1=".sys", lpString2=".cpl") returned 1 [0081.882] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0081.882] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0081.882] lstrcmpiW (lpString1=".sys", lpString2=".url") returned -1 [0081.882] lstrcmpiW (lpString1=".sys", lpString2=".ttf") returned -1 [0081.882] lstrcmpiW (lpString1=".sys", lpString2=".mp3") returned 1 [0081.882] lstrcmpiW (lpString1=".sys", lpString2=".pif") returned 1 [0081.882] lstrcmpiW (lpString1=".sys", lpString2=".mp4") returned 1 [0081.882] lstrcmpiW (lpString1=".sys", lpString2=".NEFILIM") returned 1 [0081.882] lstrcmpiW (lpString1=".sys", lpString2=".msi") returned 1 [0081.882] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0081.882] lstrcmpiW (lpString1="swapfile.sys", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0081.882] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0081.882] CreateFileW (lpFileName="C:\\swapfile.sys" (normalized: "c:\\swapfile.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0081.882] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bf458 | out: lpFileSize=0x25bf458*=75031468087965748) returned 0 [0081.882] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e090 [0081.882] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df40 [0081.882] SystemFunction036 (in: RandomBuffer=0x268e090, RandomBufferLength=0x10 | out: RandomBuffer=0x268e090) returned 1 [0081.882] SystemFunction036 (in: RandomBuffer=0x268df40, RandomBufferLength=0x10 | out: RandomBuffer=0x268df40) returned 1 [0081.882] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0280 [0081.883] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0cd0 [0081.883] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0280*, pdwDataLen=0x25bf418*=0x10, dwBufLen=0x100 | out: pbData=0x29d0280*, pdwDataLen=0x25bf418*=0x100) returned 1 [0081.883] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0cd0*, pdwDataLen=0x25bf414*=0x10, dwBufLen=0x100 | out: pbData=0x29d0cd0*, pdwDataLen=0x25bf414*=0x100) returned 1 [0081.884] GetTickCount () returned 0x1155c07 [0081.884] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2682328 [0081.884] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0081.884] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0081.884] SetLastError (dwErrCode=0x0) [0081.884] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d0280, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bf470, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bf470, lpOverlapped=0x0) returned 0 [0081.884] GetLastError () returned 0x6 [0081.885] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0081.885] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x6e16f135, ftCreationTime.dwHighDateTime=0x1d3275c, ftLastAccessTime.dwLowDateTime=0xb1ff7ba5, ftLastAccessTime.dwHighDateTime=0x1d336d8, ftLastWriteTime.dwLowDateTime=0xb1ff7ba5, ftLastWriteTime.dwHighDateTime=0x1d336d8, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="System Volume Information", cAlternateFileName="SYSTEM~1")) returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2=".") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="..") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="...") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="windows") returned -1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="$RECYCLE.BIN") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="rsa") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="NTDETECT.COM") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="ntldr") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="MSDOS.SYS") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="IO.SYS") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="boot.ini") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="AUTOEXEC.BAT") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="ntuser.dat") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="desktop.ini") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="CONFIG.SYS") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="RECYCLER") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="BOOTSECT.BAK") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="bootmgr") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="programdata") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="appdata") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="program files") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="program files (x86)") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="microsoft") returned 1 [0081.885] lstrcmpiW (lpString1="System Volume Information", lpString2="sophos") returned 1 [0081.885] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0081.885] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0081.885] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0081.885] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0081.885] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0081.885] FindFirstFileW (in: lpFileName="C:\\System Volume Information\\*.*", lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x26800c0, ftCreationTime.dwLowDateTime=0x2680284, ftCreationTime.dwHighDateTime=0x2dc3eb96, ftLastAccessTime.dwLowDateTime=0x83079bfa, ftLastAccessTime.dwHighDateTime=0x14000014, ftLastWriteTime.dwLowDateTime=0x779b15ca, ftLastWriteTime.dwHighDateTime=0xc2f97a18, nFileSizeHigh=0x2680000, nFileSizeLow=0x9000009, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="", cAlternateFileName="ɛ⊺Ċᒸɨ⌨ɨ:")) returned 0xffffffff [0081.886] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0081.886] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0081.886] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0081.886] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2=".") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="..") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="...") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="windows") returned -1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="$RECYCLE.BIN") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="rsa") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="NTDETECT.COM") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="ntldr") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="MSDOS.SYS") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="IO.SYS") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="boot.ini") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="AUTOEXEC.BAT") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="ntuser.dat") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="desktop.ini") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="CONFIG.SYS") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="RECYCLER") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="BOOTSECT.BAK") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="bootmgr") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="programdata") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="appdata") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="program files") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="program files (x86)") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="microsoft") returned 1 [0081.886] lstrcmpiW (lpString1="Users", lpString2="sophos") returned 1 [0081.886] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681478 [0081.886] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0081.886] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26820d0 [0081.886] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2682328 [0081.886] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26814b8 [0081.887] FindFirstFileW (in: lpFileName="C:\\Users\\*.*", lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName=".", cAlternateFileName="")) returned 0xbe2848 [0081.887] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.887] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26820d0, dwReserved1=0x9, cFileName="..", cAlternateFileName="")) returned 1 [0081.887] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.887] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.887] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x9, cFileName="All Users", cAlternateFileName="ALLUSE~1")) returned 1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2=".") returned 1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="..") returned 1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="...") returned 1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="windows") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="$RECYCLE.BIN") returned 1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="rsa") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="NTDETECT.COM") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="ntldr") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="MSDOS.SYS") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="IO.SYS") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="boot.ini") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="AUTOEXEC.BAT") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="ntuser.dat") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="desktop.ini") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="CONFIG.SYS") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="RECYCLER") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="BOOTSECT.BAK") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="bootmgr") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="programdata") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="appdata") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="program files") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="program files (x86)") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="microsoft") returned -1 [0081.887] lstrcmpiW (lpString1="All Users", lpString2="sophos") returned -1 [0081.887] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x2681278 [0081.888] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0081.888] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26814b8 [0081.888] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26812b0 [0081.888] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0081.888] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2a88 [0081.888] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.888] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x450f4738, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x450f4738, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.889] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.889] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.889] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Adobe", cAlternateFileName="")) returned 1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2=".") returned 1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="..") returned 1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="...") returned 1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="windows") returned -1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="$RECYCLE.BIN") returned 1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="rsa") returned -1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="NTDETECT.COM") returned -1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="ntldr") returned -1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="MSDOS.SYS") returned -1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="IO.SYS") returned -1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="boot.ini") returned -1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="AUTOEXEC.BAT") returned -1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="ntuser.dat") returned -1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="desktop.ini") returned -1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="CONFIG.SYS") returned -1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="RECYCLER") returned -1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="BOOTSECT.BAK") returned -1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="bootmgr") returned -1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="programdata") returned -1 [0081.889] lstrcmpiW (lpString1="Adobe", lpString2="appdata") returned -1 [0081.890] lstrcmpiW (lpString1="Adobe", lpString2="program files") returned -1 [0081.890] lstrcmpiW (lpString1="Adobe", lpString2="program files (x86)") returned -1 [0081.890] lstrcmpiW (lpString1="Adobe", lpString2="microsoft") returned -1 [0081.890] lstrcmpiW (lpString1="Adobe", lpString2="sophos") returned -1 [0081.890] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804f0 [0081.890] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0081.890] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680538 [0081.890] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0081.890] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bdd8 [0081.890] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2348 [0081.892] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.892] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x450f4738, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x4511a9a6, ftLastAccessTime.dwHighDateTime=0x1d327cd, ftLastWriteTime.dwLowDateTime=0x4511a9a6, ftLastWriteTime.dwHighDateTime=0x1d327cd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.892] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.892] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.892] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 1 [0081.892] lstrcmpiW (lpString1="ARM", lpString2=".") returned 1 [0081.892] lstrcmpiW (lpString1="ARM", lpString2="..") returned 1 [0081.892] lstrcmpiW (lpString1="ARM", lpString2="...") returned 1 [0081.892] lstrcmpiW (lpString1="ARM", lpString2="windows") returned -1 [0081.892] lstrcmpiW (lpString1="ARM", lpString2="$RECYCLE.BIN") returned 1 [0081.892] lstrcmpiW (lpString1="ARM", lpString2="rsa") returned -1 [0081.892] lstrcmpiW (lpString1="ARM", lpString2="NTDETECT.COM") returned -1 [0081.892] lstrcmpiW (lpString1="ARM", lpString2="ntldr") returned -1 [0081.892] lstrcmpiW (lpString1="ARM", lpString2="MSDOS.SYS") returned -1 [0081.892] lstrcmpiW (lpString1="ARM", lpString2="IO.SYS") returned -1 [0081.892] lstrcmpiW (lpString1="ARM", lpString2="boot.ini") returned -1 [0081.893] lstrcmpiW (lpString1="ARM", lpString2="AUTOEXEC.BAT") returned -1 [0081.893] lstrcmpiW (lpString1="ARM", lpString2="ntuser.dat") returned -1 [0081.893] lstrcmpiW (lpString1="ARM", lpString2="desktop.ini") returned -1 [0081.893] lstrcmpiW (lpString1="ARM", lpString2="CONFIG.SYS") returned -1 [0081.893] lstrcmpiW (lpString1="ARM", lpString2="RECYCLER") returned -1 [0081.893] lstrcmpiW (lpString1="ARM", lpString2="BOOTSECT.BAK") returned -1 [0081.893] lstrcmpiW (lpString1="ARM", lpString2="bootmgr") returned -1 [0081.893] lstrcmpiW (lpString1="ARM", lpString2="programdata") returned -1 [0081.893] lstrcmpiW (lpString1="ARM", lpString2="appdata") returned 1 [0081.893] lstrcmpiW (lpString1="ARM", lpString2="program files") returned -1 [0081.893] lstrcmpiW (lpString1="ARM", lpString2="program files (x86)") returned -1 [0081.893] lstrcmpiW (lpString1="ARM", lpString2="microsoft") returned -1 [0081.893] lstrcmpiW (lpString1="ARM", lpString2="sophos") returned -1 [0081.893] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be20 [0081.893] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdd8 | out: hHeap=0x2680000) returned 1 [0081.893] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bdd8 [0081.893] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be68 [0081.893] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0081.893] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2408 [0081.935] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.936] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.936] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.936] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.936] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_15.007.20033", cAlternateFileName="READER~1.200")) returned 1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2=".") returned 1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="..") returned 1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="...") returned 1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="windows") returned -1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="$RECYCLE.BIN") returned 1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="rsa") returned -1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="NTDETECT.COM") returned 1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="ntldr") returned 1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="MSDOS.SYS") returned 1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="IO.SYS") returned 1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="boot.ini") returned 1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="AUTOEXEC.BAT") returned 1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="ntuser.dat") returned 1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="desktop.ini") returned 1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="CONFIG.SYS") returned 1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="RECYCLER") returned -1 [0081.936] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="BOOTSECT.BAK") returned 1 [0081.937] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="bootmgr") returned 1 [0081.937] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="programdata") returned 1 [0081.937] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="appdata") returned 1 [0081.937] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="program files") returned 1 [0081.937] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="program files (x86)") returned 1 [0081.937] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="microsoft") returned 1 [0081.937] lstrcmpiW (lpString1="Reader_15.007.20033", lpString2="sophos") returned -1 [0081.937] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e340 [0081.937] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0081.937] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e3b8 [0081.937] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e430 [0081.937] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e4a8 [0081.937] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.007.20033\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe25c8 [0081.938] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.938] FindNextFileW (in: hFindFile=0xbe25c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.939] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.939] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.939] FindNextFileW (in: hFindFile=0xbe25c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x53050818, ftCreationTime.dwHighDateTime=0x1d35e02, ftLastAccessTime.dwLowDateTime=0xfb2ddff7, ftLastAccessTime.dwHighDateTime=0x1d35e02, ftLastWriteTime.dwLowDateTime=0x3268450e, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.939] FindClose (in: hFindFile=0xbe25c8 | out: hFindFile=0xbe25c8) returned 1 [0081.939] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4a8 | out: hHeap=0x2680000) returned 1 [0081.939] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e430 | out: hHeap=0x2680000) returned 1 [0081.939] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3b8 | out: hHeap=0x2680000) returned 1 [0081.939] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0xa7140105, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Reader_15.023.20070", cAlternateFileName="READER~2.200")) returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2=".") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="..") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="...") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="windows") returned -1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="$RECYCLE.BIN") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="rsa") returned -1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="NTDETECT.COM") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="ntldr") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="MSDOS.SYS") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="IO.SYS") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="boot.ini") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="AUTOEXEC.BAT") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="ntuser.dat") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="desktop.ini") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="CONFIG.SYS") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="RECYCLER") returned -1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="BOOTSECT.BAK") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="bootmgr") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="programdata") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="appdata") returned 1 [0081.939] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="program files") returned 1 [0081.940] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="program files (x86)") returned 1 [0081.940] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="microsoft") returned 1 [0081.940] lstrcmpiW (lpString1="Reader_15.023.20070", lpString2="sophos") returned -1 [0081.940] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e3b8 [0081.940] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0081.940] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0081.940] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e430 [0081.940] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e4a8 [0081.940] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\Reader_15.023.20070\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x2797fc81, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe28c8 [0081.940] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.940] FindNextFileW (in: hFindFile=0xbe28c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x2797fc81, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.940] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.940] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.940] FindNextFileW (in: hFindFile=0xbe28c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d2868f, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xa7140105, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x2797fc81, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.940] FindClose (in: hFindFile=0xbe28c8 | out: hFindFile=0xbe28c8) returned 1 [0081.940] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4a8 | out: hHeap=0x2680000) returned 1 [0081.940] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e430 | out: hHeap=0x2680000) returned 1 [0081.940] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0081.940] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S", cAlternateFileName="")) returned 1 [0081.940] lstrcmpiW (lpString1="S", lpString2=".") returned 1 [0081.940] lstrcmpiW (lpString1="S", lpString2="..") returned 1 [0081.940] lstrcmpiW (lpString1="S", lpString2="...") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="windows") returned -1 [0081.941] lstrcmpiW (lpString1="S", lpString2="$RECYCLE.BIN") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="rsa") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="NTDETECT.COM") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="ntldr") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="MSDOS.SYS") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="IO.SYS") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="boot.ini") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="AUTOEXEC.BAT") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="ntuser.dat") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="desktop.ini") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="CONFIG.SYS") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="RECYCLER") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="BOOTSECT.BAK") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="bootmgr") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="programdata") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="appdata") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="program files") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="program files (x86)") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="microsoft") returned 1 [0081.941] lstrcmpiW (lpString1="S", lpString2="sophos") returned -1 [0081.941] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e2e8 [0081.941] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3b8 | out: hHeap=0x2680000) returned 1 [0081.941] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e330 [0081.941] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e378 [0081.941] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e3c0 [0081.941] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Adobe\\ARM\\S\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2888 [0081.942] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.942] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.942] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.942] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.942] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.942] FindClose (in: hFindFile=0xbe2888 | out: hFindFile=0xbe2888) returned 1 [0081.942] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3c0 | out: hHeap=0x2680000) returned 1 [0081.942] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e378 | out: hHeap=0x2680000) returned 1 [0081.942] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e330 | out: hHeap=0x2680000) returned 1 [0081.942] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xdcb711fb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0x3c33d412, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x4b9b7315, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S", cAlternateFileName="")) returned 0 [0081.942] FindClose (in: hFindFile=0xbe2408 | out: hFindFile=0xbe2408) returned 1 [0081.942] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0081.942] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be68 | out: hHeap=0x2680000) returned 1 [0081.942] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdd8 | out: hHeap=0x2680000) returned 1 [0081.942] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x1d327cd, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ARM", cAlternateFileName="")) returned 0 [0081.942] FindClose (in: hFindFile=0xbe2348 | out: hFindFile=0xbe2348) returned 1 [0081.942] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be20 | out: hHeap=0x2680000) returned 1 [0081.942] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0081.942] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680538 | out: hHeap=0x2680000) returned 1 [0081.942] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0081.942] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0081.942] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0081.942] lstrcmpiW (lpString1="Application Data", lpString2="...") returned 1 [0081.942] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="$RECYCLE.BIN") returned 1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="rsa") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="NTDETECT.COM") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="ntldr") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="MSDOS.SYS") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="IO.SYS") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="boot.ini") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="AUTOEXEC.BAT") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="ntuser.dat") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="desktop.ini") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="CONFIG.SYS") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="RECYCLER") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="BOOTSECT.BAK") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="bootmgr") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="programdata") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="appdata") returned 1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="program files") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="program files (x86)") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="microsoft") returned -1 [0081.943] lstrcmpiW (lpString1="Application Data", lpString2="sophos") returned -1 [0081.943] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680538 [0081.943] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804f0 | out: hHeap=0x2680000) returned 1 [0081.943] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0081.943] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bd90 [0081.943] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bde8 [0081.943] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Application Data\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0x4511a9a6, ftCreationTime.dwHighDateTime=0x29000029, ftLastAccessTime.dwLowDateTime=0x28e82a8b, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x28e82a8b, ftLastWriteTime.dwHighDateTime=0x29000029, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɛ⊺ĊҸɨԸɨH")) returned 0xffffffff [0081.943] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bde8 | out: hHeap=0x2680000) returned 1 [0081.943] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0081.943] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0081.944] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Comms", cAlternateFileName="")) returned 1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2=".") returned 1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="..") returned 1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="...") returned 1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="windows") returned -1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="$RECYCLE.BIN") returned 1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="rsa") returned -1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="NTDETECT.COM") returned -1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="ntldr") returned -1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="MSDOS.SYS") returned -1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="IO.SYS") returned -1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="boot.ini") returned 1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="AUTOEXEC.BAT") returned 1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="ntuser.dat") returned -1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="desktop.ini") returned -1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="CONFIG.SYS") returned -1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="RECYCLER") returned -1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="BOOTSECT.BAK") returned 1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="bootmgr") returned 1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="programdata") returned -1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="appdata") returned 1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="program files") returned -1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="program files (x86)") returned -1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="microsoft") returned -1 [0081.944] lstrcmpiW (lpString1="Comms", lpString2="sophos") returned -1 [0081.944] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0081.944] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680538 | out: hHeap=0x2680000) returned 1 [0081.944] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680500 [0081.944] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680548 [0081.944] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0081.944] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Comms\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe25c8 [0081.945] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.945] FindNextFileW (in: hFindFile=0xbe25c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.945] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.945] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.945] FindNextFileW (in: hFindFile=0xbe25c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0081.945] FindClose (in: hFindFile=0xbe25c8 | out: hFindFile=0xbe25c8) returned 1 [0081.946] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0081.946] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680548 | out: hHeap=0x2680000) returned 1 [0081.946] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0081.946] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="$RECYCLE.BIN") returned 1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="NTDETECT.COM") returned -1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="ntldr") returned -1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="MSDOS.SYS") returned -1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="IO.SYS") returned -1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="boot.ini") returned 1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="AUTOEXEC.BAT") returned 1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="desktop.ini") returned -1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="CONFIG.SYS") returned 1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="RECYCLER") returned -1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="BOOTSECT.BAK") returned 1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="microsoft") returned -1 [0081.946] lstrcmpiW (lpString1="Desktop", lpString2="sophos") returned -1 [0081.946] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680500 [0081.946] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0081.946] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0081.946] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680548 [0081.946] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0081.946] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Desktop\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0xc00000c, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x29000029, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɛ⊺ĊҸɨԀɨ6")) returned 0xffffffff [0081.947] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0081.947] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680548 | out: hHeap=0x2680000) returned 1 [0081.947] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0081.947] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x78624286, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x78624286, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x78624286, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="$RECYCLE.BIN") returned 1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="NTDETECT.COM") returned -1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="ntldr") returned -1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="MSDOS.SYS") returned -1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="IO.SYS") returned -1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="boot.ini") returned 1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="AUTOEXEC.BAT") returned 1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="desktop.ini") returned 1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="CONFIG.SYS") returned 1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="RECYCLER") returned -1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="BOOTSECT.BAK") returned 1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="microsoft") returned -1 [0081.947] lstrcmpiW (lpString1="Documents", lpString2="sophos") returned -1 [0081.947] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0081.947] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0081.947] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680500 [0081.947] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680548 [0081.948] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bd90 [0081.948] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Documents\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x29000029, ftLastAccessTime.dwLowDateTime=0xbcb1c5f2, ftLastAccessTime.dwHighDateTime=0xc00000c, ftLastWriteTime.dwLowDateTime=0xcb9c8f, ftLastWriteTime.dwHighDateTime=0x29000029, nFileSizeHigh=0x2680000, nFileSizeLow=0xc00000c, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɛ⊺ĊԀɨҸɨ:")) returned 0xffffffff [0081.948] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0081.948] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680548 | out: hHeap=0x2680000) returned 1 [0081.948] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0081.948] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc93dc4da, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xc93dc4da, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2=".") returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="..") returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="...") returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="windows") returned -1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="$RECYCLE.BIN") returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="rsa") returned -1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="NTDETECT.COM") returned -1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="ntldr") returned -1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="MSDOS.SYS") returned -1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="IO.SYS") returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="boot.ini") returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="AUTOEXEC.BAT") returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="ntuser.dat") returned -1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="desktop.ini") returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="CONFIG.SYS") returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="RECYCLER") returned -1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="BOOTSECT.BAK") returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="bootmgr") returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="programdata") returned -1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="appdata") returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="program files") returned -1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="program files (x86)") returned -1 [0081.948] lstrcmpiW (lpString1="Microsoft", lpString2="microsoft") returned 0 [0081.948] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3ecd6462, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Microsoft OneDrive", cAlternateFileName="MICROS~2")) returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2=".") returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="..") returned 1 [0081.948] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="...") returned 1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="windows") returned -1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="$RECYCLE.BIN") returned 1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="rsa") returned -1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="NTDETECT.COM") returned -1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="ntldr") returned -1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="MSDOS.SYS") returned -1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="IO.SYS") returned 1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="boot.ini") returned 1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="AUTOEXEC.BAT") returned 1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="ntuser.dat") returned -1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="desktop.ini") returned 1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="CONFIG.SYS") returned 1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="RECYCLER") returned -1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="BOOTSECT.BAK") returned 1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="bootmgr") returned 1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="programdata") returned -1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="appdata") returned 1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="program files") returned -1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="program files (x86)") returned -1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="microsoft") returned 1 [0081.949] lstrcmpiW (lpString1="Microsoft OneDrive", lpString2="sophos") returned -1 [0081.949] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680500 [0081.949] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0081.949] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bd90 [0081.949] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bde8 [0081.949] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268be40 [0081.949] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3ecd6462, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2408 [0081.951] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.951] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3ecd6462, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x3ecd6462, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.951] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.951] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.951] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup", cAlternateFileName="")) returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2=".") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="..") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="...") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="windows") returned -1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="$RECYCLE.BIN") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="rsa") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="NTDETECT.COM") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="ntldr") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="MSDOS.SYS") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="IO.SYS") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="boot.ini") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="AUTOEXEC.BAT") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="ntuser.dat") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="desktop.ini") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="CONFIG.SYS") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="RECYCLER") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="BOOTSECT.BAK") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="bootmgr") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="programdata") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="appdata") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="program files") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="program files (x86)") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="microsoft") returned 1 [0081.951] lstrcmpiW (lpString1="setup", lpString2="sophos") returned -1 [0081.951] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0081.951] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be40 | out: hHeap=0x2680000) returned 1 [0081.951] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268be40 [0081.951] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e350 [0081.952] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e3b8 [0081.952] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Microsoft OneDrive\\setup\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2748 [0081.952] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.952] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.952] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.952] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.952] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe877edbb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="refcount.ini", cAlternateFileName="")) returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2=".") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="..") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="...") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="windows") returned -1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="$RECYCLE.BIN") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="rsa") returned -1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="NTDETECT.COM") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="ntldr") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="MSDOS.SYS") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="IO.SYS") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="boot.ini") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="AUTOEXEC.BAT") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="ntuser.dat") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="desktop.ini") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="CONFIG.SYS") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="RECYCLER") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="BOOTSECT.BAK") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="bootmgr") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="programdata") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="appdata") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="program files") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="program files (x86)") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="microsoft") returned 1 [0081.952] lstrcmpiW (lpString1="refcount.ini", lpString2="sophos") returned -1 [0081.953] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e420 [0081.953] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3b8 | out: hHeap=0x2680000) returned 1 [0081.953] PathFindExtensionW (pszPath="refcount.ini") returned=".ini" [0081.953] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0081.953] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0081.953] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0081.953] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0081.953] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0081.953] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0081.953] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0081.953] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe877edbb, ftCreationTime.dwHighDateTime=0x1d38c43, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="refcount.ini", cAlternateFileName="")) returned 0 [0081.953] FindClose (in: hFindFile=0xbe2748 | out: hFindFile=0xbe2748) returned 1 [0081.953] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e420 | out: hHeap=0x2680000) returned 1 [0081.953] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0081.953] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be40 | out: hHeap=0x2680000) returned 1 [0081.953] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3ecd6462, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe877edbb, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0xe877edbb, ftLastWriteTime.dwHighDateTime=0x1d38c43, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup", cAlternateFileName="")) returned 0 [0081.953] FindClose (in: hFindFile=0xbe2408 | out: hFindFile=0xbe2408) returned 1 [0081.953] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0081.953] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bde8 | out: hHeap=0x2680000) returned 1 [0081.953] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0081.953] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa2d56a03, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Oracle", cAlternateFileName="")) returned 1 [0081.953] lstrcmpiW (lpString1="Oracle", lpString2=".") returned 1 [0081.953] lstrcmpiW (lpString1="Oracle", lpString2="..") returned 1 [0081.953] lstrcmpiW (lpString1="Oracle", lpString2="...") returned 1 [0081.953] lstrcmpiW (lpString1="Oracle", lpString2="windows") returned -1 [0081.953] lstrcmpiW (lpString1="Oracle", lpString2="$RECYCLE.BIN") returned 1 [0081.953] lstrcmpiW (lpString1="Oracle", lpString2="rsa") returned -1 [0081.953] lstrcmpiW (lpString1="Oracle", lpString2="NTDETECT.COM") returned 1 [0081.953] lstrcmpiW (lpString1="Oracle", lpString2="ntldr") returned 1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="MSDOS.SYS") returned 1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="IO.SYS") returned 1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="boot.ini") returned 1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="AUTOEXEC.BAT") returned 1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="ntuser.dat") returned 1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="desktop.ini") returned 1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="CONFIG.SYS") returned 1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="RECYCLER") returned -1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="BOOTSECT.BAK") returned 1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="bootmgr") returned 1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="programdata") returned -1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="appdata") returned 1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="program files") returned -1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="program files (x86)") returned -1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="microsoft") returned 1 [0081.954] lstrcmpiW (lpString1="Oracle", lpString2="sophos") returned -1 [0081.954] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0081.954] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0081.954] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680500 [0081.954] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680548 [0081.954] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0081.954] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa2d56a03, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2408 [0081.954] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.954] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa2d56a03, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa2d56a03, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.954] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.955] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.955] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad14ee36, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 1 [0081.955] lstrcmpiW (lpString1="Java", lpString2=".") returned 1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="..") returned 1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="...") returned 1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="windows") returned -1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="$RECYCLE.BIN") returned 1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="rsa") returned -1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="NTDETECT.COM") returned -1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="ntldr") returned -1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="MSDOS.SYS") returned -1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="IO.SYS") returned 1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="boot.ini") returned 1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="AUTOEXEC.BAT") returned 1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="ntuser.dat") returned -1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="desktop.ini") returned 1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="CONFIG.SYS") returned 1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="RECYCLER") returned -1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="BOOTSECT.BAK") returned 1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="bootmgr") returned 1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="programdata") returned -1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="appdata") returned 1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="program files") returned -1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="program files (x86)") returned -1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="microsoft") returned -1 [0081.955] lstrcmpiW (lpString1="Java", lpString2="sophos") returned -1 [0081.955] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bdd8 [0081.955] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0081.955] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0081.955] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be20 [0081.955] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268be68 [0081.955] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\Java\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad14ee36, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2588 [0081.956] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.956] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad14ee36, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.956] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.956] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.956] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad14ee36, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc2d63c47, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xad19b2ee, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".oracle_jre_usage", cAlternateFileName="ORACLE~1")) returned 1 [0081.956] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2=".") returned 1 [0081.956] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="..") returned 1 [0081.956] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="...") returned 1 [0081.956] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="windows") returned -1 [0081.956] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="$RECYCLE.BIN") returned 1 [0081.956] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="rsa") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="NTDETECT.COM") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="ntldr") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="MSDOS.SYS") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="IO.SYS") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="boot.ini") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="AUTOEXEC.BAT") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="ntuser.dat") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="desktop.ini") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="CONFIG.SYS") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="RECYCLER") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="BOOTSECT.BAK") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="bootmgr") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="programdata") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="appdata") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="program files") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="program files (x86)") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="microsoft") returned -1 [0081.957] lstrcmpiW (lpString1=".oracle_jre_usage", lpString2="sophos") returned -1 [0081.957] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0081.957] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be68 | out: hHeap=0x2680000) returned 1 [0081.957] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e360 [0081.957] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e3d8 [0081.957] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e450 [0081.957] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad14ee36, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc2d63c47, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xad19b2ee, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0081.958] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.958] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xad14ee36, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xc2d63c47, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xad19b2ee, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0081.958] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.958] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.958] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad19b2ee, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad19b2ee, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x70ca10d9, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x33, dwReserved0=0x0, dwReserved1=0x0, cFileName="17dfc292991c7c46.timestamp", cAlternateFileName="17DFC2~1.TIM")) returned 1 [0081.958] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2=".") returned 1 [0081.958] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="..") returned 1 [0081.958] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="...") returned 1 [0081.958] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="windows") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="$RECYCLE.BIN") returned 1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="rsa") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="NTDETECT.COM") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="ntldr") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="MSDOS.SYS") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="IO.SYS") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="boot.ini") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="AUTOEXEC.BAT") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="ntuser.dat") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="desktop.ini") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="CONFIG.SYS") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="RECYCLER") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="BOOTSECT.BAK") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="bootmgr") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="programdata") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="appdata") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="program files") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="program files (x86)") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="microsoft") returned -1 [0081.959] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="sophos") returned -1 [0081.959] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e4c8 [0081.959] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e450 | out: hHeap=0x2680000) returned 1 [0081.959] PathFindExtensionW (pszPath="17dfc292991c7c46.timestamp") returned=".timestamp" [0081.959] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812e8 [0081.959] lstrcmpiW (lpString1=".timestamp", lpString2=".exe") returned 1 [0081.959] lstrcmpiW (lpString1=".timestamp", lpString2=".log") returned 1 [0081.959] lstrcmpiW (lpString1=".timestamp", lpString2=".cab") returned 1 [0081.959] lstrcmpiW (lpString1=".timestamp", lpString2=".cmd") returned 1 [0081.959] lstrcmpiW (lpString1=".timestamp", lpString2=".com") returned 1 [0081.959] lstrcmpiW (lpString1=".timestamp", lpString2=".cpl") returned 1 [0081.959] lstrcmpiW (lpString1=".timestamp", lpString2=".ini") returned 1 [0081.959] lstrcmpiW (lpString1=".timestamp", lpString2=".dll") returned 1 [0081.959] lstrcmpiW (lpString1=".timestamp", lpString2=".url") returned -1 [0081.959] lstrcmpiW (lpString1=".timestamp", lpString2=".ttf") returned -1 [0081.959] lstrcmpiW (lpString1=".timestamp", lpString2=".mp3") returned 1 [0081.960] lstrcmpiW (lpString1=".timestamp", lpString2=".pif") returned 1 [0081.960] lstrcmpiW (lpString1=".timestamp", lpString2=".mp4") returned 1 [0081.960] lstrcmpiW (lpString1=".timestamp", lpString2=".NEFILIM") returned 1 [0081.960] lstrcmpiW (lpString1=".timestamp", lpString2=".msi") returned 1 [0081.960] lstrcmpiW (lpString1=".timestamp", lpString2=".lnk") returned 1 [0081.960] lstrcmpiW (lpString1="17dfc292991c7c46.timestamp", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0081.960] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e570 [0081.960] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp" (normalized: "c:\\users\\all users\\oracle\\java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0081.961] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=51) returned 1 [0081.961] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0081.961] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0081.961] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0081.961] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0081.961] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0081.961] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0081.961] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be478*=0x100) returned 1 [0081.961] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be474*=0x100) returned 1 [0081.962] GetTickCount () returned 0x1155c55 [0081.962] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268be68 [0081.962] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be68 | out: hHeap=0x2680000) returned 1 [0081.962] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x33, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.962] SetLastError (dwErrCode=0x0) [0081.962] WriteFile (in: hFile=0x274, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0081.963] GetLastError () returned 0x0 [0081.963] GetLastError () returned 0x0 [0081.963] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x133, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.963] WriteFile (in: hFile=0x274, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0081.963] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x233, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.963] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x2bd8ffb8, dwHighDateTime=0x1d5f971)) [0081.963] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be68 [0081.963] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be68 | out: hHeap=0x2680000) returned 1 [0081.963] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0081.964] GetProcessHeap () returned 0xbc0000 [0081.964] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x33) returned 0xbe28c8 [0081.964] GetSystemDefaultLangID () returned 0xbd0409 [0081.964] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.964] ReadFile (in: hFile=0x274, lpBuffer=0xbe28c8, nNumberOfBytesToRead=0x33, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbe28c8*, lpNumberOfBytesRead=0x25be4dc*=0x33, lpOverlapped=0x0) returned 1 [0081.964] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0081.964] WriteFile (in: hFile=0x274, lpBuffer=0xbe28c8*, nNumberOfBytesToWrite=0x33, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbe28c8*, lpNumberOfBytesWritten=0x25be4d0*=0x33, lpOverlapped=0x0) returned 1 [0081.964] GetProcessHeap () returned 0xbc0000 [0081.964] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe28c8 | out: hHeap=0xbc0000) returned 1 [0081.964] CloseHandle (hObject=0x274) returned 1 [0081.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0081.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0081.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0081.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0081.965] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e618 [0081.965] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp" (normalized: "c:\\users\\all users\\oracle\\java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp"), lpNewFileName="C:\\Users\\All Users\\Oracle\\Java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp.NEFILIM" (normalized: "c:\\users\\all users\\oracle\\java\\.oracle_jre_usage\\17dfc292991c7c46.timestamp.nefilim")) returned 1 [0081.967] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e618 | out: hHeap=0x2680000) returned 1 [0081.967] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0081.967] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812e8 | out: hHeap=0x2680000) returned 1 [0081.967] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xad19b2ee, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad19b2ee, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x70ca10d9, ftLastWriteTime.dwHighDateTime=0x1d35e02, nFileSizeHigh=0x0, nFileSizeLow=0x33, dwReserved0=0x0, dwReserved1=0x0, cFileName="17dfc292991c7c46.timestamp", cAlternateFileName="17DFC2~1.TIM")) returned 0 [0081.967] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0081.967] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0081.967] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3d8 | out: hHeap=0x2680000) returned 1 [0081.967] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0081.967] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d7cc62, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8d35a5d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8d35a5d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="installcache_x64", cAlternateFileName="INSTAL~1")) returned 1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2=".") returned 1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="..") returned 1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="...") returned 1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="windows") returned -1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="$RECYCLE.BIN") returned 1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="rsa") returned -1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="NTDETECT.COM") returned -1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="ntldr") returned -1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="MSDOS.SYS") returned -1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="IO.SYS") returned -1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="boot.ini") returned 1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="AUTOEXEC.BAT") returned 1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="ntuser.dat") returned -1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="desktop.ini") returned 1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="CONFIG.SYS") returned 1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="RECYCLER") returned -1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="BOOTSECT.BAK") returned 1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="bootmgr") returned 1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="programdata") returned -1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="appdata") returned 1 [0081.967] lstrcmpiW (lpString1="installcache_x64", lpString2="program files") returned -1 [0081.968] lstrcmpiW (lpString1="installcache_x64", lpString2="program files (x86)") returned -1 [0081.968] lstrcmpiW (lpString1="installcache_x64", lpString2="microsoft") returned -1 [0081.968] lstrcmpiW (lpString1="installcache_x64", lpString2="sophos") returned -1 [0081.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268be68 [0081.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x8e) returned 0x268e360 [0081.968] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be68 | out: hHeap=0x2680000) returned 1 [0081.968] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0081.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0081.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e3f8 [0081.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e470 [0081.968] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d7cc62, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8d35a5d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8d35a5d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0081.968] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0081.969] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d7cc62, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa8d35a5d, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa8d35a5d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0081.969] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0081.969] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0081.969] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa33265df, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa33265df, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa315c98a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4eba475, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="baseimagefam8", cAlternateFileName="BASEIM~1")) returned 1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2=".") returned 1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="..") returned 1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="...") returned 1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="windows") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="$RECYCLE.BIN") returned 1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="rsa") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="NTDETECT.COM") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="ntldr") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="MSDOS.SYS") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="IO.SYS") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="boot.ini") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="AUTOEXEC.BAT") returned 1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="ntuser.dat") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="desktop.ini") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="CONFIG.SYS") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="RECYCLER") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="BOOTSECT.BAK") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="bootmgr") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="programdata") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="appdata") returned 1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="program files") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="program files (x86)") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="microsoft") returned -1 [0081.969] lstrcmpiW (lpString1="baseimagefam8", lpString2="sophos") returned -1 [0081.969] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e4e8 [0081.969] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e470 | out: hHeap=0x2680000) returned 1 [0081.969] PathFindExtensionW (pszPath="baseimagefam8") returned="" [0081.969] lstrcmpiW (lpString1="", lpString2=".exe") returned -1 [0081.969] lstrcmpiW (lpString1="", lpString2=".log") returned -1 [0081.969] lstrcmpiW (lpString1="", lpString2=".cab") returned -1 [0081.970] lstrcmpiW (lpString1="", lpString2=".cmd") returned -1 [0081.970] lstrcmpiW (lpString1="", lpString2=".com") returned -1 [0081.970] lstrcmpiW (lpString1="", lpString2=".cpl") returned -1 [0081.970] lstrcmpiW (lpString1="", lpString2=".ini") returned -1 [0081.970] lstrcmpiW (lpString1="", lpString2=".dll") returned -1 [0081.970] lstrcmpiW (lpString1="", lpString2=".url") returned -1 [0081.970] lstrcmpiW (lpString1="", lpString2=".ttf") returned -1 [0081.970] lstrcmpiW (lpString1="", lpString2=".mp3") returned -1 [0081.970] lstrcmpiW (lpString1="", lpString2=".pif") returned -1 [0081.970] lstrcmpiW (lpString1="", lpString2=".mp4") returned -1 [0081.970] lstrcmpiW (lpString1="", lpString2=".NEFILIM") returned -1 [0081.970] lstrcmpiW (lpString1="", lpString2=".msi") returned -1 [0081.970] lstrcmpiW (lpString1="", lpString2=".lnk") returned -1 [0081.970] lstrcmpiW (lpString1="baseimagefam8", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0081.970] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e570 [0081.970] CreateFileW (lpFileName="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\baseimagefam8" (normalized: "c:\\users\\all users\\oracle\\java\\installcache_x64\\baseimagefam8"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0082.022] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=82551925) returned 1 [0082.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0082.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0082.022] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0082.022] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0082.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0082.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0082.022] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be478*=0x100) returned 1 [0082.023] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be474*=0x100) returned 1 [0082.023] GetTickCount () returned 0x1155c84 [0082.023] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268be68 [0082.023] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be68 | out: hHeap=0x2680000) returned 1 [0082.023] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4eba475, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.023] SetLastError (dwErrCode=0x0) [0082.023] WriteFile (in: hFile=0x274, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0082.026] GetLastError () returned 0x0 [0082.026] GetLastError () returned 0x0 [0082.026] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4eba575, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.026] WriteFile (in: hFile=0x274, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0082.026] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4eba675, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.026] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x2be28948, dwHighDateTime=0x1d5f971)) [0082.026] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be68 [0082.026] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be68 | out: hHeap=0x2680000) returned 1 [0082.026] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0082.026] GetProcessHeap () returned 0xbc0000 [0082.026] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.027] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.027] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.042] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.042] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.043] GetProcessHeap () returned 0xbc0000 [0082.043] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.043] GetProcessHeap () returned 0xbc0000 [0082.043] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.043] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.043] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.050] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.050] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.050] GetProcessHeap () returned 0xbc0000 [0082.050] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.050] GetProcessHeap () returned 0xbc0000 [0082.050] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.050] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7a120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.050] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.059] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7a120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.059] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.059] GetProcessHeap () returned 0xbc0000 [0082.059] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.059] GetProcessHeap () returned 0xbc0000 [0082.059] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.059] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb71b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.059] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.067] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb71b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.067] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.067] GetProcessHeap () returned 0xbc0000 [0082.067] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.067] GetProcessHeap () returned 0xbc0000 [0082.067] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.067] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf4240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.067] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.128] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf4240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.128] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.129] GetProcessHeap () returned 0xbc0000 [0082.129] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.131] GetProcessHeap () returned 0xbc0000 [0082.131] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.131] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1312d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.131] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.139] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1312d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.139] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.140] GetProcessHeap () returned 0xbc0000 [0082.140] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.140] GetProcessHeap () returned 0xbc0000 [0082.140] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.140] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16e360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.140] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.147] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16e360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.147] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.147] GetProcessHeap () returned 0xbc0000 [0082.147] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.147] GetProcessHeap () returned 0xbc0000 [0082.147] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.147] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ab3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.147] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.155] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ab3f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.155] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.155] GetProcessHeap () returned 0xbc0000 [0082.155] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.156] GetProcessHeap () returned 0xbc0000 [0082.156] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.157] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e8480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.157] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.276] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e8480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.276] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.278] GetProcessHeap () returned 0xbc0000 [0082.278] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.278] GetProcessHeap () returned 0xbc0000 [0082.278] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.278] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x225510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.278] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.286] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x225510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.286] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.287] GetProcessHeap () returned 0xbc0000 [0082.287] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.287] GetProcessHeap () returned 0xbc0000 [0082.287] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.287] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2625a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.287] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.295] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2625a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.295] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.296] GetProcessHeap () returned 0xbc0000 [0082.296] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.297] GetProcessHeap () returned 0xbc0000 [0082.297] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.298] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29f630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.298] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.606] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29f630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.606] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.607] GetProcessHeap () returned 0xbc0000 [0082.607] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.607] GetProcessHeap () returned 0xbc0000 [0082.607] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.607] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2dc6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.607] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.614] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2dc6c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.614] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.614] GetProcessHeap () returned 0xbc0000 [0082.614] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.614] GetProcessHeap () returned 0xbc0000 [0082.614] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.614] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x319750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.614] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.671] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x319750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.671] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.672] GetProcessHeap () returned 0xbc0000 [0082.672] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.673] GetProcessHeap () returned 0xbc0000 [0082.673] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.674] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3567e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.674] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.736] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3567e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.736] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.736] GetProcessHeap () returned 0xbc0000 [0082.736] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.737] GetProcessHeap () returned 0xbc0000 [0082.737] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.737] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x393870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.737] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.744] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x393870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.744] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.744] GetProcessHeap () returned 0xbc0000 [0082.744] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.744] GetProcessHeap () returned 0xbc0000 [0082.744] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.744] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d0900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.744] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.751] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d0900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.751] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.752] GetProcessHeap () returned 0xbc0000 [0082.752] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.753] GetProcessHeap () returned 0xbc0000 [0082.753] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.754] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x40d990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.754] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.821] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x40d990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.821] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.822] GetProcessHeap () returned 0xbc0000 [0082.822] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.822] GetProcessHeap () returned 0xbc0000 [0082.822] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.822] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44aa20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.822] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.829] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44aa20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.829] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.829] GetProcessHeap () returned 0xbc0000 [0082.829] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.829] GetProcessHeap () returned 0xbc0000 [0082.829] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.829] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x487ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.829] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.874] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x487ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.874] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.875] GetProcessHeap () returned 0xbc0000 [0082.875] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.876] GetProcessHeap () returned 0xbc0000 [0082.876] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.877] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c4b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.877] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.885] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c4b40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.885] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.885] GetProcessHeap () returned 0xbc0000 [0082.885] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.885] GetProcessHeap () returned 0xbc0000 [0082.885] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.885] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x501bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.885] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.943] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x501bd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.943] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.944] GetProcessHeap () returned 0xbc0000 [0082.944] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.944] GetProcessHeap () returned 0xbc0000 [0082.944] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.944] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x53ec60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.944] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0082.951] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x53ec60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.951] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0082.951] GetProcessHeap () returned 0xbc0000 [0082.951] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0082.952] GetProcessHeap () returned 0xbc0000 [0082.953] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0082.953] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x57bcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0082.953] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.003] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x57bcf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.003] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.003] GetProcessHeap () returned 0xbc0000 [0083.003] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.003] GetProcessHeap () returned 0xbc0000 [0083.003] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.003] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x5b8d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.003] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.011] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x5b8d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.011] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.011] GetProcessHeap () returned 0xbc0000 [0083.011] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.011] GetProcessHeap () returned 0xbc0000 [0083.011] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.011] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x5f5e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.011] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.061] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x5f5e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.061] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.062] GetProcessHeap () returned 0xbc0000 [0083.062] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.063] GetProcessHeap () returned 0xbc0000 [0083.063] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.064] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x632ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.064] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.072] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x632ea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.072] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.072] GetProcessHeap () returned 0xbc0000 [0083.072] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.072] GetProcessHeap () returned 0xbc0000 [0083.072] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.072] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x66ff30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.072] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.131] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x66ff30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.131] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.131] GetProcessHeap () returned 0xbc0000 [0083.131] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.131] GetProcessHeap () returned 0xbc0000 [0083.131] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.131] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6acfc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.131] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.138] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6acfc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.138] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.139] GetProcessHeap () returned 0xbc0000 [0083.139] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.140] GetProcessHeap () returned 0xbc0000 [0083.140] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.141] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6ea050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.141] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.245] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6ea050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.245] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.247] GetProcessHeap () returned 0xbc0000 [0083.247] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.247] GetProcessHeap () returned 0xbc0000 [0083.247] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.247] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7270e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.247] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.252] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7270e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.252] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.253] GetProcessHeap () returned 0xbc0000 [0083.253] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.253] GetProcessHeap () returned 0xbc0000 [0083.253] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.253] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x764170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.253] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.340] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x764170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.340] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.340] GetProcessHeap () returned 0xbc0000 [0083.340] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.342] GetProcessHeap () returned 0xbc0000 [0083.342] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.342] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7a1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.342] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.350] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7a1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.350] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.351] GetProcessHeap () returned 0xbc0000 [0083.351] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.351] GetProcessHeap () returned 0xbc0000 [0083.351] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.351] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7de290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.351] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.360] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7de290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.360] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.361] GetProcessHeap () returned 0xbc0000 [0083.361] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.361] GetProcessHeap () returned 0xbc0000 [0083.361] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.361] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x81b320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.361] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.442] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x81b320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.442] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.442] GetProcessHeap () returned 0xbc0000 [0083.442] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.443] GetProcessHeap () returned 0xbc0000 [0083.443] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.444] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x8583b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.444] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.517] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x8583b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.517] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.518] GetProcessHeap () returned 0xbc0000 [0083.518] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.518] GetProcessHeap () returned 0xbc0000 [0083.518] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.518] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x895440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.518] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.525] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x895440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.525] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.525] GetProcessHeap () returned 0xbc0000 [0083.525] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.525] GetProcessHeap () returned 0xbc0000 [0083.525] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.525] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x8d24d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.525] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.532] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x8d24d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.532] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.532] GetProcessHeap () returned 0xbc0000 [0083.532] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.533] GetProcessHeap () returned 0xbc0000 [0083.533] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.534] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x90f560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.534] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.592] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x90f560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.592] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.592] GetProcessHeap () returned 0xbc0000 [0083.592] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.592] GetProcessHeap () returned 0xbc0000 [0083.592] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.592] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x94c5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.592] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.646] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x94c5f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.646] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.646] GetProcessHeap () returned 0xbc0000 [0083.647] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.647] GetProcessHeap () returned 0xbc0000 [0083.647] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.647] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x989680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.647] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.653] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x989680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.654] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.654] GetProcessHeap () returned 0xbc0000 [0083.654] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.655] GetProcessHeap () returned 0xbc0000 [0083.655] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.656] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x9c6710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.656] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.664] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x9c6710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.664] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.664] GetProcessHeap () returned 0xbc0000 [0083.664] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.664] GetProcessHeap () returned 0xbc0000 [0083.664] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.664] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa037a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.665] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.880] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa037a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.880] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.880] GetProcessHeap () returned 0xbc0000 [0083.880] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.880] GetProcessHeap () returned 0xbc0000 [0083.880] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.880] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa40830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.881] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.928] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa40830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.928] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.928] GetProcessHeap () returned 0xbc0000 [0083.928] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.929] GetProcessHeap () returned 0xbc0000 [0083.929] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.930] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa7d8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.930] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.939] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa7d8c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.939] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.939] GetProcessHeap () returned 0xbc0000 [0083.939] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.939] GetProcessHeap () returned 0xbc0000 [0083.939] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.939] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xaba950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.940] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0083.947] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xaba950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.947] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0083.947] GetProcessHeap () returned 0xbc0000 [0083.947] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0083.947] GetProcessHeap () returned 0xbc0000 [0083.947] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0083.947] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xaf79e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0083.947] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.010] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xaf79e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.010] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.012] GetProcessHeap () returned 0xbc0000 [0084.012] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.013] GetProcessHeap () returned 0xbc0000 [0084.013] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.014] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb34a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.014] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.073] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb34a70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.073] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.073] GetProcessHeap () returned 0xbc0000 [0084.073] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.073] GetProcessHeap () returned 0xbc0000 [0084.074] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.074] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb71b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.074] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.081] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb71b00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.081] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.081] GetProcessHeap () returned 0xbc0000 [0084.081] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.081] GetProcessHeap () returned 0xbc0000 [0084.081] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.081] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xbaeb90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.081] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.088] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xbaeb90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.088] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.089] GetProcessHeap () returned 0xbc0000 [0084.089] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.090] GetProcessHeap () returned 0xbc0000 [0084.090] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.091] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xbebc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.091] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.145] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xbebc20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.145] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.146] GetProcessHeap () returned 0xbc0000 [0084.146] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.146] GetProcessHeap () returned 0xbc0000 [0084.146] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.146] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xc28cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.146] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.296] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xc28cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.296] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.296] GetProcessHeap () returned 0xbc0000 [0084.296] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.296] GetProcessHeap () returned 0xbc0000 [0084.296] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.296] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xc65d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.297] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.303] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xc65d40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.303] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.304] GetProcessHeap () returned 0xbc0000 [0084.304] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.305] GetProcessHeap () returned 0xbc0000 [0084.305] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.306] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xca2dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.306] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.313] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xca2dd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.313] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.314] GetProcessHeap () returned 0xbc0000 [0084.314] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.314] GetProcessHeap () returned 0xbc0000 [0084.314] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.314] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xcdfe60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.314] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.321] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xcdfe60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.321] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.321] GetProcessHeap () returned 0xbc0000 [0084.321] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.321] GetProcessHeap () returned 0xbc0000 [0084.321] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.321] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xd1cef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.321] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.379] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xd1cef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.379] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.380] GetProcessHeap () returned 0xbc0000 [0084.380] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.381] GetProcessHeap () returned 0xbc0000 [0084.381] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.382] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xd59f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.382] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.391] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xd59f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.391] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.391] GetProcessHeap () returned 0xbc0000 [0084.391] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.391] GetProcessHeap () returned 0xbc0000 [0084.391] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.392] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xd97010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.392] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.398] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xd97010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.399] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.399] GetProcessHeap () returned 0xbc0000 [0084.399] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.399] GetProcessHeap () returned 0xbc0000 [0084.399] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.399] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xdd40a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.399] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.407] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xdd40a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.407] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.407] GetProcessHeap () returned 0xbc0000 [0084.407] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.408] GetProcessHeap () returned 0xbc0000 [0084.408] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.409] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe11130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.409] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.480] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe11130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.480] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.480] GetProcessHeap () returned 0xbc0000 [0084.480] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.480] GetProcessHeap () returned 0xbc0000 [0084.480] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.480] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe4e1c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.480] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.533] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe4e1c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.533] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.534] GetProcessHeap () returned 0xbc0000 [0084.534] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.534] GetProcessHeap () returned 0xbc0000 [0084.534] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.534] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe8b250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.534] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.541] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe8b250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.541] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.541] GetProcessHeap () returned 0xbc0000 [0084.541] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.542] GetProcessHeap () returned 0xbc0000 [0084.542] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.543] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xec82e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.543] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.552] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xec82e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.552] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.552] GetProcessHeap () returned 0xbc0000 [0084.552] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.552] GetProcessHeap () returned 0xbc0000 [0084.552] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.552] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf05370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.552] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.749] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf05370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.749] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.749] GetProcessHeap () returned 0xbc0000 [0084.749] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.750] GetProcessHeap () returned 0xbc0000 [0084.750] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.750] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.750] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.755] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.755] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.755] GetProcessHeap () returned 0xbc0000 [0084.755] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.757] GetProcessHeap () returned 0xbc0000 [0084.757] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.757] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf7f490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.757] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.766] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf7f490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.766] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.767] GetProcessHeap () returned 0xbc0000 [0084.767] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.767] GetProcessHeap () returned 0xbc0000 [0084.767] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.767] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xfbc520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.767] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.774] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xfbc520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.774] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.774] GetProcessHeap () returned 0xbc0000 [0084.774] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.774] GetProcessHeap () returned 0xbc0000 [0084.774] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.774] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xff95b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.775] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.865] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xff95b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.865] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.866] GetProcessHeap () returned 0xbc0000 [0084.866] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.867] GetProcessHeap () returned 0xbc0000 [0084.867] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.868] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1036640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.868] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.875] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1036640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.875] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.876] GetProcessHeap () returned 0xbc0000 [0084.876] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.876] GetProcessHeap () returned 0xbc0000 [0084.876] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.876] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10736d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.876] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.883] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10736d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.883] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.883] GetProcessHeap () returned 0xbc0000 [0084.883] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.883] GetProcessHeap () returned 0xbc0000 [0084.883] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.883] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10b0760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.884] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0084.960] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10b0760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.960] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0084.961] GetProcessHeap () returned 0xbc0000 [0084.961] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0084.962] GetProcessHeap () returned 0xbc0000 [0084.962] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0084.963] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10ed7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0084.963] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.030] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10ed7f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.030] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.031] GetProcessHeap () returned 0xbc0000 [0085.031] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.031] GetProcessHeap () returned 0xbc0000 [0085.031] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.031] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x112a880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.031] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.038] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x112a880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.038] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.039] GetProcessHeap () returned 0xbc0000 [0085.039] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.039] GetProcessHeap () returned 0xbc0000 [0085.039] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.039] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1167910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.039] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.046] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1167910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.046] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.046] GetProcessHeap () returned 0xbc0000 [0085.046] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.047] GetProcessHeap () returned 0xbc0000 [0085.047] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.048] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x11a49a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.048] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.114] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x11a49a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.114] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.114] GetProcessHeap () returned 0xbc0000 [0085.114] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.114] GetProcessHeap () returned 0xbc0000 [0085.115] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.115] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x11e1a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.115] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.174] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x11e1a30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.174] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.175] GetProcessHeap () returned 0xbc0000 [0085.175] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.175] GetProcessHeap () returned 0xbc0000 [0085.175] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.175] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x121eac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.175] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.182] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x121eac0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.182] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.182] GetProcessHeap () returned 0xbc0000 [0085.182] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.183] GetProcessHeap () returned 0xbc0000 [0085.183] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.184] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x125bb50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.184] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.192] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x125bb50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.192] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.193] GetProcessHeap () returned 0xbc0000 [0085.193] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.193] GetProcessHeap () returned 0xbc0000 [0085.193] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.193] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1298be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.193] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.258] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1298be0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.259] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.259] GetProcessHeap () returned 0xbc0000 [0085.259] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.259] GetProcessHeap () returned 0xbc0000 [0085.259] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.259] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x12d5c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.259] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.266] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x12d5c70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.266] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.266] GetProcessHeap () returned 0xbc0000 [0085.266] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.267] GetProcessHeap () returned 0xbc0000 [0085.268] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.268] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1312d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.268] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.327] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1312d00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.327] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.327] GetProcessHeap () returned 0xbc0000 [0085.327] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.327] GetProcessHeap () returned 0xbc0000 [0085.327] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.327] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x134fd90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.327] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.334] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x134fd90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.334] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.334] GetProcessHeap () returned 0xbc0000 [0085.334] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.334] GetProcessHeap () returned 0xbc0000 [0085.334] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.334] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x138ce20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.334] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.457] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x138ce20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.457] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.457] GetProcessHeap () returned 0xbc0000 [0085.457] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.458] GetProcessHeap () returned 0xbc0000 [0085.458] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.459] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x13c9eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.459] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.467] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x13c9eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.467] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.468] GetProcessHeap () returned 0xbc0000 [0085.468] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.468] GetProcessHeap () returned 0xbc0000 [0085.468] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.468] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1406f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.468] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.624] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1406f40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.624] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.624] GetProcessHeap () returned 0xbc0000 [0085.624] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.624] GetProcessHeap () returned 0xbc0000 [0085.624] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.624] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1443fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.624] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.631] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1443fd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.631] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.680] GetProcessHeap () returned 0xbc0000 [0085.680] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.681] GetProcessHeap () returned 0xbc0000 [0085.681] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.682] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1481060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.682] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.690] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1481060, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.690] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.690] GetProcessHeap () returned 0xbc0000 [0085.690] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.690] GetProcessHeap () returned 0xbc0000 [0085.690] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.690] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x14be0f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.690] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.698] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x14be0f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.698] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.698] GetProcessHeap () returned 0xbc0000 [0085.698] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.698] GetProcessHeap () returned 0xbc0000 [0085.698] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.698] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x14fb180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.698] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.752] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x14fb180, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.752] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.753] GetProcessHeap () returned 0xbc0000 [0085.753] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.754] GetProcessHeap () returned 0xbc0000 [0085.754] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.755] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1538210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.755] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.810] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1538210, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.810] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.810] GetProcessHeap () returned 0xbc0000 [0085.810] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.810] GetProcessHeap () returned 0xbc0000 [0085.810] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.810] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15752a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.810] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.817] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15752a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.817] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.818] GetProcessHeap () returned 0xbc0000 [0085.818] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.818] GetProcessHeap () returned 0xbc0000 [0085.818] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.818] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15b2330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.818] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.825] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15b2330, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.825] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.825] GetProcessHeap () returned 0xbc0000 [0085.826] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.827] GetProcessHeap () returned 0xbc0000 [0085.827] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.827] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15ef3c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.827] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.888] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15ef3c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.888] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.889] GetProcessHeap () returned 0xbc0000 [0085.889] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.889] GetProcessHeap () returned 0xbc0000 [0085.889] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.889] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x162c450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.889] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.940] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x162c450, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.940] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.940] GetProcessHeap () returned 0xbc0000 [0085.940] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.940] GetProcessHeap () returned 0xbc0000 [0085.940] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.940] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16694e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.940] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.948] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16694e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.948] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.949] GetProcessHeap () returned 0xbc0000 [0085.949] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.950] GetProcessHeap () returned 0xbc0000 [0085.950] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.950] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16a6570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.951] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0085.958] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16a6570, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.959] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0085.959] GetProcessHeap () returned 0xbc0000 [0085.959] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0085.959] GetProcessHeap () returned 0xbc0000 [0085.959] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0085.959] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16e3600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0085.959] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.016] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16e3600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.016] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.017] GetProcessHeap () returned 0xbc0000 [0086.017] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.017] GetProcessHeap () returned 0xbc0000 [0086.017] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.017] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1720690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.017] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.076] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1720690, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.076] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.077] GetProcessHeap () returned 0xbc0000 [0086.077] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.078] GetProcessHeap () returned 0xbc0000 [0086.078] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.079] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x175d720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.079] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.087] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x175d720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.087] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.087] GetProcessHeap () returned 0xbc0000 [0086.087] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.088] GetProcessHeap () returned 0xbc0000 [0086.088] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.088] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x179a7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.088] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.094] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x179a7b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.094] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.095] GetProcessHeap () returned 0xbc0000 [0086.095] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.095] GetProcessHeap () returned 0xbc0000 [0086.095] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.095] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x17d7840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.095] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.102] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x17d7840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.102] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.103] GetProcessHeap () returned 0xbc0000 [0086.103] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.104] GetProcessHeap () returned 0xbc0000 [0086.104] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.105] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18148d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.105] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.236] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18148d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.236] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.237] GetProcessHeap () returned 0xbc0000 [0086.237] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.237] GetProcessHeap () returned 0xbc0000 [0086.237] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.237] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1851960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.237] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.242] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1851960, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.242] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.243] GetProcessHeap () returned 0xbc0000 [0086.243] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.243] GetProcessHeap () returned 0xbc0000 [0086.243] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.243] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x188e9f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.243] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.250] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x188e9f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.250] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.251] GetProcessHeap () returned 0xbc0000 [0086.251] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.252] GetProcessHeap () returned 0xbc0000 [0086.252] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.253] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18cba80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.253] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.261] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18cba80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.261] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.261] GetProcessHeap () returned 0xbc0000 [0086.261] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.261] GetProcessHeap () returned 0xbc0000 [0086.262] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.262] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1908b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.262] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.389] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1908b10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.389] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.389] GetProcessHeap () returned 0xbc0000 [0086.389] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.389] GetProcessHeap () returned 0xbc0000 [0086.389] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.389] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1945ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.389] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.395] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1945ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.395] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.395] GetProcessHeap () returned 0xbc0000 [0086.395] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.396] GetProcessHeap () returned 0xbc0000 [0086.396] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.397] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1982c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.397] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.406] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1982c30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.406] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.406] GetProcessHeap () returned 0xbc0000 [0086.406] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.406] GetProcessHeap () returned 0xbc0000 [0086.406] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.407] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x19bfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.407] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.418] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x19bfcc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.418] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.418] GetProcessHeap () returned 0xbc0000 [0086.418] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.418] GetProcessHeap () returned 0xbc0000 [0086.418] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.418] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x19fcd50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.419] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.591] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x19fcd50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.591] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.592] GetProcessHeap () returned 0xbc0000 [0086.592] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.593] GetProcessHeap () returned 0xbc0000 [0086.593] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.594] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1a39de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.594] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.602] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1a39de0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.603] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.603] GetProcessHeap () returned 0xbc0000 [0086.603] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.603] GetProcessHeap () returned 0xbc0000 [0086.603] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.603] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1a76e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.603] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.610] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1a76e70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.610] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.610] GetProcessHeap () returned 0xbc0000 [0086.610] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.610] GetProcessHeap () returned 0xbc0000 [0086.610] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.610] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ab3f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.610] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.619] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ab3f00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.619] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.619] GetProcessHeap () returned 0xbc0000 [0086.619] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.620] GetProcessHeap () returned 0xbc0000 [0086.620] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.621] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1af0f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.621] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.743] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1af0f90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.743] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.744] GetProcessHeap () returned 0xbc0000 [0086.744] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.744] GetProcessHeap () returned 0xbc0000 [0086.744] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.744] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1b2e020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.744] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.750] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1b2e020, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.750] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.750] GetProcessHeap () returned 0xbc0000 [0086.750] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.750] GetProcessHeap () returned 0xbc0000 [0086.751] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.751] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1b6b0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.751] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.816] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1b6b0b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.817] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.817] GetProcessHeap () returned 0xbc0000 [0086.817] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.822] GetProcessHeap () returned 0xbc0000 [0086.822] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.823] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ba8140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.824] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.837] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ba8140, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.838] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.838] GetProcessHeap () returned 0xbc0000 [0086.838] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.838] GetProcessHeap () returned 0xbc0000 [0086.838] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.838] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1be51d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.838] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.893] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1be51d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.893] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.895] GetProcessHeap () returned 0xbc0000 [0086.895] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.895] GetProcessHeap () returned 0xbc0000 [0086.895] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.895] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1c22260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.895] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.901] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1c22260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.901] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.901] GetProcessHeap () returned 0xbc0000 [0086.902] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.903] GetProcessHeap () returned 0xbc0000 [0086.903] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.903] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1c5f2f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.903] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.911] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1c5f2f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.912] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.912] GetProcessHeap () returned 0xbc0000 [0086.912] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.912] GetProcessHeap () returned 0xbc0000 [0086.912] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.912] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1c9c380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.912] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.919] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1c9c380, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.919] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.919] GetProcessHeap () returned 0xbc0000 [0086.919] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.919] GetProcessHeap () returned 0xbc0000 [0086.919] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.919] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1cd9410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.920] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0086.967] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1cd9410, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.967] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0086.967] GetProcessHeap () returned 0xbc0000 [0086.967] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0086.969] GetProcessHeap () returned 0xbc0000 [0086.969] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0086.969] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1d164a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0086.969] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.029] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1d164a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.029] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.029] GetProcessHeap () returned 0xbc0000 [0087.029] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.029] GetProcessHeap () returned 0xbc0000 [0087.029] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.029] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1d53530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.030] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.036] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1d53530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.036] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.037] GetProcessHeap () returned 0xbc0000 [0087.037] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.037] GetProcessHeap () returned 0xbc0000 [0087.037] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.037] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1d905c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.037] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.092] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1d905c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.092] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.092] GetProcessHeap () returned 0xbc0000 [0087.092] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.093] GetProcessHeap () returned 0xbc0000 [0087.093] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.094] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1dcd650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.094] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.102] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1dcd650, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.102] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.103] GetProcessHeap () returned 0xbc0000 [0087.103] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.103] GetProcessHeap () returned 0xbc0000 [0087.103] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.103] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e0a6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.103] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.172] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e0a6e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.172] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.172] GetProcessHeap () returned 0xbc0000 [0087.172] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.172] GetProcessHeap () returned 0xbc0000 [0087.172] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.172] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e47770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.172] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.179] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e47770, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.179] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.179] GetProcessHeap () returned 0xbc0000 [0087.179] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.181] GetProcessHeap () returned 0xbc0000 [0087.181] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.181] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e84800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.181] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.269] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1e84800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.269] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.269] GetProcessHeap () returned 0xbc0000 [0087.269] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.269] GetProcessHeap () returned 0xbc0000 [0087.269] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.269] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ec1890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.269] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.276] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ec1890, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.276] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.277] GetProcessHeap () returned 0xbc0000 [0087.277] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.277] GetProcessHeap () returned 0xbc0000 [0087.277] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.277] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1efe920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.277] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.341] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1efe920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.341] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.342] GetProcessHeap () returned 0xbc0000 [0087.342] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.343] GetProcessHeap () returned 0xbc0000 [0087.343] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.344] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1f3b9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.344] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.399] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1f3b9b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.399] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.400] GetProcessHeap () returned 0xbc0000 [0087.400] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.400] GetProcessHeap () returned 0xbc0000 [0087.400] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.400] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1f78a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.400] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.407] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1f78a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.407] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.407] GetProcessHeap () returned 0xbc0000 [0087.407] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.407] GetProcessHeap () returned 0xbc0000 [0087.407] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.407] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1fb5ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.407] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.415] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1fb5ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.415] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.415] GetProcessHeap () returned 0xbc0000 [0087.415] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.416] GetProcessHeap () returned 0xbc0000 [0087.416] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.417] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ff2b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.417] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.487] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1ff2b60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.487] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.488] GetProcessHeap () returned 0xbc0000 [0087.488] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.488] GetProcessHeap () returned 0xbc0000 [0087.488] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.488] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x202fbf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.488] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.495] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x202fbf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.495] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.496] GetProcessHeap () returned 0xbc0000 [0087.496] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.496] GetProcessHeap () returned 0xbc0000 [0087.496] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.496] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x206cc80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.496] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.685] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x206cc80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.685] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.686] GetProcessHeap () returned 0xbc0000 [0087.686] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.687] GetProcessHeap () returned 0xbc0000 [0087.687] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.688] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x20a9d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.688] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.696] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x20a9d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.696] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.696] GetProcessHeap () returned 0xbc0000 [0087.696] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.696] GetProcessHeap () returned 0xbc0000 [0087.696] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.696] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x20e6da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.696] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.771] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x20e6da0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.771] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.772] GetProcessHeap () returned 0xbc0000 [0087.772] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.772] GetProcessHeap () returned 0xbc0000 [0087.772] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.772] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2123e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.772] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.779] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2123e30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.779] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.779] GetProcessHeap () returned 0xbc0000 [0087.779] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.780] GetProcessHeap () returned 0xbc0000 [0087.781] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.781] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2160ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.781] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.848] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2160ec0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.848] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.848] GetProcessHeap () returned 0xbc0000 [0087.848] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.848] GetProcessHeap () returned 0xbc0000 [0087.848] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.848] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x219df50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.848] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.855] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x219df50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.855] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.856] GetProcessHeap () returned 0xbc0000 [0087.856] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.856] GetProcessHeap () returned 0xbc0000 [0087.856] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.856] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x21dafe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.856] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.863] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x21dafe0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.863] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.863] GetProcessHeap () returned 0xbc0000 [0087.863] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.864] GetProcessHeap () returned 0xbc0000 [0087.864] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.865] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2218070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.865] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.920] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2218070, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.920] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.920] GetProcessHeap () returned 0xbc0000 [0087.920] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.920] GetProcessHeap () returned 0xbc0000 [0087.920] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.920] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2255100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.920] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.966] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2255100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.967] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.967] GetProcessHeap () returned 0xbc0000 [0087.967] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.967] GetProcessHeap () returned 0xbc0000 [0087.967] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.967] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2292190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.967] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.974] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2292190, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.974] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.974] GetProcessHeap () returned 0xbc0000 [0087.974] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.975] GetProcessHeap () returned 0xbc0000 [0087.975] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.976] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x22cf220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.976] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0087.984] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x22cf220, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.984] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0087.985] GetProcessHeap () returned 0xbc0000 [0087.985] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0087.985] GetProcessHeap () returned 0xbc0000 [0087.985] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0087.985] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x230c2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0087.985] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.064] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x230c2b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.064] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.064] GetProcessHeap () returned 0xbc0000 [0088.064] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.064] GetProcessHeap () returned 0xbc0000 [0088.064] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.064] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2349340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.064] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.143] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2349340, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.143] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.144] GetProcessHeap () returned 0xbc0000 [0088.144] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.145] GetProcessHeap () returned 0xbc0000 [0088.145] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.146] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x23863d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.146] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.155] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x23863d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.155] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.155] GetProcessHeap () returned 0xbc0000 [0088.155] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.155] GetProcessHeap () returned 0xbc0000 [0088.155] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.155] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x23c3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.155] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.162] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x23c3460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.162] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.163] GetProcessHeap () returned 0xbc0000 [0088.163] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.163] GetProcessHeap () returned 0xbc0000 [0088.163] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.163] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x24004f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.163] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.217] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x24004f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.217] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.217] GetProcessHeap () returned 0xbc0000 [0088.217] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.218] GetProcessHeap () returned 0xbc0000 [0088.218] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.219] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x243d580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.219] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.278] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x243d580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.278] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.279] GetProcessHeap () returned 0xbc0000 [0088.279] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.279] GetProcessHeap () returned 0xbc0000 [0088.279] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.279] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x247a610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.279] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.286] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x247a610, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.286] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.286] GetProcessHeap () returned 0xbc0000 [0088.286] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.286] GetProcessHeap () returned 0xbc0000 [0088.286] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.286] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x24b76a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.286] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.293] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x24b76a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.293] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.293] GetProcessHeap () returned 0xbc0000 [0088.293] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.295] GetProcessHeap () returned 0xbc0000 [0088.295] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.295] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x24f4730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.295] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.356] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x24f4730, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.356] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.357] GetProcessHeap () returned 0xbc0000 [0088.357] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.357] GetProcessHeap () returned 0xbc0000 [0088.357] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.357] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x25317c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.357] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.418] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x25317c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.419] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.419] GetProcessHeap () returned 0xbc0000 [0088.419] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.419] GetProcessHeap () returned 0xbc0000 [0088.419] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.419] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x256e850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.419] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.425] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x256e850, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.425] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.425] GetProcessHeap () returned 0xbc0000 [0088.425] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.426] GetProcessHeap () returned 0xbc0000 [0088.426] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.428] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x25ab8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.428] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.449] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x25ab8e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.449] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.449] GetProcessHeap () returned 0xbc0000 [0088.449] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.449] GetProcessHeap () returned 0xbc0000 [0088.449] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.449] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x25e8970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.450] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.512] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x25e8970, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.512] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.513] GetProcessHeap () returned 0xbc0000 [0088.513] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.513] GetProcessHeap () returned 0xbc0000 [0088.513] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.513] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2625a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.513] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.606] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2625a00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.606] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.606] GetProcessHeap () returned 0xbc0000 [0088.606] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.607] GetProcessHeap () returned 0xbc0000 [0088.608] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.608] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2662a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.608] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.617] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2662a90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.618] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.619] GetProcessHeap () returned 0xbc0000 [0088.619] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.619] GetProcessHeap () returned 0xbc0000 [0088.619] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.619] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x269fb20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.619] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.627] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x269fb20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.627] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.627] GetProcessHeap () returned 0xbc0000 [0088.627] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.627] GetProcessHeap () returned 0xbc0000 [0088.627] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.627] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x26dcbb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.628] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.637] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x26dcbb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.637] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.642] GetProcessHeap () returned 0xbc0000 [0088.642] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.644] GetProcessHeap () returned 0xbc0000 [0088.644] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.644] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2719c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.644] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.822] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2719c40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.822] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.823] GetProcessHeap () returned 0xbc0000 [0088.823] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.823] GetProcessHeap () returned 0xbc0000 [0088.823] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.823] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2756cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.823] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.830] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2756cd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.830] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.830] GetProcessHeap () returned 0xbc0000 [0088.830] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.830] GetProcessHeap () returned 0xbc0000 [0088.830] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.830] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2793d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.830] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.838] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2793d60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.838] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.839] GetProcessHeap () returned 0xbc0000 [0088.839] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.840] GetProcessHeap () returned 0xbc0000 [0088.840] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.841] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x27d0df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.841] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0088.898] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x27d0df0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.898] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0088.898] GetProcessHeap () returned 0xbc0000 [0088.898] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0088.898] GetProcessHeap () returned 0xbc0000 [0088.898] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0088.898] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x280de80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0088.898] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.010] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x280de80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.010] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.011] GetProcessHeap () returned 0xbc0000 [0089.011] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.011] GetProcessHeap () returned 0xbc0000 [0089.011] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.011] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x284af10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.011] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.018] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x284af10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.018] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.018] GetProcessHeap () returned 0xbc0000 [0089.018] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.019] GetProcessHeap () returned 0xbc0000 [0089.019] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.020] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2887fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.020] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.029] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2887fa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.029] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.030] GetProcessHeap () returned 0xbc0000 [0089.030] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.030] GetProcessHeap () returned 0xbc0000 [0089.030] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.030] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x28c5030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.030] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.072] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x28c5030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.072] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.073] GetProcessHeap () returned 0xbc0000 [0089.073] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.073] GetProcessHeap () returned 0xbc0000 [0089.073] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.073] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29020c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.073] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.123] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29020c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.123] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.123] GetProcessHeap () returned 0xbc0000 [0089.123] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.124] GetProcessHeap () returned 0xbc0000 [0089.124] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.125] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x293f150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.125] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.133] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x293f150, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.133] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.134] GetProcessHeap () returned 0xbc0000 [0089.134] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.134] GetProcessHeap () returned 0xbc0000 [0089.134] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.134] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x297c1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.134] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.141] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x297c1e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.141] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.141] GetProcessHeap () returned 0xbc0000 [0089.141] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.141] GetProcessHeap () returned 0xbc0000 [0089.141] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.141] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29b9270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.141] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.155] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29b9270, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.156] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.156] GetProcessHeap () returned 0xbc0000 [0089.156] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.157] GetProcessHeap () returned 0xbc0000 [0089.157] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.158] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29f6300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.158] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.171] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29f6300, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.171] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.172] GetProcessHeap () returned 0xbc0000 [0089.172] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.172] GetProcessHeap () returned 0xbc0000 [0089.172] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.172] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2a33390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.172] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.230] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2a33390, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.230] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.230] GetProcessHeap () returned 0xbc0000 [0089.230] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.230] GetProcessHeap () returned 0xbc0000 [0089.230] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.230] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2a70420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.230] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.237] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2a70420, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.237] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.238] GetProcessHeap () returned 0xbc0000 [0089.238] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.286] GetProcessHeap () returned 0xbc0000 [0089.286] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.287] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2aad4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.287] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.296] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2aad4b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.296] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.296] GetProcessHeap () returned 0xbc0000 [0089.296] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.296] GetProcessHeap () returned 0xbc0000 [0089.296] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.296] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2aea540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.296] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.355] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2aea540, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.355] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.356] GetProcessHeap () returned 0xbc0000 [0089.356] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.356] GetProcessHeap () returned 0xbc0000 [0089.356] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.356] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2b275d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.356] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.363] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2b275d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.363] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.364] GetProcessHeap () returned 0xbc0000 [0089.364] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.365] GetProcessHeap () returned 0xbc0000 [0089.365] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.366] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2b64660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.366] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.421] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2b64660, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.421] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.421] GetProcessHeap () returned 0xbc0000 [0089.422] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.422] GetProcessHeap () returned 0xbc0000 [0089.422] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.422] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2ba16f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.422] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.429] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2ba16f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.429] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.429] GetProcessHeap () returned 0xbc0000 [0089.429] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.429] GetProcessHeap () returned 0xbc0000 [0089.429] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.429] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2bde780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.429] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.449] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2bde780, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.449] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.449] GetProcessHeap () returned 0xbc0000 [0089.449] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.450] GetProcessHeap () returned 0xbc0000 [0089.450] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.451] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2c1b810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.451] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.510] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2c1b810, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.511] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.511] GetProcessHeap () returned 0xbc0000 [0089.511] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.511] GetProcessHeap () returned 0xbc0000 [0089.511] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.511] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2c588a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.511] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.604] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2c588a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.604] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.605] GetProcessHeap () returned 0xbc0000 [0089.605] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.605] GetProcessHeap () returned 0xbc0000 [0089.605] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.605] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2c95930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.605] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.612] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2c95930, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.612] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.612] GetProcessHeap () returned 0xbc0000 [0089.612] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.613] GetProcessHeap () returned 0xbc0000 [0089.613] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.616] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2cd29c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.616] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.624] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2cd29c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.624] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.625] GetProcessHeap () returned 0xbc0000 [0089.625] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.625] GetProcessHeap () returned 0xbc0000 [0089.625] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.625] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2d0fa50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.625] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.739] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2d0fa50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.740] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.740] GetProcessHeap () returned 0xbc0000 [0089.740] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.740] GetProcessHeap () returned 0xbc0000 [0089.740] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.740] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2d4cae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.740] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.747] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2d4cae0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.747] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.748] GetProcessHeap () returned 0xbc0000 [0089.748] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.749] GetProcessHeap () returned 0xbc0000 [0089.749] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.750] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2d89b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.750] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.758] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2d89b70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.758] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.758] GetProcessHeap () returned 0xbc0000 [0089.759] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.759] GetProcessHeap () returned 0xbc0000 [0089.759] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.759] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2dc6c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.759] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.765] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2dc6c00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.765] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.766] GetProcessHeap () returned 0xbc0000 [0089.766] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.766] GetProcessHeap () returned 0xbc0000 [0089.766] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.766] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2e03c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.766] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.854] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2e03c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.855] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.855] GetProcessHeap () returned 0xbc0000 [0089.855] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.856] GetProcessHeap () returned 0xbc0000 [0089.856] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.857] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2e40d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.857] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.936] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2e40d20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.936] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.937] GetProcessHeap () returned 0xbc0000 [0089.937] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.937] GetProcessHeap () returned 0xbc0000 [0089.937] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.937] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2e7ddb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.937] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.944] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2e7ddb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.944] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.944] GetProcessHeap () returned 0xbc0000 [0089.945] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.945] GetProcessHeap () returned 0xbc0000 [0089.945] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.945] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2ebae40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.945] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0089.951] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2ebae40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.952] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0089.952] GetProcessHeap () returned 0xbc0000 [0089.952] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0089.953] GetProcessHeap () returned 0xbc0000 [0089.953] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0089.954] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2ef7ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0089.954] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.042] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2ef7ed0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.042] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.043] GetProcessHeap () returned 0xbc0000 [0090.043] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.043] GetProcessHeap () returned 0xbc0000 [0090.043] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.043] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2f34f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.043] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.163] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2f34f60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.163] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.164] GetProcessHeap () returned 0xbc0000 [0090.164] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.164] GetProcessHeap () returned 0xbc0000 [0090.164] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.164] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2f71ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.164] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.171] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2f71ff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.171] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.171] GetProcessHeap () returned 0xbc0000 [0090.171] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.172] GetProcessHeap () returned 0xbc0000 [0090.172] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.173] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2faf080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.173] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.182] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2faf080, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.182] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.182] GetProcessHeap () returned 0xbc0000 [0090.182] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.182] GetProcessHeap () returned 0xbc0000 [0090.182] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.182] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2fec110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.182] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.276] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2fec110, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.276] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.277] GetProcessHeap () returned 0xbc0000 [0090.277] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.277] GetProcessHeap () returned 0xbc0000 [0090.277] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.277] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x30291a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.277] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.323] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x30291a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.324] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.324] GetProcessHeap () returned 0xbc0000 [0090.324] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.325] GetProcessHeap () returned 0xbc0000 [0090.325] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.326] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3066230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.326] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.334] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3066230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.334] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.335] GetProcessHeap () returned 0xbc0000 [0090.335] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.335] GetProcessHeap () returned 0xbc0000 [0090.335] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.335] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x30a32c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.335] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.341] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x30a32c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.341] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.341] GetProcessHeap () returned 0xbc0000 [0090.341] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.341] GetProcessHeap () returned 0xbc0000 [0090.341] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.341] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x30e0350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.341] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.348] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x30e0350, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.348] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.349] GetProcessHeap () returned 0xbc0000 [0090.349] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.350] GetProcessHeap () returned 0xbc0000 [0090.350] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.351] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x311d3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.351] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.401] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x311d3e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.402] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.402] GetProcessHeap () returned 0xbc0000 [0090.402] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.402] GetProcessHeap () returned 0xbc0000 [0090.402] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.402] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x315a470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.402] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.409] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x315a470, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.409] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.409] GetProcessHeap () returned 0xbc0000 [0090.409] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.409] GetProcessHeap () returned 0xbc0000 [0090.409] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.409] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3197500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.409] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.416] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3197500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.417] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.417] GetProcessHeap () returned 0xbc0000 [0090.417] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.418] GetProcessHeap () returned 0xbc0000 [0090.418] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.419] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x31d4590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.419] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.427] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x31d4590, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.428] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.428] GetProcessHeap () returned 0xbc0000 [0090.428] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.428] GetProcessHeap () returned 0xbc0000 [0090.428] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.428] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3211620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.428] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.496] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3211620, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.496] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.496] GetProcessHeap () returned 0xbc0000 [0090.496] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.496] GetProcessHeap () returned 0xbc0000 [0090.496] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.496] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x324e6b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.496] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.503] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x324e6b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.503] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.504] GetProcessHeap () returned 0xbc0000 [0090.504] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.505] GetProcessHeap () returned 0xbc0000 [0090.505] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.506] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x328b740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.506] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.514] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x328b740, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.515] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.515] GetProcessHeap () returned 0xbc0000 [0090.515] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.515] GetProcessHeap () returned 0xbc0000 [0090.515] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.515] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x32c87d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.515] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.572] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x32c87d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.572] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.572] GetProcessHeap () returned 0xbc0000 [0090.572] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.572] GetProcessHeap () returned 0xbc0000 [0090.572] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.572] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3305860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.573] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.621] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3305860, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.621] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.621] GetProcessHeap () returned 0xbc0000 [0090.621] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.623] GetProcessHeap () returned 0xbc0000 [0090.623] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.623] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x33428f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.623] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.633] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x33428f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.633] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.634] GetProcessHeap () returned 0xbc0000 [0090.634] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.634] GetProcessHeap () returned 0xbc0000 [0090.634] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.634] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x337f980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.634] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.642] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x337f980, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.642] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.642] GetProcessHeap () returned 0xbc0000 [0090.642] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.642] GetProcessHeap () returned 0xbc0000 [0090.642] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.642] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x33bca10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.642] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.650] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x33bca10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.650] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.650] GetProcessHeap () returned 0xbc0000 [0090.650] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.651] GetProcessHeap () returned 0xbc0000 [0090.651] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.652] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x33f9aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.652] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.715] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x33f9aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.715] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.716] GetProcessHeap () returned 0xbc0000 [0090.716] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.716] GetProcessHeap () returned 0xbc0000 [0090.716] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.716] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3436b30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.717] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.724] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3436b30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.724] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.724] GetProcessHeap () returned 0xbc0000 [0090.724] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.724] GetProcessHeap () returned 0xbc0000 [0090.724] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.724] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3473bc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.724] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.731] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3473bc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.731] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.732] GetProcessHeap () returned 0xbc0000 [0090.732] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.733] GetProcessHeap () returned 0xbc0000 [0090.733] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.733] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x34b0c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.733] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.741] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x34b0c50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.741] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.742] GetProcessHeap () returned 0xbc0000 [0090.742] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.742] GetProcessHeap () returned 0xbc0000 [0090.742] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.742] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x34edce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.742] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.798] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x34edce0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.798] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.799] GetProcessHeap () returned 0xbc0000 [0090.800] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.800] GetProcessHeap () returned 0xbc0000 [0090.800] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.800] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x352ad70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.800] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.807] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x352ad70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.807] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.807] GetProcessHeap () returned 0xbc0000 [0090.807] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.808] GetProcessHeap () returned 0xbc0000 [0090.808] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.809] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3567e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.809] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.817] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3567e00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.817] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.818] GetProcessHeap () returned 0xbc0000 [0090.818] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.818] GetProcessHeap () returned 0xbc0000 [0090.818] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.818] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x35a4e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.818] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.828] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x35a4e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.828] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.828] GetProcessHeap () returned 0xbc0000 [0090.828] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.828] GetProcessHeap () returned 0xbc0000 [0090.828] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.828] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x35e1f20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.828] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.872] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x35e1f20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.872] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.874] GetProcessHeap () returned 0xbc0000 [0090.874] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.875] GetProcessHeap () returned 0xbc0000 [0090.875] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.875] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x361efb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.875] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.884] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x361efb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.884] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.884] GetProcessHeap () returned 0xbc0000 [0090.884] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.884] GetProcessHeap () returned 0xbc0000 [0090.884] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.884] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x365c040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.884] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.893] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x365c040, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.893] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.893] GetProcessHeap () returned 0xbc0000 [0090.893] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.893] GetProcessHeap () returned 0xbc0000 [0090.893] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.893] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x36990d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.893] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.900] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x36990d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.900] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.900] GetProcessHeap () returned 0xbc0000 [0090.900] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.901] GetProcessHeap () returned 0xbc0000 [0090.901] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.902] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x36d6160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.902] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.918] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x36d6160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.918] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.918] GetProcessHeap () returned 0xbc0000 [0090.918] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.918] GetProcessHeap () returned 0xbc0000 [0090.918] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.918] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x37131f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.918] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.948] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x37131f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.948] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.948] GetProcessHeap () returned 0xbc0000 [0090.948] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.948] GetProcessHeap () returned 0xbc0000 [0090.948] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.948] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3750280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.948] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0090.956] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3750280, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.956] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0090.957] GetProcessHeap () returned 0xbc0000 [0090.957] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0090.958] GetProcessHeap () returned 0xbc0000 [0090.958] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0090.959] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x378d310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0090.959] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.011] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x378d310, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.012] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.012] GetProcessHeap () returned 0xbc0000 [0091.012] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.012] GetProcessHeap () returned 0xbc0000 [0091.012] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.012] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x37ca3a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.012] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.104] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x37ca3a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.104] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.104] GetProcessHeap () returned 0xbc0000 [0091.104] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.104] GetProcessHeap () returned 0xbc0000 [0091.104] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.104] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3807430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.104] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.151] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3807430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.151] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.152] GetProcessHeap () returned 0xbc0000 [0091.152] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.153] GetProcessHeap () returned 0xbc0000 [0091.153] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.154] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x38444c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.154] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.162] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x38444c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.162] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.163] GetProcessHeap () returned 0xbc0000 [0091.163] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.163] GetProcessHeap () returned 0xbc0000 [0091.163] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.163] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3881550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.163] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.170] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3881550, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.170] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.170] GetProcessHeap () returned 0xbc0000 [0091.170] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.170] GetProcessHeap () returned 0xbc0000 [0091.170] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.170] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x38be5e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.170] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.217] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x38be5e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.217] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.217] GetProcessHeap () returned 0xbc0000 [0091.217] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.218] GetProcessHeap () returned 0xbc0000 [0091.218] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.219] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x38fb670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.219] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.277] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x38fb670, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.277] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.278] GetProcessHeap () returned 0xbc0000 [0091.278] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.278] GetProcessHeap () returned 0xbc0000 [0091.278] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.278] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3938700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.278] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.285] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3938700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.285] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.285] GetProcessHeap () returned 0xbc0000 [0091.285] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.285] GetProcessHeap () returned 0xbc0000 [0091.285] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.285] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3975790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.285] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.292] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3975790, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.292] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.293] GetProcessHeap () returned 0xbc0000 [0091.293] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.294] GetProcessHeap () returned 0xbc0000 [0091.294] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.294] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x39b2820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.295] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.431] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x39b2820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.432] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.432] GetProcessHeap () returned 0xbc0000 [0091.432] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.432] GetProcessHeap () returned 0xbc0000 [0091.432] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.432] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x39ef8b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.432] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.494] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x39ef8b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.494] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.495] GetProcessHeap () returned 0xbc0000 [0091.495] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.495] GetProcessHeap () returned 0xbc0000 [0091.495] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.495] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3a2c940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.495] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.502] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3a2c940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.502] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.503] GetProcessHeap () returned 0xbc0000 [0091.503] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.504] GetProcessHeap () returned 0xbc0000 [0091.504] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.505] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3a699d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.505] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.514] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3a699d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.514] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.514] GetProcessHeap () returned 0xbc0000 [0091.514] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.514] GetProcessHeap () returned 0xbc0000 [0091.514] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.514] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3aa6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.514] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.605] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3aa6a60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.605] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.605] GetProcessHeap () returned 0xbc0000 [0091.605] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.605] GetProcessHeap () returned 0xbc0000 [0091.605] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.605] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3ae3af0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.605] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.678] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3ae3af0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.678] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.679] GetProcessHeap () returned 0xbc0000 [0091.679] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.680] GetProcessHeap () returned 0xbc0000 [0091.680] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.681] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3b20b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.681] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.688] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3b20b80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.688] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.688] GetProcessHeap () returned 0xbc0000 [0091.688] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.688] GetProcessHeap () returned 0xbc0000 [0091.688] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.688] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3b5dc10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.688] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.741] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3b5dc10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.741] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.741] GetProcessHeap () returned 0xbc0000 [0091.741] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.741] GetProcessHeap () returned 0xbc0000 [0091.741] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.741] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3b9aca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.742] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.748] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3b9aca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.748] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.749] GetProcessHeap () returned 0xbc0000 [0091.749] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.750] GetProcessHeap () returned 0xbc0000 [0091.750] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.750] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3bd7d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.750] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.760] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3bd7d30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.760] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.760] GetProcessHeap () returned 0xbc0000 [0091.760] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.760] GetProcessHeap () returned 0xbc0000 [0091.760] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.760] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3c14dc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.760] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.842] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3c14dc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.842] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.843] GetProcessHeap () returned 0xbc0000 [0091.843] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.843] GetProcessHeap () returned 0xbc0000 [0091.843] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.843] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3c51e50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.843] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.904] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3c51e50, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.904] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.904] GetProcessHeap () returned 0xbc0000 [0091.904] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.905] GetProcessHeap () returned 0xbc0000 [0091.906] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.906] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3c8eee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.906] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.915] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3c8eee0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.915] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.915] GetProcessHeap () returned 0xbc0000 [0091.915] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.916] GetProcessHeap () returned 0xbc0000 [0091.916] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.916] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3ccbf70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.916] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.922] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3ccbf70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.922] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.923] GetProcessHeap () returned 0xbc0000 [0091.923] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.923] GetProcessHeap () returned 0xbc0000 [0091.923] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0091.923] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d09000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.923] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0091.997] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d09000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0091.997] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0091.998] GetProcessHeap () returned 0xbc0000 [0091.998] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0091.999] GetProcessHeap () returned 0xbc0000 [0091.999] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.000] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d46090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.000] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.054] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d46090, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.054] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.054] GetProcessHeap () returned 0xbc0000 [0092.054] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.054] GetProcessHeap () returned 0xbc0000 [0092.054] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.055] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d83120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.055] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.064] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3d83120, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.064] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.064] GetProcessHeap () returned 0xbc0000 [0092.064] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.064] GetProcessHeap () returned 0xbc0000 [0092.064] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.064] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3dc01b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.064] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.072] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3dc01b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.072] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.072] GetProcessHeap () returned 0xbc0000 [0092.072] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.073] GetProcessHeap () returned 0xbc0000 [0092.073] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.074] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3dfd240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.074] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.127] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3dfd240, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.127] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.128] GetProcessHeap () returned 0xbc0000 [0092.128] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.128] GetProcessHeap () returned 0xbc0000 [0092.128] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.128] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3e3a2d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.128] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.196] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3e3a2d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.196] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.197] GetProcessHeap () returned 0xbc0000 [0092.197] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.197] GetProcessHeap () returned 0xbc0000 [0092.197] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.197] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3e77360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.197] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.204] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3e77360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.204] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.204] GetProcessHeap () returned 0xbc0000 [0092.204] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.205] GetProcessHeap () returned 0xbc0000 [0092.205] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.206] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3eb43f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.206] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.214] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3eb43f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.215] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.215] GetProcessHeap () returned 0xbc0000 [0092.215] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.215] GetProcessHeap () returned 0xbc0000 [0092.215] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.215] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3ef1480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.215] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.290] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3ef1480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.290] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.291] GetProcessHeap () returned 0xbc0000 [0092.291] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.291] GetProcessHeap () returned 0xbc0000 [0092.291] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.291] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3f2e510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.291] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.343] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3f2e510, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.344] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.344] GetProcessHeap () returned 0xbc0000 [0092.344] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.345] GetProcessHeap () returned 0xbc0000 [0092.345] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.346] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3f6b5a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.346] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.356] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3f6b5a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.356] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.356] GetProcessHeap () returned 0xbc0000 [0092.356] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.356] GetProcessHeap () returned 0xbc0000 [0092.356] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.356] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3fa8630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.356] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.364] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3fa8630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.364] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.364] GetProcessHeap () returned 0xbc0000 [0092.364] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.364] GetProcessHeap () returned 0xbc0000 [0092.364] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.364] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3fe56c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.365] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.480] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x3fe56c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.481] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.482] GetProcessHeap () returned 0xbc0000 [0092.482] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.483] GetProcessHeap () returned 0xbc0000 [0092.483] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.484] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4022750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.484] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.669] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4022750, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.669] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.670] GetProcessHeap () returned 0xbc0000 [0092.670] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.670] GetProcessHeap () returned 0xbc0000 [0092.670] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.670] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x405f7e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.670] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.677] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x405f7e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.677] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.678] GetProcessHeap () returned 0xbc0000 [0092.678] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.678] GetProcessHeap () returned 0xbc0000 [0092.678] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.678] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x409c870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.678] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.685] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x409c870, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.685] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.685] GetProcessHeap () returned 0xbc0000 [0092.685] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.686] GetProcessHeap () returned 0xbc0000 [0092.686] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.687] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x40d9900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.687] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.728] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x40d9900, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.728] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.729] GetProcessHeap () returned 0xbc0000 [0092.729] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.729] GetProcessHeap () returned 0xbc0000 [0092.729] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.729] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4116990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.729] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.786] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4116990, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.787] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.787] GetProcessHeap () returned 0xbc0000 [0092.787] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.787] GetProcessHeap () returned 0xbc0000 [0092.787] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.787] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4153a20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.787] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.794] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4153a20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.794] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.794] GetProcessHeap () returned 0xbc0000 [0092.794] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.795] GetProcessHeap () returned 0xbc0000 [0092.796] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.796] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4190ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.796] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.805] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4190ab0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.805] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.805] GetProcessHeap () returned 0xbc0000 [0092.805] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.805] GetProcessHeap () returned 0xbc0000 [0092.805] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.806] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x41cdb40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.806] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.813] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x41cdb40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.813] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.813] GetProcessHeap () returned 0xbc0000 [0092.813] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.813] GetProcessHeap () returned 0xbc0000 [0092.813] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.813] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x420abd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.813] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.887] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x420abd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.888] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.888] GetProcessHeap () returned 0xbc0000 [0092.888] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.889] GetProcessHeap () returned 0xbc0000 [0092.889] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.890] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4247c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.890] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.899] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4247c60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.899] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.900] GetProcessHeap () returned 0xbc0000 [0092.900] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.900] GetProcessHeap () returned 0xbc0000 [0092.900] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.900] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4284cf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.900] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.908] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4284cf0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.908] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.908] GetProcessHeap () returned 0xbc0000 [0092.908] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.908] GetProcessHeap () returned 0xbc0000 [0092.908] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.908] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x42c1d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.909] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.916] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x42c1d80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.916] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.916] GetProcessHeap () returned 0xbc0000 [0092.916] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.917] GetProcessHeap () returned 0xbc0000 [0092.917] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.918] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x42fee10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.918] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.980] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x42fee10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.980] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.981] GetProcessHeap () returned 0xbc0000 [0092.981] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.981] GetProcessHeap () returned 0xbc0000 [0092.981] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.981] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x433bea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.981] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.988] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x433bea0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.988] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.988] GetProcessHeap () returned 0xbc0000 [0092.988] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.988] GetProcessHeap () returned 0xbc0000 [0092.988] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.988] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4378f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.988] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0092.995] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4378f30, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.995] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0092.996] GetProcessHeap () returned 0xbc0000 [0092.996] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0092.997] GetProcessHeap () returned 0xbc0000 [0092.997] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0092.998] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x43b5fc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0092.998] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.060] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x43b5fc0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.060] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.060] GetProcessHeap () returned 0xbc0000 [0093.060] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.060] GetProcessHeap () returned 0xbc0000 [0093.060] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.061] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x43f3050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.061] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.125] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x43f3050, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.125] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.126] GetProcessHeap () returned 0xbc0000 [0093.126] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.126] GetProcessHeap () returned 0xbc0000 [0093.126] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.126] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44300e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.126] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.134] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44300e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.134] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.134] GetProcessHeap () returned 0xbc0000 [0093.134] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.135] GetProcessHeap () returned 0xbc0000 [0093.135] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.136] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x446d170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.136] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.144] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x446d170, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.144] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.145] GetProcessHeap () returned 0xbc0000 [0093.145] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.145] GetProcessHeap () returned 0xbc0000 [0093.145] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.145] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44aa200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.145] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.199] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44aa200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.199] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.200] GetProcessHeap () returned 0xbc0000 [0093.200] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.200] GetProcessHeap () returned 0xbc0000 [0093.200] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.200] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44e7290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.200] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.325] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x44e7290, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.325] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.326] GetProcessHeap () returned 0xbc0000 [0093.326] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.327] GetProcessHeap () returned 0xbc0000 [0093.327] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.328] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4524320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.328] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.335] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4524320, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.335] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.336] GetProcessHeap () returned 0xbc0000 [0093.336] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.336] GetProcessHeap () returned 0xbc0000 [0093.336] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.336] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x45613b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.336] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.343] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x45613b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.343] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.343] GetProcessHeap () returned 0xbc0000 [0093.343] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.343] GetProcessHeap () returned 0xbc0000 [0093.343] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.343] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x459e440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.343] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.398] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x459e440, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.398] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.399] GetProcessHeap () returned 0xbc0000 [0093.399] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.400] GetProcessHeap () returned 0xbc0000 [0093.400] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.401] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x45db4d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.401] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.409] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x45db4d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.409] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.409] GetProcessHeap () returned 0xbc0000 [0093.409] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.409] GetProcessHeap () returned 0xbc0000 [0093.409] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.409] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4618560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.409] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.519] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4618560, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.519] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.520] GetProcessHeap () returned 0xbc0000 [0093.520] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.520] GetProcessHeap () returned 0xbc0000 [0093.520] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.520] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x46555f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.520] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.527] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x46555f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.527] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.784] GetProcessHeap () returned 0xbc0000 [0093.784] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.785] GetProcessHeap () returned 0xbc0000 [0093.785] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.786] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4692680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.786] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.800] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4692680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.800] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.800] GetProcessHeap () returned 0xbc0000 [0093.800] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.800] GetProcessHeap () returned 0xbc0000 [0093.800] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.800] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x46cf710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.800] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.829] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x46cf710, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.829] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.829] GetProcessHeap () returned 0xbc0000 [0093.829] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.829] GetProcessHeap () returned 0xbc0000 [0093.829] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.829] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x470c7a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.829] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.912] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x470c7a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.912] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.913] GetProcessHeap () returned 0xbc0000 [0093.913] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.914] GetProcessHeap () returned 0xbc0000 [0093.914] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.915] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4749830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.915] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.976] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4749830, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.976] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.977] GetProcessHeap () returned 0xbc0000 [0093.977] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.977] GetProcessHeap () returned 0xbc0000 [0093.977] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.977] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x47868c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.977] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.986] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x47868c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.986] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.987] GetProcessHeap () returned 0xbc0000 [0093.987] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.987] GetProcessHeap () returned 0xbc0000 [0093.987] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.987] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x47c3950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.987] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0093.995] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x47c3950, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.995] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0093.996] GetProcessHeap () returned 0xbc0000 [0093.996] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0093.997] GetProcessHeap () returned 0xbc0000 [0093.997] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0093.998] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x48009e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0093.998] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.051] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x48009e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.051] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.051] GetProcessHeap () returned 0xbc0000 [0094.051] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.051] GetProcessHeap () returned 0xbc0000 [0094.051] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.051] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x483da70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.051] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.093] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x483da70, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.093] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.094] GetProcessHeap () returned 0xbc0000 [0094.094] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.094] GetProcessHeap () returned 0xbc0000 [0094.094] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.094] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x487ab00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.094] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.101] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x487ab00, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.101] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.101] GetProcessHeap () returned 0xbc0000 [0094.102] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.103] GetProcessHeap () returned 0xbc0000 [0094.103] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.103] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x48b7b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.103] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.112] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x48b7b90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.112] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.112] GetProcessHeap () returned 0xbc0000 [0094.112] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.112] GetProcessHeap () returned 0xbc0000 [0094.112] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.112] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x48f4c20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.112] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.257] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x48f4c20, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.257] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.258] GetProcessHeap () returned 0xbc0000 [0094.258] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.258] GetProcessHeap () returned 0xbc0000 [0094.258] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.258] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4931cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.258] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.265] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4931cb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.265] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.266] GetProcessHeap () returned 0xbc0000 [0094.266] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.267] GetProcessHeap () returned 0xbc0000 [0094.267] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.267] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x496ed40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.267] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.275] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x496ed40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.275] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.276] GetProcessHeap () returned 0xbc0000 [0094.276] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.276] GetProcessHeap () returned 0xbc0000 [0094.276] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.276] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x49abdd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.276] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.284] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x49abdd0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.284] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.284] GetProcessHeap () returned 0xbc0000 [0094.284] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.284] GetProcessHeap () returned 0xbc0000 [0094.284] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.284] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x49e8e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.284] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.350] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x49e8e60, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.351] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.352] GetProcessHeap () returned 0xbc0000 [0094.352] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.353] GetProcessHeap () returned 0xbc0000 [0094.353] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.353] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4a25ef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.353] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.405] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4a25ef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.405] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.406] GetProcessHeap () returned 0xbc0000 [0094.406] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.406] GetProcessHeap () returned 0xbc0000 [0094.406] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.406] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4a62f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.406] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.412] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4a62f80, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.412] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.412] GetProcessHeap () returned 0xbc0000 [0094.412] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.412] GetProcessHeap () returned 0xbc0000 [0094.412] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.412] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4aa0010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.413] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.419] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4aa0010, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.419] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.420] GetProcessHeap () returned 0xbc0000 [0094.420] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.421] GetProcessHeap () returned 0xbc0000 [0094.421] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.422] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4add0a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.422] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.430] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4add0a0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.430] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.430] GetProcessHeap () returned 0xbc0000 [0094.430] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.430] GetProcessHeap () returned 0xbc0000 [0094.430] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.430] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4b1a130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.430] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.510] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4b1a130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.510] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.510] GetProcessHeap () returned 0xbc0000 [0094.510] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.510] GetProcessHeap () returned 0xbc0000 [0094.510] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.510] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4b571c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.510] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.517] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4b571c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.517] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.518] GetProcessHeap () returned 0xbc0000 [0094.518] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.519] GetProcessHeap () returned 0xbc0000 [0094.519] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.520] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4b94250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.520] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.528] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4b94250, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.528] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.529] GetProcessHeap () returned 0xbc0000 [0094.529] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.529] GetProcessHeap () returned 0xbc0000 [0094.529] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.529] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4bd12e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.529] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.536] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4bd12e0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.536] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.536] GetProcessHeap () returned 0xbc0000 [0094.536] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.536] GetProcessHeap () returned 0xbc0000 [0094.536] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.536] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c0e370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.536] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.678] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c0e370, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.678] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.678] GetProcessHeap () returned 0xbc0000 [0094.678] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.679] GetProcessHeap () returned 0xbc0000 [0094.679] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.680] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c4b400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.680] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.690] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c4b400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.690] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.690] GetProcessHeap () returned 0xbc0000 [0094.690] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.690] GetProcessHeap () returned 0xbc0000 [0094.690] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.690] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c88490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.690] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.697] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4c88490, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.697] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.700] GetProcessHeap () returned 0xbc0000 [0094.700] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.700] GetProcessHeap () returned 0xbc0000 [0094.700] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.700] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4cc5520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.700] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.707] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4cc5520, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.707] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.707] GetProcessHeap () returned 0xbc0000 [0094.707] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.708] GetProcessHeap () returned 0xbc0000 [0094.708] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.709] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4d025b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.709] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.767] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4d025b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.767] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.768] GetProcessHeap () returned 0xbc0000 [0094.768] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.768] GetProcessHeap () returned 0xbc0000 [0094.768] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.768] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4d3f640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.768] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.775] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4d3f640, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.775] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.775] GetProcessHeap () returned 0xbc0000 [0094.775] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.775] GetProcessHeap () returned 0xbc0000 [0094.775] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.775] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4d7c6d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.775] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.782] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4d7c6d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.782] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.783] GetProcessHeap () returned 0xbc0000 [0094.783] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.784] GetProcessHeap () returned 0xbc0000 [0094.784] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.784] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4db9760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.785] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.840] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4db9760, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.840] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.840] GetProcessHeap () returned 0xbc0000 [0094.840] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.840] GetProcessHeap () returned 0xbc0000 [0094.840] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.841] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4df67f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.841] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.861] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4df67f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.861] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.862] GetProcessHeap () returned 0xbc0000 [0094.862] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.862] GetProcessHeap () returned 0xbc0000 [0094.862] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.862] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4e33880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.862] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0094.868] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4e33880, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.868] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0094.869] GetProcessHeap () returned 0xbc0000 [0094.869] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0094.870] GetProcessHeap () returned 0xbc0000 [0094.870] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1e848) returned 0xbf2638 [0094.871] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4e70910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0094.871] ReadFile (in: hFile=0x274, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1e848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be4dc*=0x1e848, lpOverlapped=0x0) returned 1 [0095.020] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x4e70910, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0095.020] WriteFile (in: hFile=0x274, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1e848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be4d0*=0x1e848, lpOverlapped=0x0) returned 1 [0095.020] GetProcessHeap () returned 0xbc0000 [0095.020] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0095.021] CloseHandle (hObject=0x274) returned 1 [0096.038] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0096.039] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0096.039] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0096.039] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.039] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e5f8 [0096.039] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\baseimagefam8" (normalized: "c:\\users\\all users\\oracle\\java\\installcache_x64\\baseimagefam8"), lpNewFileName="C:\\Users\\All Users\\Oracle\\Java\\installcache_x64\\baseimagefam8.NEFILIM" (normalized: "c:\\users\\all users\\oracle\\java\\installcache_x64\\baseimagefam8.nefilim")) returned 1 [0096.040] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5f8 | out: hHeap=0x2680000) returned 1 [0096.040] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0096.040] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa33265df, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xa33265df, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa315c98a, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4eba475, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="baseimagefam8", cAlternateFileName="BASEIM~1")) returned 0 [0096.040] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0096.041] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4e8 | out: hHeap=0x2680000) returned 1 [0096.041] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0096.041] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.042] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="javapath", cAlternateFileName="")) returned 1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2=".") returned 1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="..") returned 1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="...") returned 1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="windows") returned -1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="$RECYCLE.BIN") returned 1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="rsa") returned -1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="NTDETECT.COM") returned -1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="ntldr") returned -1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="MSDOS.SYS") returned -1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="IO.SYS") returned 1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="boot.ini") returned 1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="AUTOEXEC.BAT") returned 1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="ntuser.dat") returned -1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="desktop.ini") returned 1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="CONFIG.SYS") returned 1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="RECYCLER") returned -1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="BOOTSECT.BAK") returned 1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="bootmgr") returned 1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="programdata") returned -1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="appdata") returned 1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="program files") returned -1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="program files (x86)") returned -1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="microsoft") returned -1 [0096.042] lstrcmpiW (lpString1="javapath", lpString2="sophos") returned -1 [0096.042] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268be68 [0096.042] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x76) returned 0x268e3f8 [0096.042] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be68 | out: hHeap=0x2680000) returned 1 [0096.042] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0096.043] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268be68 [0096.043] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0096.043] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e350 [0096.043] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\Java\\javapath\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0096.043] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.043] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.044] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.044] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.044] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="java.exe", cAlternateFileName="")) returned 1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2=".") returned 1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="..") returned 1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="...") returned 1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="windows") returned -1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="$RECYCLE.BIN") returned 1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="rsa") returned -1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="NTDETECT.COM") returned -1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="ntldr") returned -1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="MSDOS.SYS") returned -1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="IO.SYS") returned 1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="boot.ini") returned 1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="AUTOEXEC.BAT") returned 1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="ntuser.dat") returned -1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="desktop.ini") returned 1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="CONFIG.SYS") returned 1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="RECYCLER") returned -1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="BOOTSECT.BAK") returned 1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="bootmgr") returned 1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="programdata") returned -1 [0096.044] lstrcmpiW (lpString1="java.exe", lpString2="appdata") returned 1 [0096.045] lstrcmpiW (lpString1="java.exe", lpString2="program files") returned -1 [0096.045] lstrcmpiW (lpString1="java.exe", lpString2="program files (x86)") returned -1 [0096.045] lstrcmpiW (lpString1="java.exe", lpString2="microsoft") returned -1 [0096.045] lstrcmpiW (lpString1="java.exe", lpString2="sophos") returned -1 [0096.045] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e478 [0096.045] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0096.045] PathFindExtensionW (pszPath="java.exe") returned=".exe" [0096.045] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0096.045] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="javaw.exe", cAlternateFileName="")) returned 1 [0096.045] lstrcmpiW (lpString1="javaw.exe", lpString2=".") returned 1 [0096.045] lstrcmpiW (lpString1="javaw.exe", lpString2="..") returned 1 [0096.045] lstrcmpiW (lpString1="javaw.exe", lpString2="...") returned 1 [0096.045] lstrcmpiW (lpString1="javaw.exe", lpString2="windows") returned -1 [0096.045] lstrcmpiW (lpString1="javaw.exe", lpString2="$RECYCLE.BIN") returned 1 [0096.045] lstrcmpiW (lpString1="javaw.exe", lpString2="rsa") returned -1 [0096.045] lstrcmpiW (lpString1="javaw.exe", lpString2="NTDETECT.COM") returned -1 [0096.045] lstrcmpiW (lpString1="javaw.exe", lpString2="ntldr") returned -1 [0096.045] lstrcmpiW (lpString1="javaw.exe", lpString2="MSDOS.SYS") returned -1 [0096.045] lstrcmpiW (lpString1="javaw.exe", lpString2="IO.SYS") returned 1 [0096.045] lstrcmpiW (lpString1="javaw.exe", lpString2="boot.ini") returned 1 [0096.045] lstrcmpiW (lpString1="javaw.exe", lpString2="AUTOEXEC.BAT") returned 1 [0096.045] lstrcmpiW (lpString1="javaw.exe", lpString2="ntuser.dat") returned -1 [0096.045] lstrcmpiW (lpString1="javaw.exe", lpString2="desktop.ini") returned 1 [0096.045] lstrcmpiW (lpString1="javaw.exe", lpString2="CONFIG.SYS") returned 1 [0096.046] lstrcmpiW (lpString1="javaw.exe", lpString2="RECYCLER") returned -1 [0096.046] lstrcmpiW (lpString1="javaw.exe", lpString2="BOOTSECT.BAK") returned 1 [0096.046] lstrcmpiW (lpString1="javaw.exe", lpString2="bootmgr") returned 1 [0096.046] lstrcmpiW (lpString1="javaw.exe", lpString2="programdata") returned -1 [0096.046] lstrcmpiW (lpString1="javaw.exe", lpString2="appdata") returned 1 [0096.046] lstrcmpiW (lpString1="javaw.exe", lpString2="program files") returned -1 [0096.046] lstrcmpiW (lpString1="javaw.exe", lpString2="program files (x86)") returned -1 [0096.046] lstrcmpiW (lpString1="javaw.exe", lpString2="microsoft") returned -1 [0096.046] lstrcmpiW (lpString1="javaw.exe", lpString2="sophos") returned -1 [0096.046] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0096.046] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e478 | out: hHeap=0x2680000) returned 1 [0096.046] PathFindExtensionW (pszPath="javaw.exe") returned=".exe" [0096.046] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0096.046] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e040, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="javaws.exe", cAlternateFileName="")) returned 1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2=".") returned 1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="..") returned 1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="...") returned 1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="windows") returned -1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="$RECYCLE.BIN") returned 1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="rsa") returned -1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="NTDETECT.COM") returned -1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="ntldr") returned -1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="MSDOS.SYS") returned -1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="IO.SYS") returned 1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="boot.ini") returned 1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="AUTOEXEC.BAT") returned 1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="ntuser.dat") returned -1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="desktop.ini") returned 1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="CONFIG.SYS") returned 1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="RECYCLER") returned -1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="BOOTSECT.BAK") returned 1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="bootmgr") returned 1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="programdata") returned -1 [0096.046] lstrcmpiW (lpString1="javaws.exe", lpString2="appdata") returned 1 [0096.047] lstrcmpiW (lpString1="javaws.exe", lpString2="program files") returned -1 [0096.047] lstrcmpiW (lpString1="javaws.exe", lpString2="program files (x86)") returned -1 [0096.047] lstrcmpiW (lpString1="javaws.exe", lpString2="microsoft") returned -1 [0096.047] lstrcmpiW (lpString1="javaws.exe", lpString2="sophos") returned -1 [0096.047] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e478 [0096.047] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0096.047] PathFindExtensionW (pszPath="javaws.exe") returned=".exe" [0096.047] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0096.047] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e040, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="javaws.exe", cAlternateFileName="")) returned 0 [0096.047] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0096.047] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e478 | out: hHeap=0x2680000) returned 1 [0096.047] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.047] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be68 | out: hHeap=0x2680000) returned 1 [0096.047] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="javapath_target_474984", cAlternateFileName="JAVAPA~1")) returned 1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2=".") returned 1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="..") returned 1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="...") returned 1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="windows") returned -1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="$RECYCLE.BIN") returned 1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="rsa") returned -1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="NTDETECT.COM") returned -1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="ntldr") returned -1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="MSDOS.SYS") returned -1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="IO.SYS") returned 1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="boot.ini") returned 1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="AUTOEXEC.BAT") returned 1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="ntuser.dat") returned -1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="desktop.ini") returned 1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="CONFIG.SYS") returned 1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="RECYCLER") returned -1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="BOOTSECT.BAK") returned 1 [0096.047] lstrcmpiW (lpString1="javapath_target_474984", lpString2="bootmgr") returned 1 [0096.048] lstrcmpiW (lpString1="javapath_target_474984", lpString2="programdata") returned -1 [0096.048] lstrcmpiW (lpString1="javapath_target_474984", lpString2="appdata") returned 1 [0096.048] lstrcmpiW (lpString1="javapath_target_474984", lpString2="program files") returned -1 [0096.048] lstrcmpiW (lpString1="javapath_target_474984", lpString2="program files (x86)") returned -1 [0096.048] lstrcmpiW (lpString1="javapath_target_474984", lpString2="microsoft") returned -1 [0096.048] lstrcmpiW (lpString1="javapath_target_474984", lpString2="sophos") returned -1 [0096.048] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0096.048] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0096.048] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e360 [0096.048] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e3d8 [0096.048] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e450 [0096.048] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Oracle\\Java\\javapath_target_474984\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2888 [0096.048] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.048] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.048] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.048] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.048] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa7453105, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="java.exe", cAlternateFileName="")) returned 1 [0096.048] lstrcmpiW (lpString1="java.exe", lpString2=".") returned 1 [0096.048] lstrcmpiW (lpString1="java.exe", lpString2="..") returned 1 [0096.048] lstrcmpiW (lpString1="java.exe", lpString2="...") returned 1 [0096.048] lstrcmpiW (lpString1="java.exe", lpString2="windows") returned -1 [0096.048] lstrcmpiW (lpString1="java.exe", lpString2="$RECYCLE.BIN") returned 1 [0096.048] lstrcmpiW (lpString1="java.exe", lpString2="rsa") returned -1 [0096.048] lstrcmpiW (lpString1="java.exe", lpString2="NTDETECT.COM") returned -1 [0096.048] lstrcmpiW (lpString1="java.exe", lpString2="ntldr") returned -1 [0096.048] lstrcmpiW (lpString1="java.exe", lpString2="MSDOS.SYS") returned -1 [0096.048] lstrcmpiW (lpString1="java.exe", lpString2="IO.SYS") returned 1 [0096.048] lstrcmpiW (lpString1="java.exe", lpString2="boot.ini") returned 1 [0096.048] lstrcmpiW (lpString1="java.exe", lpString2="AUTOEXEC.BAT") returned 1 [0096.048] lstrcmpiW (lpString1="java.exe", lpString2="ntuser.dat") returned -1 [0096.048] lstrcmpiW (lpString1="java.exe", lpString2="desktop.ini") returned 1 [0096.048] lstrcmpiW (lpString1="java.exe", lpString2="CONFIG.SYS") returned 1 [0096.049] lstrcmpiW (lpString1="java.exe", lpString2="RECYCLER") returned -1 [0096.049] lstrcmpiW (lpString1="java.exe", lpString2="BOOTSECT.BAK") returned 1 [0096.049] lstrcmpiW (lpString1="java.exe", lpString2="bootmgr") returned 1 [0096.049] lstrcmpiW (lpString1="java.exe", lpString2="programdata") returned -1 [0096.049] lstrcmpiW (lpString1="java.exe", lpString2="appdata") returned 1 [0096.049] lstrcmpiW (lpString1="java.exe", lpString2="program files") returned -1 [0096.049] lstrcmpiW (lpString1="java.exe", lpString2="program files (x86)") returned -1 [0096.049] lstrcmpiW (lpString1="java.exe", lpString2="microsoft") returned -1 [0096.049] lstrcmpiW (lpString1="java.exe", lpString2="sophos") returned -1 [0096.049] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e4d8 [0096.049] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e450 | out: hHeap=0x2680000) returned 1 [0096.049] PathFindExtensionW (pszPath="java.exe") returned=".exe" [0096.049] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0096.049] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x32840, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="javaw.exe", cAlternateFileName="")) returned 1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2=".") returned 1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="..") returned 1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="...") returned 1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="windows") returned -1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="$RECYCLE.BIN") returned 1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="rsa") returned -1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="NTDETECT.COM") returned -1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="ntldr") returned -1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="MSDOS.SYS") returned -1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="IO.SYS") returned 1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="boot.ini") returned 1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="AUTOEXEC.BAT") returned 1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="ntuser.dat") returned -1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="desktop.ini") returned 1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="CONFIG.SYS") returned 1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="RECYCLER") returned -1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="BOOTSECT.BAK") returned 1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="bootmgr") returned 1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="programdata") returned -1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="appdata") returned 1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="program files") returned -1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="program files (x86)") returned -1 [0096.049] lstrcmpiW (lpString1="javaw.exe", lpString2="microsoft") returned -1 [0096.050] lstrcmpiW (lpString1="javaw.exe", lpString2="sophos") returned -1 [0096.050] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e450 [0096.050] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4d8 | out: hHeap=0x2680000) returned 1 [0096.050] PathFindExtensionW (pszPath="javaw.exe") returned=".exe" [0096.050] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0096.050] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e040, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="javaws.exe", cAlternateFileName="")) returned 1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2=".") returned 1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="..") returned 1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="...") returned 1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="windows") returned -1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="$RECYCLE.BIN") returned 1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="rsa") returned -1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="NTDETECT.COM") returned -1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="ntldr") returned -1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="MSDOS.SYS") returned -1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="IO.SYS") returned 1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="boot.ini") returned 1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="AUTOEXEC.BAT") returned 1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="ntuser.dat") returned -1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="desktop.ini") returned 1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="CONFIG.SYS") returned 1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="RECYCLER") returned -1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="BOOTSECT.BAK") returned 1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="bootmgr") returned 1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="programdata") returned -1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="appdata") returned 1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="program files") returned -1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="program files (x86)") returned -1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="microsoft") returned -1 [0096.050] lstrcmpiW (lpString1="javaws.exe", lpString2="sophos") returned -1 [0096.050] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e4d8 [0096.050] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e450 | out: hHeap=0x2680000) returned 1 [0096.050] PathFindExtensionW (pszPath="javaws.exe") returned=".exe" [0096.050] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0096.050] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xa747934d, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x4e040, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="javaws.exe", cAlternateFileName="")) returned 0 [0096.050] FindClose (in: hFindFile=0xbe2888 | out: hFindFile=0xbe2888) returned 1 [0096.051] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4d8 | out: hHeap=0x2680000) returned 1 [0096.051] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3d8 | out: hHeap=0x2680000) returned 1 [0096.051] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0096.051] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="javapath_target_474984", cAlternateFileName="JAVAPA~1")) returned 0 [0096.051] FindClose (in: hFindFile=0xbe2588 | out: hFindFile=0xbe2588) returned 1 [0096.051] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.051] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be20 | out: hHeap=0x2680000) returned 1 [0096.051] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0096.051] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa2d56a03, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xad14ee36, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xad14ee36, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Java", cAlternateFileName="")) returned 0 [0096.051] FindClose (in: hFindFile=0xbe2408 | out: hFindFile=0xbe2408) returned 1 [0096.051] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdd8 | out: hHeap=0x2680000) returned 1 [0096.051] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680548 | out: hHeap=0x2680000) returned 1 [0096.051] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0096.051] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdefc9a0c, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Package Cache", cAlternateFileName="PACKAG~1")) returned 1 [0096.051] lstrcmpiW (lpString1="Package Cache", lpString2=".") returned 1 [0096.051] lstrcmpiW (lpString1="Package Cache", lpString2="..") returned 1 [0096.051] lstrcmpiW (lpString1="Package Cache", lpString2="...") returned 1 [0096.051] lstrcmpiW (lpString1="Package Cache", lpString2="windows") returned -1 [0096.051] lstrcmpiW (lpString1="Package Cache", lpString2="$RECYCLE.BIN") returned 1 [0096.051] lstrcmpiW (lpString1="Package Cache", lpString2="rsa") returned -1 [0096.051] lstrcmpiW (lpString1="Package Cache", lpString2="NTDETECT.COM") returned 1 [0096.051] lstrcmpiW (lpString1="Package Cache", lpString2="ntldr") returned 1 [0096.051] lstrcmpiW (lpString1="Package Cache", lpString2="MSDOS.SYS") returned 1 [0096.051] lstrcmpiW (lpString1="Package Cache", lpString2="IO.SYS") returned 1 [0096.051] lstrcmpiW (lpString1="Package Cache", lpString2="boot.ini") returned 1 [0096.051] lstrcmpiW (lpString1="Package Cache", lpString2="AUTOEXEC.BAT") returned 1 [0096.051] lstrcmpiW (lpString1="Package Cache", lpString2="ntuser.dat") returned 1 [0096.051] lstrcmpiW (lpString1="Package Cache", lpString2="desktop.ini") returned 1 [0096.051] lstrcmpiW (lpString1="Package Cache", lpString2="CONFIG.SYS") returned 1 [0096.052] lstrcmpiW (lpString1="Package Cache", lpString2="RECYCLER") returned -1 [0096.052] lstrcmpiW (lpString1="Package Cache", lpString2="BOOTSECT.BAK") returned 1 [0096.052] lstrcmpiW (lpString1="Package Cache", lpString2="bootmgr") returned 1 [0096.052] lstrcmpiW (lpString1="Package Cache", lpString2="programdata") returned -1 [0096.052] lstrcmpiW (lpString1="Package Cache", lpString2="appdata") returned 1 [0096.052] lstrcmpiW (lpString1="Package Cache", lpString2="program files") returned -1 [0096.052] lstrcmpiW (lpString1="Package Cache", lpString2="program files (x86)") returned -1 [0096.052] lstrcmpiW (lpString1="Package Cache", lpString2="microsoft") returned 1 [0096.052] lstrcmpiW (lpString1="Package Cache", lpString2="sophos") returned -1 [0096.052] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680500 [0096.052] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.052] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bd90 [0096.052] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bde8 [0096.052] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268be40 [0096.052] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdefc9a0c, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2748 [0096.053] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.053] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdefc9a0c, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdefc9a0c, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.053] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.053] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.053] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd26065d8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e0f451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", cAlternateFileName="{13A4E~1.210")) returned 1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2=".") returned 1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="..") returned 1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="...") returned 1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="windows") returned -1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="$RECYCLE.BIN") returned 1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="rsa") returned -1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="NTDETECT.COM") returned -1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="ntldr") returned -1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="MSDOS.SYS") returned -1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="IO.SYS") returned -1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="boot.ini") returned -1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="AUTOEXEC.BAT") returned -1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="ntuser.dat") returned -1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="desktop.ini") returned -1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="CONFIG.SYS") returned -1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="RECYCLER") returned -1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="BOOTSECT.BAK") returned -1 [0096.053] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="bootmgr") returned -1 [0096.054] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="programdata") returned -1 [0096.054] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="appdata") returned -1 [0096.054] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="program files") returned -1 [0096.054] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="program files (x86)") returned -1 [0096.054] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="microsoft") returned -1 [0096.054] lstrcmpiW (lpString1="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005", lpString2="sophos") returned -1 [0096.054] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0096.054] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be40 | out: hHeap=0x2680000) returned 1 [0096.054] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e3a0 [0096.054] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e458 [0096.054] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e510 [0096.054] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd26065d8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e0f451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe29c8 [0096.055] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.055] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd26065d8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e0f451, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.055] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.055] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.055] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0096.055] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0096.056] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0096.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e5c8 [0096.056] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e510 | out: hHeap=0x2680000) returned 1 [0096.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e690 [0096.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e758 [0096.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e820 [0096.056] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2608 [0096.056] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.056] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.056] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.056] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.056] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e73631, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2652a95, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0096.056] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0096.056] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="...") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="windows") returned -1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$RECYCLE.BIN") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="rsa") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="NTDETECT.COM") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntldr") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="MSDOS.SYS") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="IO.SYS") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="boot.ini") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="AUTOEXEC.BAT") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntuser.dat") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="desktop.ini") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="CONFIG.SYS") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="RECYCLER") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="BOOTSECT.BAK") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="bootmgr") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="programdata") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="appdata") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files (x86)") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="microsoft") returned 1 [0096.057] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="sophos") returned 1 [0096.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e8e8 [0096.057] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e820 | out: hHeap=0x2680000) returned 1 [0096.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e9e0 [0096.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ead8 [0096.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ebd0 [0096.057] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}v12.0.21005\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e73631, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2652a95, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0096.057] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.057] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e73631, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2652a95, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.058] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.058] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.058] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eefa500, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5eefa500, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x5eefa500, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0xf36be, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0096.058] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0096.058] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0096.058] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebd0 | out: hHeap=0x2680000) returned 1 [0096.058] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0096.058] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0096.058] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0096.059] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0096.059] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eefa500, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5eefa500, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x5eefa500, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2=".") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="..") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="...") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="windows") returned -1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="rsa") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="NTDETECT.COM") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntldr") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="MSDOS.SYS") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="IO.SYS") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="boot.ini") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntuser.dat") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="desktop.ini") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="CONFIG.SYS") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="RECYCLER") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="bootmgr") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="programdata") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="appdata") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files (x86)") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="microsoft") returned 1 [0096.059] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="sophos") returned 1 [0096.059] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x120) returned 0x268ebd0 [0096.059] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0096.059] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0096.059] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0096.059] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0096.059] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0096.059] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0096.059] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0096.059] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0096.059] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0096.060] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0096.060] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0096.060] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0096.060] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0096.060] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0096.060] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0096.060] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0096.060] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0096.060] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eefa500, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5eefa500, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x5eefa500, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0096.060] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0096.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebd0 | out: hHeap=0x2680000) returned 1 [0096.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ead8 | out: hHeap=0x2680000) returned 1 [0096.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9e0 | out: hHeap=0x2680000) returned 1 [0096.060] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e73631, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2652a95, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0096.060] FindClose (in: hFindFile=0xbe2608 | out: hFindFile=0xbe2608) returned 1 [0096.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e8e8 | out: hHeap=0x2680000) returned 1 [0096.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0096.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0096.060] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd262c839, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e72597, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd262c839, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="packages", cAlternateFileName="")) returned 0 [0096.060] FindClose (in: hFindFile=0xbe29c8 | out: hFindFile=0xbe29c8) returned 1 [0096.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5c8 | out: hHeap=0x2680000) returned 1 [0096.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0096.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a0 | out: hHeap=0x2680000) returned 1 [0096.060] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e7475e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf03b3d5, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", cAlternateFileName="{33D1F~1")) returned 1 [0096.060] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2=".") returned 1 [0096.060] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="..") returned 1 [0096.060] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="...") returned 1 [0096.060] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="windows") returned -1 [0096.060] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="$RECYCLE.BIN") returned 1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="rsa") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="NTDETECT.COM") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="ntldr") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="MSDOS.SYS") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="IO.SYS") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="boot.ini") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="AUTOEXEC.BAT") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="ntuser.dat") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="desktop.ini") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="CONFIG.SYS") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="RECYCLER") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="BOOTSECT.BAK") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="bootmgr") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="programdata") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="appdata") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="program files") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="program files (x86)") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="microsoft") returned -1 [0096.061] lstrcmpiW (lpString1="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpString2="sophos") returned -1 [0096.061] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be40 [0096.061] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd6) returned 0x268e3a0 [0096.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be40 | out: hHeap=0x2680000) returned 1 [0096.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.061] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e2e8 [0096.061] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e480 [0096.061] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e528 [0096.061] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e7475e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf03b3d5, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2388 [0096.062] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.062] FindNextFileW (in: hFindFile=0xbe2388, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e7475e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf03b3d5, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.062] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.062] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.062] FindNextFileW (in: hFindFile=0xbe2388, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xcf03b3d5, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x354d9570, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x272, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="microsoft") returned 1 [0096.062] lstrcmpiW (lpString1="state.rsm", lpString2="sophos") returned 1 [0096.062] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e5d0 [0096.062] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e528 | out: hHeap=0x2680000) returned 1 [0096.062] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".NEFILIM") returned 1 [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0096.063] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0096.063] lstrcmpiW (lpString1="state.rsm", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e688 [0096.063] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.063] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=626) returned 1 [0096.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0096.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.063] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0096.063] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0096.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0096.064] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.064] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.065] GetTickCount () returned 0x1159372 [0096.065] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0096.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.065] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x272, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.065] SetLastError (dwErrCode=0x0) [0096.065] WriteFile (in: hFile=0x270, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.067] GetLastError () returned 0x0 [0096.067] GetLastError () returned 0x0 [0096.067] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x372, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.067] WriteFile (in: hFile=0x270, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.067] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x472, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.067] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34408c62, dwHighDateTime=0x1d5f971)) [0096.067] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0096.067] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.067] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.067] GetProcessHeap () returned 0xbc0000 [0096.068] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x272) returned 0xbe3f48 [0096.068] GetSystemDefaultLangID () returned 0xbd0409 [0096.068] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.068] ReadFile (in: hFile=0x270, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x272, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25be7fc*=0x272, lpOverlapped=0x0) returned 1 [0096.068] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.068] WriteFile (in: hFile=0x270, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x272, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25be7f0*=0x272, lpOverlapped=0x0) returned 1 [0096.068] GetProcessHeap () returned 0xbc0000 [0096.068] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0096.068] CloseHandle (hObject=0x270) returned 1 [0096.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0096.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0096.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0096.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.069] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e740 [0096.069] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.NEFILIM" (normalized: "c:\\users\\all users\\package cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\state.rsm.nefilim")) returned 1 [0096.070] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e740 | out: hHeap=0x2680000) returned 1 [0096.070] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0096.070] FindNextFileW (in: hFindFile=0xbe2388, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xcf03b3d5, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xcef30371, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2=".") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="..") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="...") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="windows") returned -1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$RECYCLE.BIN") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="rsa") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="NTDETECT.COM") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="ntldr") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="MSDOS.SYS") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="IO.SYS") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="boot.ini") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="AUTOEXEC.BAT") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="ntuser.dat") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="desktop.ini") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="CONFIG.SYS") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="RECYCLER") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="BOOTSECT.BAK") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="bootmgr") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="programdata") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="appdata") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files (x86)") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="microsoft") returned 1 [0096.070] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="sophos") returned 1 [0096.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e688 [0096.070] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5d0 | out: hHeap=0x2680000) returned 1 [0096.070] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0096.070] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0096.070] FindNextFileW (in: hFindFile=0xbe2388, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf03b3d5, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xcf03b3d5, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xcef30371, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x6f428, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0096.071] FindClose (in: hFindFile=0xbe2388 | out: hFindFile=0xbe2388) returned 1 [0096.071] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0096.071] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e480 | out: hHeap=0x2680000) returned 1 [0096.071] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.071] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e75aa9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", cAlternateFileName="{37B8F~1.610")) returned 1 [0096.071] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2=".") returned 1 [0096.071] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="..") returned 1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="...") returned 1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="windows") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="$RECYCLE.BIN") returned 1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="rsa") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="NTDETECT.COM") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="ntldr") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="MSDOS.SYS") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="IO.SYS") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="boot.ini") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="AUTOEXEC.BAT") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="ntuser.dat") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="desktop.ini") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="CONFIG.SYS") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="RECYCLER") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="BOOTSECT.BAK") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="bootmgr") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="programdata") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="appdata") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="program files") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="program files (x86)") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="microsoft") returned -1 [0096.072] lstrcmpiW (lpString1="{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030", lpString2="sophos") returned -1 [0096.072] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0096.072] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a0 | out: hHeap=0x2680000) returned 1 [0096.072] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e3a0 [0096.072] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e458 [0096.072] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e510 [0096.072] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e75aa9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2988 [0096.075] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.075] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2e75aa9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.075] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.075] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.075] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0096.075] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0096.075] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0096.075] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0096.075] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0096.075] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0096.075] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0096.075] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0096.075] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0096.075] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0096.075] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0096.075] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0096.075] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0096.075] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0096.075] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0096.075] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0096.076] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0096.076] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0096.076] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0096.076] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0096.076] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0096.076] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0096.076] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0096.076] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0096.076] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0096.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e5c8 [0096.076] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e510 | out: hHeap=0x2680000) returned 1 [0096.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e690 [0096.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e758 [0096.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e820 [0096.076] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2588 [0096.077] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.077] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.077] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.077] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.077] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebe532, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b33e03, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="...") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="windows") returned -1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$RECYCLE.BIN") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="rsa") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="NTDETECT.COM") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntldr") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="MSDOS.SYS") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="IO.SYS") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="boot.ini") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntuser.dat") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="desktop.ini") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="CONFIG.SYS") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="RECYCLER") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="BOOTSECT.BAK") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="bootmgr") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="programdata") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="appdata") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files") returned 1 [0096.077] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files (x86)") returned 1 [0096.078] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="microsoft") returned 1 [0096.078] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="sophos") returned 1 [0096.078] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e8e8 [0096.078] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e820 | out: hHeap=0x2680000) returned 1 [0096.078] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e9e0 [0096.078] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ead8 [0096.078] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0096.078] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{37B8F9C7-03FB-3253-8781-2517C99D7C00}v11.0.61030\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebe532, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b33e03, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe29c8 [0096.078] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.078] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebe532, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b33e03, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.078] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.078] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.078] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb69f0b00, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0xb69f0b00, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0xb69f0b00, ftLastWriteTime.dwHighDateTime=0x1ced51c, nFileSizeHigh=0x0, nFileSizeLow=0x588124, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0096.078] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0096.078] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0096.078] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0096.078] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0096.078] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0096.078] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0096.078] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0096.078] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0096.078] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0096.078] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0096.078] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0096.078] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0096.078] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0096.078] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0096.079] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0096.079] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0096.079] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0096.079] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0096.079] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0096.079] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0096.079] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0096.079] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0096.079] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0096.079] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0096.079] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0096.079] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0096.079] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0096.079] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0096.079] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0096.079] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0096.079] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5197e500, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x5197e500, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x5197e500, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2=".") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="..") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="...") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="windows") returned -1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="rsa") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="NTDETECT.COM") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntldr") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="MSDOS.SYS") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="IO.SYS") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="boot.ini") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntuser.dat") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="desktop.ini") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="CONFIG.SYS") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="RECYCLER") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0096.079] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="bootmgr") returned 1 [0096.080] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="programdata") returned 1 [0096.080] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="appdata") returned 1 [0096.080] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files") returned 1 [0096.080] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files (x86)") returned 1 [0096.080] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="microsoft") returned 1 [0096.080] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="sophos") returned 1 [0096.080] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x130) returned 0x268ebd0 [0096.080] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0096.080] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0096.080] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0096.080] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0096.080] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0096.080] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0096.080] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0096.080] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0096.080] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0096.080] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0096.080] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0096.080] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0096.080] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0096.080] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0096.080] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0096.080] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0096.080] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0096.080] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5197e500, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x5197e500, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x5197e500, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0096.080] FindClose (in: hFindFile=0xbe29c8 | out: hFindFile=0xbe29c8) returned 1 [0096.080] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebd0 | out: hHeap=0x2680000) returned 1 [0096.080] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ead8 | out: hHeap=0x2680000) returned 1 [0096.080] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9e0 | out: hHeap=0x2680000) returned 1 [0096.080] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebe532, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b33e03, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0096.080] FindClose (in: hFindFile=0xbe2588 | out: hFindFile=0xbe2588) returned 1 [0096.080] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e8e8 | out: hHeap=0x2680000) returned 1 [0096.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0096.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0096.081] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0b0dbb0, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebdead, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0b0dbb0, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0096.081] FindClose (in: hFindFile=0xbe2988 | out: hFindFile=0xbe2988) returned 1 [0096.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5c8 | out: hHeap=0x2680000) returned 1 [0096.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0096.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a0 | out: hHeap=0x2680000) returned 1 [0096.081] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebeed6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd40b2b5b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", cAlternateFileName="{3C3AA~1")) returned 1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2=".") returned 1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="..") returned 1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="...") returned 1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="windows") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="$RECYCLE.BIN") returned 1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="rsa") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="NTDETECT.COM") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="ntldr") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="MSDOS.SYS") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="IO.SYS") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="boot.ini") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="AUTOEXEC.BAT") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="ntuser.dat") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="desktop.ini") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="CONFIG.SYS") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="RECYCLER") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="BOOTSECT.BAK") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="bootmgr") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="programdata") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="appdata") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="program files") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="program files (x86)") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="microsoft") returned -1 [0096.081] lstrcmpiW (lpString1="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpString2="sophos") returned -1 [0096.081] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be40 [0096.081] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd6) returned 0x268e3a0 [0096.082] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be40 | out: hHeap=0x2680000) returned 1 [0096.082] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e2e8 [0096.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e480 [0096.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e528 [0096.082] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebeed6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd40b2b5b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2788 [0096.082] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.082] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebeed6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd40b2b5b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.082] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.082] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.082] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd40b2b5b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd40b2b5b, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x3639a1f2, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x27e, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0096.082] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0096.083] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0096.083] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0096.083] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0096.083] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0096.083] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0096.083] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0096.083] lstrcmpiW (lpString1="state.rsm", lpString2="microsoft") returned 1 [0096.083] lstrcmpiW (lpString1="state.rsm", lpString2="sophos") returned 1 [0096.083] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e5d0 [0096.083] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e528 | out: hHeap=0x2680000) returned 1 [0096.083] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".NEFILIM") returned 1 [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0096.083] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0096.083] lstrcmpiW (lpString1="state.rsm", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.083] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e688 [0096.083] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.126] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=638) returned 1 [0096.126] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.126] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0096.126] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.126] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0096.126] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0096.126] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0096.126] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.127] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.128] GetTickCount () returned 0x11593b1 [0096.128] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0096.128] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.128] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x27e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.128] SetLastError (dwErrCode=0x0) [0096.128] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.130] GetLastError () returned 0x0 [0096.130] GetLastError () returned 0x0 [0096.130] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.130] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.130] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.130] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x344a1532, dwHighDateTime=0x1d5f971)) [0096.130] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0096.130] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.130] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.131] GetProcessHeap () returned 0xbc0000 [0096.131] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x27e) returned 0xbe3f48 [0096.131] GetSystemDefaultLangID () returned 0xbd0409 [0096.131] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.131] ReadFile (in: hFile=0x270, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x27e, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25be7fc*=0x27e, lpOverlapped=0x0) returned 1 [0096.131] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.131] WriteFile (in: hFile=0x270, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x27e, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25be7f0*=0x27e, lpOverlapped=0x0) returned 1 [0096.131] GetProcessHeap () returned 0xbc0000 [0096.131] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0096.131] CloseHandle (hObject=0x270) returned 1 [0096.132] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0096.132] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0096.132] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.132] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0096.132] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e740 [0096.132] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.NEFILIM" (normalized: "c:\\users\\all users\\package cache\\{3c3aafc8-d898-43ec-998f-965ffdae065a}\\state.rsm.nefilim")) returned 1 [0096.132] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e740 | out: hHeap=0x2680000) returned 1 [0096.132] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0096.132] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd408c921, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd4040448, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2=".") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="..") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="...") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="windows") returned -1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$RECYCLE.BIN") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="rsa") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="NTDETECT.COM") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="ntldr") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="MSDOS.SYS") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="IO.SYS") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="boot.ini") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="AUTOEXEC.BAT") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="ntuser.dat") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="desktop.ini") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="CONFIG.SYS") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="RECYCLER") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="BOOTSECT.BAK") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="bootmgr") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="programdata") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="appdata") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files (x86)") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="microsoft") returned 1 [0096.133] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="sophos") returned 1 [0096.133] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e688 [0096.133] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5d0 | out: hHeap=0x2680000) returned 1 [0096.133] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0096.133] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0096.133] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd408c921, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd408c921, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd4040448, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x710a8, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0096.133] FindClose (in: hFindFile=0xbe2788 | out: hFindFile=0xbe2788) returned 1 [0096.134] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0096.134] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e480 | out: hHeap=0x2680000) returned 1 [0096.134] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.134] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebf4ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", cAlternateFileName="{582EA~1.250")) returned 1 [0096.134] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2=".") returned 1 [0096.134] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="..") returned 1 [0096.134] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="...") returned 1 [0096.134] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="windows") returned -1 [0096.134] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="$RECYCLE.BIN") returned 1 [0096.134] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="rsa") returned -1 [0096.134] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="NTDETECT.COM") returned -1 [0096.134] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="ntldr") returned -1 [0096.134] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="MSDOS.SYS") returned -1 [0096.134] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="IO.SYS") returned -1 [0096.135] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="boot.ini") returned -1 [0096.135] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="AUTOEXEC.BAT") returned -1 [0096.135] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="ntuser.dat") returned -1 [0096.135] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="desktop.ini") returned -1 [0096.135] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="CONFIG.SYS") returned -1 [0096.135] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="RECYCLER") returned -1 [0096.135] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="BOOTSECT.BAK") returned -1 [0096.135] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="bootmgr") returned -1 [0096.135] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="programdata") returned -1 [0096.135] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="appdata") returned -1 [0096.135] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="program files") returned -1 [0096.135] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="program files (x86)") returned -1 [0096.135] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="microsoft") returned -1 [0096.135] lstrcmpiW (lpString1="{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017", lpString2="sophos") returned -1 [0096.135] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0096.135] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a0 | out: hHeap=0x2680000) returned 1 [0096.135] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e3a0 [0096.135] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e458 [0096.135] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e510 [0096.135] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebf4ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2a48 [0096.136] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.136] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebf4ad, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.136] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.136] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.136] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0096.136] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0096.137] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0096.137] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e5c8 [0096.137] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e510 | out: hHeap=0x2680000) returned 1 [0096.137] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e690 [0096.137] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e758 [0096.137] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd0) returned 0x268e820 [0096.137] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2ac8 [0096.137] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.137] FindNextFileW (in: hFindFile=0xbe2ac8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.137] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.137] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.137] FindNextFileW (in: hFindFile=0xbe2ac8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec031b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0096.137] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0096.137] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0096.137] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="...") returned 1 [0096.137] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="windows") returned -1 [0096.137] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$RECYCLE.BIN") returned 1 [0096.137] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="rsa") returned 1 [0096.137] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="NTDETECT.COM") returned 1 [0096.137] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntldr") returned 1 [0096.137] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="MSDOS.SYS") returned 1 [0096.137] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="IO.SYS") returned 1 [0096.137] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="boot.ini") returned 1 [0096.137] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="AUTOEXEC.BAT") returned 1 [0096.137] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntuser.dat") returned 1 [0096.137] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="desktop.ini") returned 1 [0096.137] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="CONFIG.SYS") returned 1 [0096.138] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="RECYCLER") returned 1 [0096.138] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="BOOTSECT.BAK") returned 1 [0096.138] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="bootmgr") returned 1 [0096.138] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="programdata") returned 1 [0096.138] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="appdata") returned 1 [0096.138] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files") returned 1 [0096.138] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files (x86)") returned 1 [0096.138] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="microsoft") returned 1 [0096.138] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="sophos") returned 1 [0096.138] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e8f8 [0096.138] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e820 | out: hHeap=0x2680000) returned 1 [0096.138] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e9f0 [0096.138] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268eae8 [0096.138] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ebe0 [0096.138] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{582EA838-9199-3518-A05C-DB09462F68EC}v14.10.25017\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec031b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2708 [0096.138] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.138] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec031b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.138] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.138] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.138] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf81cb00, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xdf81cb00, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xdf81cb00, ftLastWriteTime.dwHighDateTime=0x1d28867, nFileSizeHigh=0x0, nFileSizeLow=0x13babb, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0096.138] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0096.138] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0096.138] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0096.138] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0096.138] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0096.138] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0096.138] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0096.138] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0096.139] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0096.139] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0096.139] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebe0 | out: hHeap=0x2680000) returned 1 [0096.139] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0096.139] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0096.139] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0096.139] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0096.139] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93af200, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x93af200, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0x93af200, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0096.139] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2=".") returned 1 [0096.139] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="..") returned 1 [0096.139] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="...") returned 1 [0096.139] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="windows") returned -1 [0096.139] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0096.139] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="rsa") returned 1 [0096.139] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="NTDETECT.COM") returned 1 [0096.139] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntldr") returned 1 [0096.139] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="MSDOS.SYS") returned 1 [0096.139] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="IO.SYS") returned 1 [0096.140] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="boot.ini") returned 1 [0096.140] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0096.140] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntuser.dat") returned 1 [0096.140] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="desktop.ini") returned 1 [0096.140] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="CONFIG.SYS") returned 1 [0096.140] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="RECYCLER") returned 1 [0096.140] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0096.140] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="bootmgr") returned 1 [0096.140] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="programdata") returned 1 [0096.140] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="appdata") returned 1 [0096.140] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files") returned 1 [0096.140] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files (x86)") returned 1 [0096.140] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="microsoft") returned 1 [0096.140] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="sophos") returned 1 [0096.140] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x120) returned 0x268ebe0 [0096.140] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0096.140] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0096.140] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0096.140] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0096.140] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0096.140] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0096.140] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0096.140] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0096.140] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0096.140] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0096.140] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0096.140] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0096.140] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0096.140] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0096.140] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0096.140] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0096.140] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0096.140] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93af200, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x93af200, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0x93af200, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0096.140] FindClose (in: hFindFile=0xbe2708 | out: hFindFile=0xbe2708) returned 1 [0096.141] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebe0 | out: hHeap=0x2680000) returned 1 [0096.141] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eae8 | out: hHeap=0x2680000) returned 1 [0096.141] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9f0 | out: hHeap=0x2680000) returned 1 [0096.141] FindNextFileW (in: hFindFile=0xbe2ac8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec031b, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0096.141] FindClose (in: hFindFile=0xbe2ac8 | out: hFindFile=0xbe2ac8) returned 1 [0096.141] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e8f8 | out: hHeap=0x2680000) returned 1 [0096.141] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0096.141] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0096.141] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9affe46, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ebfbe2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9affe46, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0096.141] FindClose (in: hFindFile=0xbe2a48 | out: hFindFile=0xbe2a48) returned 1 [0096.141] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5c8 | out: hHeap=0x2680000) returned 1 [0096.141] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0096.141] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a0 | out: hHeap=0x2680000) returned 1 [0096.141] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec0a31, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", cAlternateFileName="{68306~1.250")) returned 1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2=".") returned 1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="..") returned 1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="...") returned 1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="windows") returned -1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="$RECYCLE.BIN") returned 1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="rsa") returned -1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="NTDETECT.COM") returned -1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="ntldr") returned -1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="MSDOS.SYS") returned -1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="IO.SYS") returned -1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="boot.ini") returned -1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="AUTOEXEC.BAT") returned -1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="ntuser.dat") returned -1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="desktop.ini") returned -1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="CONFIG.SYS") returned -1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="RECYCLER") returned -1 [0096.141] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="BOOTSECT.BAK") returned -1 [0096.142] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="bootmgr") returned -1 [0096.142] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="programdata") returned -1 [0096.142] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="appdata") returned -1 [0096.142] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="program files") returned -1 [0096.142] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="program files (x86)") returned -1 [0096.142] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="microsoft") returned -1 [0096.142] lstrcmpiW (lpString1="{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017", lpString2="sophos") returned -1 [0096.142] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e3a0 [0096.142] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.142] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0096.142] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e458 [0096.142] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e510 [0096.142] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec0a31, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2a08 [0096.143] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.143] FindNextFileW (in: hFindFile=0xbe2a08, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec0a31, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.143] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.143] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.143] FindNextFileW (in: hFindFile=0xbe2a08, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0096.143] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0096.143] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e5c8 [0096.143] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e510 | out: hHeap=0x2680000) returned 1 [0096.143] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e690 [0096.143] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e758 [0096.143] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd0) returned 0x268e820 [0096.144] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2608 [0096.144] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.144] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.144] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.144] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.144] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec173c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b4c2ed, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="...") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="windows") returned -1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$RECYCLE.BIN") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="rsa") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="NTDETECT.COM") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntldr") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="MSDOS.SYS") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="IO.SYS") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="boot.ini") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="AUTOEXEC.BAT") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntuser.dat") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="desktop.ini") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="CONFIG.SYS") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="RECYCLER") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="BOOTSECT.BAK") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="bootmgr") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="programdata") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="appdata") returned 1 [0096.144] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files") returned 1 [0096.145] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files (x86)") returned 1 [0096.145] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="microsoft") returned 1 [0096.145] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="sophos") returned 1 [0096.145] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e8f8 [0096.145] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e820 | out: hHeap=0x2680000) returned 1 [0096.145] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e9f0 [0096.145] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268eae8 [0096.145] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0096.145] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{68306422-7C57-373F-8860-D26CE4BA2A15}v14.10.25017\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec173c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b4c2ed, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2948 [0096.145] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.145] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec173c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b4c2ed, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.145] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.145] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.145] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1e42500, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xe1e42500, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xe1e42500, ftLastWriteTime.dwHighDateTime=0x1d28867, nFileSizeHigh=0x0, nFileSizeLow=0x4f699e, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0096.145] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0096.146] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0096.146] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0096.146] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0096.146] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0096.146] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0096.146] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0096.146] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0096.146] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0096.146] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0096.146] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0096.146] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0096.146] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0096.146] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0096.146] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcce7900, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xcce7900, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xcce7900, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2=".") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="..") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="...") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="windows") returned -1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="rsa") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="NTDETECT.COM") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntldr") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="MSDOS.SYS") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="IO.SYS") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="boot.ini") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntuser.dat") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="desktop.ini") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="CONFIG.SYS") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="RECYCLER") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="bootmgr") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="programdata") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="appdata") returned 1 [0096.146] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files") returned 1 [0096.147] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files (x86)") returned 1 [0096.147] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="microsoft") returned 1 [0096.147] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="sophos") returned 1 [0096.147] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x130) returned 0x268ebe0 [0096.147] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0096.147] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0096.147] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0096.147] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0096.147] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0096.147] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0096.147] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0096.147] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0096.147] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0096.147] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0096.147] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0096.147] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0096.147] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0096.147] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0096.147] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0096.147] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0096.147] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0096.147] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcce7900, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xcce7900, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xcce7900, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0096.147] FindClose (in: hFindFile=0xbe2948 | out: hFindFile=0xbe2948) returned 1 [0096.147] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebe0 | out: hHeap=0x2680000) returned 1 [0096.147] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eae8 | out: hHeap=0x2680000) returned 1 [0096.147] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9f0 | out: hHeap=0x2680000) returned 1 [0096.147] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec173c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b4c2ed, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0096.147] FindClose (in: hFindFile=0xbe2608 | out: hFindFile=0xbe2608) returned 1 [0096.147] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e8f8 | out: hHeap=0x2680000) returned 1 [0096.147] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0096.147] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0096.148] FindNextFileW (in: hFindFile=0xbe2a08, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9b26095, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2ec10ed, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9b26095, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0096.148] FindClose (in: hFindFile=0xbe2a08 | out: hFindFile=0xbe2a08) returned 1 [0096.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5c8 | out: hHeap=0x2680000) returned 1 [0096.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0096.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.148] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", cAlternateFileName="{8D4F7~1.250")) returned 1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2=".") returned 1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="..") returned 1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="...") returned 1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="windows") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="$RECYCLE.BIN") returned 1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="rsa") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="NTDETECT.COM") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="ntldr") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="MSDOS.SYS") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="IO.SYS") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="boot.ini") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="AUTOEXEC.BAT") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="ntuser.dat") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="desktop.ini") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="CONFIG.SYS") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="RECYCLER") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="BOOTSECT.BAK") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="bootmgr") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="programdata") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="appdata") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="program files") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="program files (x86)") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="microsoft") returned -1 [0096.148] lstrcmpiW (lpString1="{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017", lpString2="sophos") returned -1 [0096.148] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0096.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a0 | out: hHeap=0x2680000) returned 1 [0096.148] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e3a0 [0096.148] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e458 [0096.149] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e510 [0096.149] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2ac8 [0096.149] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.149] FindNextFileW (in: hFindFile=0xbe2ac8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.149] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.149] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.149] FindNextFileW (in: hFindFile=0xbe2ac8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0096.149] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0096.149] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0096.149] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0096.149] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0096.149] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0096.150] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0096.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e5c8 [0096.150] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e510 | out: hHeap=0x2680000) returned 1 [0096.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e690 [0096.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e758 [0096.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd0) returned 0x268e820 [0096.150] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2708 [0096.150] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.150] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.151] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.151] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.151] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="...") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="windows") returned -1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$RECYCLE.BIN") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="rsa") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="NTDETECT.COM") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntldr") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="MSDOS.SYS") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="IO.SYS") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="boot.ini") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntuser.dat") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="desktop.ini") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="CONFIG.SYS") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="RECYCLER") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="BOOTSECT.BAK") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="bootmgr") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="programdata") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="appdata") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files (x86)") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="microsoft") returned 1 [0096.151] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="sophos") returned 1 [0096.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e8f8 [0096.151] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e820 | out: hHeap=0x2680000) returned 1 [0096.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e9f0 [0096.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268eae8 [0096.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ebe0 [0096.151] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{8D4F7A6D-6B81-3DC8-9C21-6008E4866727}v14.10.25017\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2588 [0096.152] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.152] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.152] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.152] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.152] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1e42500, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xe1e42500, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xe1e42500, ftLastWriteTime.dwHighDateTime=0x1d28867, nFileSizeHigh=0x0, nFileSizeLow=0x165257, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0096.152] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0096.153] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0096.153] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebe0 | out: hHeap=0x2680000) returned 1 [0096.153] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0096.153] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0096.153] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0096.153] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0096.153] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9d4c00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xb9d4c00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xb9d4c00, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2=".") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="..") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="...") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="windows") returned -1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="rsa") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="NTDETECT.COM") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntldr") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="MSDOS.SYS") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="IO.SYS") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="boot.ini") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntuser.dat") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="desktop.ini") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="CONFIG.SYS") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="RECYCLER") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="bootmgr") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="programdata") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="appdata") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files (x86)") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="microsoft") returned 1 [0096.153] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="sophos") returned 1 [0096.153] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x120) returned 0x268ebe0 [0096.153] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0096.153] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0096.153] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0096.153] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0096.154] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0096.154] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0096.154] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0096.154] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0096.154] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0096.154] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0096.154] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0096.154] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0096.154] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0096.154] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0096.154] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0096.154] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0096.154] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0096.154] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb9d4c00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0xb9d4c00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0xb9d4c00, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x24000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0096.154] FindClose (in: hFindFile=0xbe2588 | out: hFindFile=0xbe2588) returned 1 [0096.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebe0 | out: hHeap=0x2680000) returned 1 [0096.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eae8 | out: hHeap=0x2680000) returned 1 [0096.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9f0 | out: hHeap=0x2680000) returned 1 [0096.154] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0096.154] FindClose (in: hFindFile=0xbe2708 | out: hFindFile=0xbe2708) returned 1 [0096.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e8f8 | out: hHeap=0x2680000) returned 1 [0096.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0096.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0096.154] FindNextFileW (in: hFindFile=0xbe2ac8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc800531, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc800531, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc800531, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0096.154] FindClose (in: hFindFile=0xbe2ac8 | out: hFindFile=0xbe2ac8) returned 1 [0096.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5c8 | out: hHeap=0x2680000) returned 1 [0096.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0096.155] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a0 | out: hHeap=0x2680000) returned 1 [0096.155] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1d0bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", cAlternateFileName="{929FB~1.210")) returned 1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2=".") returned 1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="..") returned 1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="...") returned 1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="windows") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="$RECYCLE.BIN") returned 1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="rsa") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="NTDETECT.COM") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="ntldr") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="MSDOS.SYS") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="IO.SYS") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="boot.ini") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="AUTOEXEC.BAT") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="ntuser.dat") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="desktop.ini") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="CONFIG.SYS") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="RECYCLER") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="BOOTSECT.BAK") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="bootmgr") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="programdata") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="appdata") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="program files") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="program files (x86)") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="microsoft") returned -1 [0096.155] lstrcmpiW (lpString1="{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005", lpString2="sophos") returned -1 [0096.156] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e3a0 [0096.156] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.156] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0096.156] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e458 [0096.156] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e510 [0096.156] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1d0bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0096.156] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.156] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1d0bc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.156] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.156] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.156] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0096.156] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0096.157] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0096.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e5c8 [0096.157] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e510 | out: hHeap=0x2680000) returned 1 [0096.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e690 [0096.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e758 [0096.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e820 [0096.157] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2788 [0096.157] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.157] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.158] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.158] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.158] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f759d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd41e3e2d, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="...") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="windows") returned -1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$RECYCLE.BIN") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="rsa") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="NTDETECT.COM") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntldr") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="MSDOS.SYS") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="IO.SYS") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="boot.ini") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntuser.dat") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="desktop.ini") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="CONFIG.SYS") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="RECYCLER") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="BOOTSECT.BAK") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="bootmgr") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="programdata") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="appdata") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files (x86)") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="microsoft") returned 1 [0096.158] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="sophos") returned 1 [0096.158] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e8e8 [0096.158] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e820 | out: hHeap=0x2680000) returned 1 [0096.158] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e9e0 [0096.158] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ead8 [0096.158] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0096.158] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{929FBD26-9020-399B-9A7A-751D61F0B942}v12.0.21005\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f759d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd41e3e2d, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0096.159] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.159] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f759d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd41e3e2d, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.159] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.159] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.159] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8abe5b00, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x8abe5b00, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x8abe5b00, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0x554520, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0096.159] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0096.160] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0096.160] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0096.160] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0096.160] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0096.160] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ee0 [0096.160] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0096.160] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0096.160] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0096.160] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0096.160] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0096.160] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x885c0100, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2=".") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="..") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="...") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="windows") returned -1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="rsa") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="NTDETECT.COM") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntldr") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="MSDOS.SYS") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="IO.SYS") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="boot.ini") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntuser.dat") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="desktop.ini") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="CONFIG.SYS") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="RECYCLER") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="bootmgr") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="programdata") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="appdata") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files (x86)") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="microsoft") returned 1 [0096.160] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="sophos") returned 1 [0096.160] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x130) returned 0x268ebd0 [0096.160] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ee0 | out: hHeap=0x2680000) returned 1 [0096.161] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0096.161] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0096.161] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0096.161] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0096.161] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0096.161] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0096.161] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0096.161] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0096.161] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0096.161] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0096.161] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0096.161] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0096.161] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0096.161] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0096.161] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0096.161] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0096.161] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x885c0100, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0096.161] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0096.161] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebd0 | out: hHeap=0x2680000) returned 1 [0096.161] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ead8 | out: hHeap=0x2680000) returned 1 [0096.161] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9e0 | out: hHeap=0x2680000) returned 1 [0096.161] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f759d9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd41e3e2d, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0096.161] FindClose (in: hFindFile=0xbe2788 | out: hFindFile=0xbe2788) returned 1 [0096.161] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e8e8 | out: hHeap=0x2680000) returned 1 [0096.161] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0096.161] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0096.161] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd417172a, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f1dba9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0096.161] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0096.161] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5c8 | out: hHeap=0x2680000) returned 1 [0096.162] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0096.162] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.162] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40fefff, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f768c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", cAlternateFileName="{A749D~1.210")) returned 1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2=".") returned 1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="..") returned 1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="...") returned 1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="windows") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="$RECYCLE.BIN") returned 1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="rsa") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="NTDETECT.COM") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="ntldr") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="MSDOS.SYS") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="IO.SYS") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="boot.ini") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="AUTOEXEC.BAT") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="ntuser.dat") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="desktop.ini") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="CONFIG.SYS") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="RECYCLER") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="BOOTSECT.BAK") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="bootmgr") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="programdata") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="appdata") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="program files") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="program files (x86)") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="microsoft") returned -1 [0096.162] lstrcmpiW (lpString1="{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005", lpString2="sophos") returned -1 [0096.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0096.162] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a0 | out: hHeap=0x2680000) returned 1 [0096.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e3a0 [0096.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e458 [0096.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e510 [0096.162] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40fefff, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f768c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0096.277] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.277] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd40fefff, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f768c8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.277] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.277] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.277] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0096.277] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0096.277] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0096.277] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0096.277] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0096.278] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0096.278] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e5c8 [0096.278] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e510 | out: hHeap=0x2680000) returned 1 [0096.278] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e690 [0096.278] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e758 [0096.278] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e820 [0096.278] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2588 [0096.278] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.278] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.279] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.279] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.279] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f7778e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="...") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="windows") returned -1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$RECYCLE.BIN") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="rsa") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="NTDETECT.COM") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntldr") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="MSDOS.SYS") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="IO.SYS") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="boot.ini") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntuser.dat") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="desktop.ini") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="CONFIG.SYS") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="RECYCLER") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="BOOTSECT.BAK") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="bootmgr") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="programdata") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="appdata") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files (x86)") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="microsoft") returned 1 [0096.279] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="sophos") returned 1 [0096.279] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e8e8 [0096.279] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e820 | out: hHeap=0x2680000) returned 1 [0096.279] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e9e0 [0096.280] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ead8 [0096.280] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ebd0 [0096.280] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{A749D8E6-B613-3BE3-8F5F-045C84EBA29B}v12.0.21005\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f7778e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe24c8 [0096.280] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.280] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f7778e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.280] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.280] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.280] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x898d2e00, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x898d2e00, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x898d2e00, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0xfc90a, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0096.280] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0096.280] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0096.280] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0096.280] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0096.280] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0096.280] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0096.280] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0096.280] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0096.280] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0096.280] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0096.280] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0096.280] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0096.280] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0096.280] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0096.280] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0096.281] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0096.281] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0096.281] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0096.281] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0096.281] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0096.281] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0096.281] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0096.281] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0096.281] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0096.281] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0096.281] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebd0 | out: hHeap=0x2680000) returned 1 [0096.281] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0096.281] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0096.281] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0096.281] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0096.281] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x885c0100, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2=".") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="..") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="...") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="windows") returned -1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="rsa") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="NTDETECT.COM") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntldr") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="MSDOS.SYS") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="IO.SYS") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="boot.ini") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntuser.dat") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="desktop.ini") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="CONFIG.SYS") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="RECYCLER") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="bootmgr") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="programdata") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="appdata") returned 1 [0096.281] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files") returned 1 [0096.282] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files (x86)") returned 1 [0096.282] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="microsoft") returned 1 [0096.282] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="sophos") returned 1 [0096.282] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x120) returned 0x268ebd0 [0096.282] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0096.282] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0096.282] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0096.282] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0096.282] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0096.282] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0096.282] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0096.282] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0096.282] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0096.282] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0096.282] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0096.282] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0096.282] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0096.282] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0096.282] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0096.282] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0096.282] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0096.282] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x885c0100, ftCreationTime.dwHighDateTime=0x1cf3e15, ftLastAccessTime.dwLowDateTime=0x885c0100, ftLastAccessTime.dwHighDateTime=0x1cf3e15, ftLastWriteTime.dwLowDateTime=0x885c0100, ftLastWriteTime.dwHighDateTime=0x1cf3e15, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0096.282] FindClose (in: hFindFile=0xbe24c8 | out: hFindFile=0xbe24c8) returned 1 [0096.282] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebd0 | out: hHeap=0x2680000) returned 1 [0096.282] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ead8 | out: hHeap=0x2680000) returned 1 [0096.282] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9e0 | out: hHeap=0x2680000) returned 1 [0096.282] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f7778e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd417172a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0096.282] FindClose (in: hFindFile=0xbe2588 | out: hFindFile=0xbe2588) returned 1 [0096.282] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e8e8 | out: hHeap=0x2680000) returned 1 [0096.282] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0096.283] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0096.283] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd414b4b9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2f76e30, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd414b4b9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0096.283] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0096.283] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5c8 | out: hHeap=0x2680000) returned 1 [0096.283] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0096.283] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a0 | out: hHeap=0x2680000) returned 1 [0096.283] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe5a20, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", cAlternateFileName="{B1755~1.610")) returned 1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2=".") returned 1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="..") returned 1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="...") returned 1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="windows") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="$RECYCLE.BIN") returned 1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="rsa") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="NTDETECT.COM") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="ntldr") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="MSDOS.SYS") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="IO.SYS") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="boot.ini") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="AUTOEXEC.BAT") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="ntuser.dat") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="desktop.ini") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="CONFIG.SYS") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="RECYCLER") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="BOOTSECT.BAK") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="bootmgr") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="programdata") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="appdata") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="program files") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="program files (x86)") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="microsoft") returned -1 [0096.283] lstrcmpiW (lpString1="{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030", lpString2="sophos") returned -1 [0096.283] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e3a0 [0096.284] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.284] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0096.284] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e458 [0096.284] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e510 [0096.284] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe5a20, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2948 [0096.284] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.284] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe5a20, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.284] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.284] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.285] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0096.285] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0096.285] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e5c8 [0096.285] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e510 | out: hHeap=0x2680000) returned 1 [0096.285] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e690 [0096.285] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e758 [0096.285] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e820 [0096.285] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2988 [0096.286] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.286] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.286] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.286] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.286] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3030713, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf14644f, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="...") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="windows") returned -1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$RECYCLE.BIN") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="rsa") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="NTDETECT.COM") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntldr") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="MSDOS.SYS") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="IO.SYS") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="boot.ini") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="AUTOEXEC.BAT") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntuser.dat") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="desktop.ini") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="CONFIG.SYS") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="RECYCLER") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="BOOTSECT.BAK") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="bootmgr") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="programdata") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="appdata") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files (x86)") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="microsoft") returned 1 [0096.286] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="sophos") returned 1 [0096.286] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e8e8 [0096.286] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e820 | out: hHeap=0x2680000) returned 1 [0096.286] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e9e0 [0096.286] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ead8 [0096.287] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ebd0 [0096.287] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{B175520C-86A2-35A7-8619-86DC379688B9}v11.0.61030\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3030713, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf14644f, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2908 [0096.287] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.287] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3030713, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf14644f, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.287] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.287] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.287] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x98d1a600, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0x98d1a600, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0x98d1a600, ftLastWriteTime.dwHighDateTime=0x1ced51c, nFileSizeHigh=0x0, nFileSizeLow=0x4ea418, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0096.287] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0096.288] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0096.288] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0096.288] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0096.288] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0096.288] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0096.288] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebd0 | out: hHeap=0x2680000) returned 1 [0096.288] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0096.288] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0096.288] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0096.288] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0096.288] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x565c9900, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2=".") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="..") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="...") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="windows") returned -1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="rsa") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="NTDETECT.COM") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntldr") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="MSDOS.SYS") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="IO.SYS") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="boot.ini") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntuser.dat") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="desktop.ini") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="CONFIG.SYS") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="RECYCLER") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="bootmgr") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="programdata") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="appdata") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files (x86)") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="microsoft") returned 1 [0096.288] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="sophos") returned 1 [0096.288] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x130) returned 0x268ebd0 [0096.289] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0096.289] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0096.289] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0096.289] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0096.289] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0096.289] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0096.289] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0096.289] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0096.289] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0096.289] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0096.289] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0096.289] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0096.289] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0096.289] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0096.289] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0096.289] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0096.289] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0096.289] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x565c9900, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0096.289] FindClose (in: hFindFile=0xbe2908 | out: hFindFile=0xbe2908) returned 1 [0096.289] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebd0 | out: hHeap=0x2680000) returned 1 [0096.289] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ead8 | out: hHeap=0x2680000) returned 1 [0096.289] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9e0 | out: hHeap=0x2680000) returned 1 [0096.289] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3030713, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf14644f, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0096.289] FindClose (in: hFindFile=0xbe2988 | out: hFindFile=0xbe2988) returned 1 [0096.289] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e8e8 | out: hHeap=0x2680000) returned 1 [0096.289] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0096.289] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0096.289] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0f9f9b, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc2fe636a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0096.289] FindClose (in: hFindFile=0xbe2948 | out: hFindFile=0xbe2948) returned 1 [0096.290] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5c8 | out: hHeap=0x2680000) returned 1 [0096.290] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0096.290] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.290] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf087898, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3032038, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", cAlternateFileName="{BD95A~1.610")) returned 1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2=".") returned 1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="..") returned 1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="...") returned 1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="windows") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="$RECYCLE.BIN") returned 1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="rsa") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="NTDETECT.COM") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="ntldr") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="MSDOS.SYS") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="IO.SYS") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="boot.ini") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="AUTOEXEC.BAT") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="ntuser.dat") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="desktop.ini") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="CONFIG.SYS") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="RECYCLER") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="BOOTSECT.BAK") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="bootmgr") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="programdata") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="appdata") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="program files") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="program files (x86)") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="microsoft") returned -1 [0096.290] lstrcmpiW (lpString1="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030", lpString2="sophos") returned -1 [0096.290] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0096.290] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a0 | out: hHeap=0x2680000) returned 1 [0096.290] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e3a0 [0096.290] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e458 [0096.290] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e510 [0096.290] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf087898, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3032038, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2908 [0096.291] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.291] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf087898, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3032038, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.291] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.291] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.291] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0096.291] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0096.291] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0096.291] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0096.291] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0096.291] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0096.291] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0096.291] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0096.291] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0096.291] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0096.292] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0096.292] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0096.292] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0096.292] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0096.292] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0096.292] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0096.292] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0096.292] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0096.292] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0096.292] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0096.292] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0096.292] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0096.292] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0096.292] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0096.292] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0096.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e5c8 [0096.292] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e510 | out: hHeap=0x2680000) returned 1 [0096.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e690 [0096.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e758 [0096.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e820 [0096.292] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe24c8 [0096.292] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.292] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.292] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.292] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.292] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033a9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2=".") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="..") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="...") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="windows") returned -1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="$RECYCLE.BIN") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="rsa") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="NTDETECT.COM") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntldr") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="MSDOS.SYS") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="IO.SYS") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="boot.ini") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="AUTOEXEC.BAT") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="ntuser.dat") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="desktop.ini") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="CONFIG.SYS") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="RECYCLER") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="BOOTSECT.BAK") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="bootmgr") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="programdata") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="appdata") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="program files (x86)") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="microsoft") returned 1 [0096.293] lstrcmpiW (lpString1="vcRuntimeMinimum_x86", lpString2="sophos") returned 1 [0096.293] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e8e8 [0096.293] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e820 | out: hHeap=0x2680000) returned 1 [0096.293] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e9e0 [0096.293] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ead8 [0096.293] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ebd0 [0096.293] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}v11.0.61030\\packages\\vcRuntimeMinimum_x86\\*.*", lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033a9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe27c8 [0096.293] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.294] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033a9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.294] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.294] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.294] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x966f4c00, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0x966f4c00, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0x966f4c00, ftLastWriteTime.dwHighDateTime=0x1ced51c, nFileSizeHigh=0x0, nFileSizeLow=0xc89b1, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0096.294] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0096.294] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0096.294] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebd0 | out: hHeap=0x2680000) returned 1 [0096.294] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0096.294] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0096.294] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0096.294] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0096.294] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x565c9900, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2=".") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="..") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="...") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="windows") returned -1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="rsa") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="NTDETECT.COM") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntldr") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="MSDOS.SYS") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="IO.SYS") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="boot.ini") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="ntuser.dat") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="desktop.ini") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="CONFIG.SYS") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="RECYCLER") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="bootmgr") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="programdata") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="appdata") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="program files (x86)") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="microsoft") returned 1 [0096.295] lstrcmpiW (lpString1="vc_runtimeMinimum_x86.msi", lpString2="sophos") returned 1 [0096.295] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x120) returned 0x268ebd0 [0096.295] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0096.295] PathFindExtensionW (pszPath="vc_runtimeMinimum_x86.msi") returned=".msi" [0096.295] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0096.295] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0096.295] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0096.295] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0096.295] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0096.295] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0096.295] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0096.296] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0096.296] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0096.296] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0096.296] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0096.296] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0096.296] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0096.296] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0096.296] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0096.296] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x565c9900, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x565c9900, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x565c9900, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0096.296] FindClose (in: hFindFile=0xbe27c8 | out: hFindFile=0xbe27c8) returned 1 [0096.296] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebd0 | out: hHeap=0x2680000) returned 1 [0096.296] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ead8 | out: hHeap=0x2680000) returned 1 [0096.296] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9e0 | out: hHeap=0x2680000) returned 1 [0096.296] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033a9d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0f9f9b, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0096.296] FindClose (in: hFindFile=0xbe24c8 | out: hFindFile=0xbe24c8) returned 1 [0096.296] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e8e8 | out: hHeap=0x2680000) returned 1 [0096.296] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0096.296] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0096.296] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xcf0d3d43, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3033181, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xcf0d3d43, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0096.296] FindClose (in: hFindFile=0xbe2908 | out: hFindFile=0xbe2908) returned 1 [0096.296] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5c8 | out: hHeap=0x2680000) returned 1 [0096.296] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0096.296] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a0 | out: hHeap=0x2680000) returned 1 [0096.296] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307e4cc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0a28d82, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", cAlternateFileName="{CA675~1")) returned 1 [0096.296] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2=".") returned 1 [0096.296] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="..") returned 1 [0096.296] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="...") returned 1 [0096.296] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="windows") returned -1 [0096.296] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="$RECYCLE.BIN") returned 1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="rsa") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="NTDETECT.COM") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="ntldr") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="MSDOS.SYS") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="IO.SYS") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="boot.ini") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="AUTOEXEC.BAT") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="ntuser.dat") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="desktop.ini") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="CONFIG.SYS") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="RECYCLER") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="BOOTSECT.BAK") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="bootmgr") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="programdata") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="appdata") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="program files") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="program files (x86)") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="microsoft") returned -1 [0096.297] lstrcmpiW (lpString1="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpString2="sophos") returned -1 [0096.297] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be40 [0096.297] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd6) returned 0x268e3a0 [0096.297] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be40 | out: hHeap=0x2680000) returned 1 [0096.297] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.297] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e2e8 [0096.297] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e480 [0096.297] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e528 [0096.297] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307e4cc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0a28d82, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2788 [0096.298] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.298] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307e4cc, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0a28d82, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.298] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.298] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.298] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd0a28d82, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x359ea6b6, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x272, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0096.298] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0096.298] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0096.298] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0096.298] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0096.298] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0096.298] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0096.298] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0096.298] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0096.298] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="microsoft") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="sophos") returned 1 [0096.299] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e5d0 [0096.299] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e528 | out: hHeap=0x2680000) returned 1 [0096.299] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".NEFILIM") returned 1 [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0096.299] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0096.299] lstrcmpiW (lpString1="state.rsm", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.299] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e688 [0096.300] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.300] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=626) returned 1 [0096.300] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0096.300] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0096.300] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0096.300] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0096.300] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0096.300] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0096.300] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.301] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.302] GetTickCount () returned 0x115945d [0096.302] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0096.302] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.302] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x272, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.302] SetLastError (dwErrCode=0x0) [0096.302] WriteFile (in: hFile=0x270, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.304] GetLastError () returned 0x0 [0096.304] GetLastError () returned 0x0 [0096.304] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x372, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.304] WriteFile (in: hFile=0x270, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.304] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x472, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.304] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34644f60, dwHighDateTime=0x1d5f971)) [0096.304] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0096.304] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.304] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.304] GetProcessHeap () returned 0xbc0000 [0096.304] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x272) returned 0xbe3f48 [0096.304] GetSystemDefaultLangID () returned 0xbd0409 [0096.304] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.304] ReadFile (in: hFile=0x270, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x272, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25be7fc*=0x272, lpOverlapped=0x0) returned 1 [0096.304] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.304] WriteFile (in: hFile=0x270, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x272, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25be7f0*=0x272, lpOverlapped=0x0) returned 1 [0096.304] GetProcessHeap () returned 0xbc0000 [0096.304] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0096.304] CloseHandle (hObject=0x270) returned 1 [0096.305] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0096.305] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0096.305] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0096.305] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0096.305] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e740 [0096.305] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.NEFILIM" (normalized: "c:\\users\\all users\\package cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\state.rsm.nefilim")) returned 1 [0096.306] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e740 | out: hHeap=0x2680000) returned 1 [0096.306] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0096.306] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd0a28d82, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd0a02b30, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2=".") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="..") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="...") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="windows") returned -1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="$RECYCLE.BIN") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="rsa") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="NTDETECT.COM") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="ntldr") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="MSDOS.SYS") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="IO.SYS") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="boot.ini") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="AUTOEXEC.BAT") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="ntuser.dat") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="desktop.ini") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="CONFIG.SYS") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="RECYCLER") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="BOOTSECT.BAK") returned 1 [0096.306] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="bootmgr") returned 1 [0096.307] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="programdata") returned 1 [0096.307] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="appdata") returned 1 [0096.307] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files") returned 1 [0096.307] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="program files (x86)") returned 1 [0096.307] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="microsoft") returned 1 [0096.307] lstrcmpiW (lpString1="vcredist_x64.exe", lpString2="sophos") returned 1 [0096.307] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e688 [0096.307] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5d0 | out: hHeap=0x2680000) returned 1 [0096.307] PathFindExtensionW (pszPath="vcredist_x64.exe") returned=".exe" [0096.307] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0096.307] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd0a28d82, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd0a28d82, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd0a02b30, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x6f398, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="vcredist_x64.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0096.307] FindClose (in: hFindFile=0xbe2788 | out: hFindFile=0xbe2788) returned 1 [0096.308] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0096.308] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e480 | out: hHeap=0x2680000) returned 1 [0096.308] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.308] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a9b495, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307f5ec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", cAlternateFileName="{CF2BE~1.610")) returned 1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2=".") returned 1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="..") returned 1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="...") returned 1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="windows") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="$RECYCLE.BIN") returned 1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="rsa") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="NTDETECT.COM") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="ntldr") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="MSDOS.SYS") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="IO.SYS") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="boot.ini") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="AUTOEXEC.BAT") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="ntuser.dat") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="desktop.ini") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="CONFIG.SYS") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="RECYCLER") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="BOOTSECT.BAK") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="bootmgr") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="programdata") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="appdata") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="program files") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="program files (x86)") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="microsoft") returned -1 [0096.308] lstrcmpiW (lpString1="{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030", lpString2="sophos") returned -1 [0096.308] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0096.308] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a0 | out: hHeap=0x2680000) returned 1 [0096.309] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e3a0 [0096.309] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e458 [0096.309] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e510 [0096.309] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a9b495, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307f5ec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2b08 [0096.309] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.309] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0a9b495, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc307f5ec, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.309] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.309] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.309] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0096.309] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0096.309] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0096.309] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0096.309] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0096.310] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0096.310] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e5c8 [0096.310] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e510 | out: hHeap=0x2680000) returned 1 [0096.310] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e690 [0096.310] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e758 [0096.310] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e820 [0096.310] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe27c8 [0096.310] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.310] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.311] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.311] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.311] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3080926, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0096.311] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2=".") returned 1 [0096.311] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="..") returned 1 [0096.311] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="...") returned 1 [0096.311] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="windows") returned -1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="$RECYCLE.BIN") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="rsa") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="NTDETECT.COM") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntldr") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="MSDOS.SYS") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="IO.SYS") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="boot.ini") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="ntuser.dat") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="desktop.ini") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="CONFIG.SYS") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="RECYCLER") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="BOOTSECT.BAK") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="bootmgr") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="programdata") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="appdata") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="program files (x86)") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="microsoft") returned 1 [0096.312] lstrcmpiW (lpString1="vcRuntimeMinimum_amd64", lpString2="sophos") returned 1 [0096.312] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e8e8 [0096.312] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e820 | out: hHeap=0x2680000) returned 1 [0096.312] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e9e0 [0096.312] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ead8 [0096.312] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ebd0 [0096.312] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}v11.0.61030\\packages\\vcRuntimeMinimum_amd64\\*.*", lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3080926, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2888 [0096.312] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.312] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3080926, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.313] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.313] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.313] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa4bd6800, ftCreationTime.dwHighDateTime=0x1ced51c, ftLastAccessTime.dwLowDateTime=0xa4bd6800, ftLastAccessTime.dwHighDateTime=0x1ced51c, ftLastWriteTime.dwLowDateTime=0xa4bd6800, ftLastWriteTime.dwHighDateTime=0x1ced51c, nFileSizeHigh=0x0, nFileSizeLow=0xc5b25, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0096.313] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0096.313] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0096.313] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebd0 | out: hHeap=0x2680000) returned 1 [0096.313] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0096.313] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0096.313] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0096.313] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0096.314] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x683e3c00, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x683e3c00, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x683e3c00, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2=".") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="..") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="...") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="windows") returned -1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="rsa") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="NTDETECT.COM") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntldr") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="MSDOS.SYS") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="IO.SYS") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="boot.ini") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="ntuser.dat") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="desktop.ini") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="CONFIG.SYS") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="RECYCLER") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="bootmgr") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="programdata") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="appdata") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="program files (x86)") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="microsoft") returned 1 [0096.314] lstrcmpiW (lpString1="vc_runtimeMinimum_x64.msi", lpString2="sophos") returned 1 [0096.314] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x120) returned 0x268ebd0 [0096.314] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0096.314] PathFindExtensionW (pszPath="vc_runtimeMinimum_x64.msi") returned=".msi" [0096.314] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0096.314] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0096.314] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0096.314] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0096.314] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0096.314] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0096.314] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0096.315] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0096.315] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0096.315] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0096.315] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0096.315] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0096.315] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0096.315] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0096.315] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0096.315] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x683e3c00, ftCreationTime.dwHighDateTime=0x1ced51d, ftLastAccessTime.dwLowDateTime=0x683e3c00, ftLastAccessTime.dwHighDateTime=0x1ced51d, ftLastWriteTime.dwLowDateTime=0x683e3c00, ftLastWriteTime.dwHighDateTime=0x1ced51d, nFileSizeHigh=0x0, nFileSizeLow=0x25000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeMinimum_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0096.315] FindClose (in: hFindFile=0xbe2888 | out: hFindFile=0xbe2888) returned 1 [0096.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebd0 | out: hHeap=0x2680000) returned 1 [0096.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ead8 | out: hHeap=0x2680000) returned 1 [0096.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9e0 | out: hHeap=0x2680000) returned 1 [0096.315] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc3080926, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeMinimum_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0096.315] FindClose (in: hFindFile=0xbe27c8 | out: hFindFile=0xbe27c8) returned 1 [0096.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e8e8 | out: hHeap=0x2680000) returned 1 [0096.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0096.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0096.315] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd0ae7939, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc308016e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd0ae7939, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0096.315] FindClose (in: hFindFile=0xbe2b08 | out: hFindFile=0xbe2b08) returned 1 [0096.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5c8 | out: hHeap=0x2680000) returned 1 [0096.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0096.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a0 | out: hHeap=0x2680000) returned 1 [0096.315] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", cAlternateFileName="{E5127~1.250")) returned 1 [0096.315] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2=".") returned 1 [0096.315] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="..") returned 1 [0096.315] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="...") returned 1 [0096.315] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="windows") returned -1 [0096.315] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="$RECYCLE.BIN") returned 1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="rsa") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="NTDETECT.COM") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="ntldr") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="MSDOS.SYS") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="IO.SYS") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="boot.ini") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="AUTOEXEC.BAT") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="ntuser.dat") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="desktop.ini") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="CONFIG.SYS") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="RECYCLER") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="BOOTSECT.BAK") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="bootmgr") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="programdata") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="appdata") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="program files") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="program files (x86)") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="microsoft") returned -1 [0096.316] lstrcmpiW (lpString1="{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017", lpString2="sophos") returned -1 [0096.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e3a0 [0096.316] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0096.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e458 [0096.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e510 [0096.316] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe27c8 [0096.316] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.316] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.316] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.316] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.316] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0096.317] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0096.317] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e5c8 [0096.317] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e510 | out: hHeap=0x2680000) returned 1 [0096.317] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e690 [0096.317] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e758 [0096.317] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd0) returned 0x268e820 [0096.317] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0096.318] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.318] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.318] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.318] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.318] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc84ca0a, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc84ca0a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2=".") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="..") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="...") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="windows") returned -1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="$RECYCLE.BIN") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="rsa") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="NTDETECT.COM") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntldr") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="MSDOS.SYS") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="IO.SYS") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="boot.ini") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="AUTOEXEC.BAT") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="ntuser.dat") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="desktop.ini") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="CONFIG.SYS") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="RECYCLER") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="BOOTSECT.BAK") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="bootmgr") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="programdata") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="appdata") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="program files (x86)") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="microsoft") returned 1 [0096.318] lstrcmpiW (lpString1="vcRuntimeAdditional_amd64", lpString2="sophos") returned 1 [0096.318] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e8f8 [0096.318] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e820 | out: hHeap=0x2680000) returned 1 [0096.318] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e9f0 [0096.318] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268eae8 [0096.319] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0096.319] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{E512788E-C50B-3858-A4B9-73AD5F3F9E93}v14.10.25017\\packages\\vcRuntimeAdditional_amd64\\*.*", lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc84ca0a, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc84ca0a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2788 [0096.319] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.319] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc84ca0a, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc84ca0a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.319] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.319] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.319] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe90b3300, ftCreationTime.dwHighDateTime=0x1d28867, ftLastAccessTime.dwLowDateTime=0xe90b3300, ftLastAccessTime.dwHighDateTime=0x1d28867, ftLastWriteTime.dwLowDateTime=0xe90b3300, ftLastWriteTime.dwHighDateTime=0x1d28867, nFileSizeHigh=0x0, nFileSizeLow=0x59bde5, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0096.319] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0096.320] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0096.320] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0096.320] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0096.320] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0096.320] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0096.320] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0096.320] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0096.320] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0096.320] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0096.320] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0096.320] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0096.320] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11932d00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x11932d00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0x11932d00, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2=".") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="..") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="...") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="windows") returned -1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="$RECYCLE.BIN") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="rsa") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="NTDETECT.COM") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntldr") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="MSDOS.SYS") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="IO.SYS") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="boot.ini") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="AUTOEXEC.BAT") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="ntuser.dat") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="desktop.ini") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="CONFIG.SYS") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="RECYCLER") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="BOOTSECT.BAK") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="bootmgr") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="programdata") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="appdata") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="program files (x86)") returned 1 [0096.320] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="microsoft") returned 1 [0096.321] lstrcmpiW (lpString1="vc_runtimeAdditional_x64.msi", lpString2="sophos") returned 1 [0096.321] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x130) returned 0x268ebe0 [0096.321] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0096.321] PathFindExtensionW (pszPath="vc_runtimeAdditional_x64.msi") returned=".msi" [0096.321] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0096.321] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0096.321] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0096.321] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0096.321] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0096.321] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0096.321] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0096.321] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0096.321] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0096.321] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0096.321] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0096.321] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0096.321] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0096.321] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0096.321] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0096.321] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11932d00, ftCreationTime.dwHighDateTime=0x1d28868, ftLastAccessTime.dwLowDateTime=0x11932d00, ftLastAccessTime.dwHighDateTime=0x1d28868, ftLastWriteTime.dwLowDateTime=0x11932d00, ftLastWriteTime.dwHighDateTime=0x1d28868, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x64.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0096.321] FindClose (in: hFindFile=0xbe2788 | out: hFindFile=0xbe2788) returned 1 [0096.321] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebe0 | out: hHeap=0x2680000) returned 1 [0096.321] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eae8 | out: hHeap=0x2680000) returned 1 [0096.321] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9f0 | out: hHeap=0x2680000) returned 1 [0096.321] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc84ca0a, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc84ca0a, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_amd64", cAlternateFileName="VCRUNT~1")) returned 0 [0096.321] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0096.321] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e8f8 | out: hHeap=0x2680000) returned 1 [0096.321] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0096.321] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0096.321] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc8267ac, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc8267ac, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc8267ac, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0096.321] FindClose (in: hFindFile=0xbe27c8 | out: hFindFile=0xbe27c8) returned 1 [0096.322] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5c8 | out: hHeap=0x2680000) returned 1 [0096.322] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0096.322] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.322] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc767be9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e52a6842-b0ac-476e-b48f-378a97a67346}", cAlternateFileName="{E52A6~1")) returned 1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2=".") returned 1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="..") returned 1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="...") returned 1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="windows") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="$RECYCLE.BIN") returned 1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="rsa") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="NTDETECT.COM") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="ntldr") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="MSDOS.SYS") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="IO.SYS") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="boot.ini") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="AUTOEXEC.BAT") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="ntuser.dat") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="desktop.ini") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="CONFIG.SYS") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="RECYCLER") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="BOOTSECT.BAK") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="bootmgr") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="programdata") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="appdata") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="program files") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="program files (x86)") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="microsoft") returned -1 [0096.322] lstrcmpiW (lpString1="{e52a6842-b0ac-476e-b48f-378a97a67346}", lpString2="sophos") returned -1 [0096.322] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be40 [0096.322] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd6) returned 0x268e458 [0096.322] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be40 | out: hHeap=0x2680000) returned 1 [0096.322] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a0 | out: hHeap=0x2680000) returned 1 [0096.322] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e2e8 [0096.322] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e390 [0096.323] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e538 [0096.323] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc767be9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe23c8 [0096.323] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.323] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc767be9, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.323] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.323] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.323] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x37687158, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x2ee, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0096.323] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0096.324] lstrcmpiW (lpString1="state.rsm", lpString2="microsoft") returned 1 [0096.324] lstrcmpiW (lpString1="state.rsm", lpString2="sophos") returned 1 [0096.324] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e5e0 [0096.324] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0096.324] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".NEFILIM") returned 1 [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0096.324] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0096.324] lstrcmpiW (lpString1="state.rsm", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.324] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e698 [0096.324] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.390] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=750) returned 1 [0096.390] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0096.390] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.390] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0096.390] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.390] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0096.390] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0096.390] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.391] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.393] GetTickCount () returned 0x11594ba [0096.393] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0096.393] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.393] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.393] SetLastError (dwErrCode=0x0) [0096.393] WriteFile (in: hFile=0x270, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.395] GetLastError () returned 0x0 [0096.395] GetLastError () returned 0x0 [0096.395] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.395] WriteFile (in: hFile=0x270, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.395] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.395] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34729c7e, dwHighDateTime=0x1d5f971)) [0096.395] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0096.395] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.395] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.395] GetProcessHeap () returned 0xbc0000 [0096.395] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2ee) returned 0xbe3f48 [0096.395] GetSystemDefaultLangID () returned 0xbd0409 [0096.395] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.395] ReadFile (in: hFile=0x270, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x2ee, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25be7fc*=0x2ee, lpOverlapped=0x0) returned 1 [0096.395] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.395] WriteFile (in: hFile=0x270, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x2ee, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25be7f0*=0x2ee, lpOverlapped=0x0) returned 1 [0096.395] GetProcessHeap () returned 0xbc0000 [0096.395] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0096.395] CloseHandle (hObject=0x270) returned 1 [0096.396] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0096.396] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0096.396] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0096.396] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.396] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e750 [0096.396] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.NEFILIM" (normalized: "c:\\users\\all users\\package cache\\{e52a6842-b0ac-476e-b48f-378a97a67346}\\state.rsm.nefilim")) returned 1 [0096.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e750 | out: hHeap=0x2680000) returned 1 [0096.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e698 | out: hHeap=0x2680000) returned 1 [0096.397] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc6f54ba, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0096.397] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2=".") returned 1 [0096.397] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="..") returned 1 [0096.397] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="...") returned 1 [0096.397] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="windows") returned -1 [0096.397] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="$RECYCLE.BIN") returned 1 [0096.397] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="rsa") returned 1 [0096.397] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="NTDETECT.COM") returned 1 [0096.397] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="ntldr") returned 1 [0096.397] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="MSDOS.SYS") returned 1 [0096.397] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="IO.SYS") returned 1 [0096.397] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="boot.ini") returned 1 [0096.397] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="AUTOEXEC.BAT") returned 1 [0096.397] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="ntuser.dat") returned 1 [0096.398] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="desktop.ini") returned 1 [0096.398] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="CONFIG.SYS") returned 1 [0096.398] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="RECYCLER") returned 1 [0096.398] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="BOOTSECT.BAK") returned 1 [0096.398] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="bootmgr") returned 1 [0096.398] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="programdata") returned 1 [0096.398] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="appdata") returned 1 [0096.398] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="program files") returned 1 [0096.398] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="program files (x86)") returned 1 [0096.398] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="microsoft") returned 1 [0096.398] lstrcmpiW (lpString1="VC_redist.x64.exe", lpString2="sophos") returned 1 [0096.398] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e698 [0096.398] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0096.398] PathFindExtensionW (pszPath="VC_redist.x64.exe") returned=".exe" [0096.398] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0096.398] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x80, ftCreationTime.dwLowDateTime=0xdc767be9, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xdc767be9, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xdc6f54ba, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0xbee38, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="VC_redist.x64.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0096.398] FindClose (in: hFindFile=0xbe23c8 | out: hFindFile=0xbe23c8) returned 1 [0096.398] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e698 | out: hHeap=0x2680000) returned 1 [0096.398] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e390 | out: hHeap=0x2680000) returned 1 [0096.398] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.398] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d43b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2593ec2, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", cAlternateFileName="{E6E75~1")) returned 1 [0096.398] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2=".") returned 1 [0096.398] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="..") returned 1 [0096.398] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="...") returned 1 [0096.398] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="windows") returned -1 [0096.398] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="$RECYCLE.BIN") returned 1 [0096.398] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="rsa") returned -1 [0096.398] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="NTDETECT.COM") returned -1 [0096.398] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="ntldr") returned -1 [0096.398] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="MSDOS.SYS") returned -1 [0096.398] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="IO.SYS") returned -1 [0096.398] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="boot.ini") returned -1 [0096.399] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="AUTOEXEC.BAT") returned -1 [0096.399] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="ntuser.dat") returned -1 [0096.399] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="desktop.ini") returned -1 [0096.399] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="CONFIG.SYS") returned -1 [0096.399] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="RECYCLER") returned -1 [0096.399] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="BOOTSECT.BAK") returned -1 [0096.399] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="bootmgr") returned -1 [0096.399] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="programdata") returned -1 [0096.399] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="appdata") returned -1 [0096.399] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="program files") returned -1 [0096.399] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="program files (x86)") returned -1 [0096.399] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="microsoft") returned -1 [0096.399] lstrcmpiW (lpString1="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpString2="sophos") returned -1 [0096.399] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be40 [0096.399] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd6) returned 0x268e2e8 [0096.399] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be40 | out: hHeap=0x2680000) returned 1 [0096.399] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0096.399] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e3c8 [0096.399] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e470 [0096.399] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e518 [0096.399] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d43b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2593ec2, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x57000156, cFileName=".", cAlternateFileName="")) returned 0xbe2788 [0096.399] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.399] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d43b1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2593ec2, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x57000156, cFileName="..", cAlternateFileName="")) returned 1 [0096.399] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.399] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.399] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd2593ec2, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x35efb7db, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x27e, dwReserved0=0x0, dwReserved1=0x57000156, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0096.399] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="microsoft") returned 1 [0096.400] lstrcmpiW (lpString1="state.rsm", lpString2="sophos") returned 1 [0096.400] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e5c0 [0096.400] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e518 | out: hHeap=0x2680000) returned 1 [0096.400] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0096.400] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0096.400] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0096.400] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0096.400] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0096.400] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0096.400] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0096.400] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0096.400] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0096.400] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0096.400] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0096.400] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0096.401] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0096.401] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0096.401] lstrcmpiW (lpString1=".rsm", lpString2=".NEFILIM") returned 1 [0096.401] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0096.401] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0096.401] lstrcmpiW (lpString1="state.rsm", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.401] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e678 [0096.401] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.401] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=638) returned 1 [0096.401] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.401] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0096.401] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.402] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0096.402] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0096.402] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0096.402] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.402] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.403] GetTickCount () returned 0x11594ba [0096.403] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0096.403] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.403] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x27e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.403] SetLastError (dwErrCode=0x0) [0096.403] WriteFile (in: hFile=0x270, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.405] GetLastError () returned 0x0 [0096.405] GetLastError () returned 0x0 [0096.405] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x37e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.405] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.405] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x47e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.405] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3474fcaa, dwHighDateTime=0x1d5f971)) [0096.405] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0096.405] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.405] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.405] GetProcessHeap () returned 0xbc0000 [0096.405] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x27e) returned 0xbe3f48 [0096.405] GetSystemDefaultLangID () returned 0xbd0409 [0096.405] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.405] ReadFile (in: hFile=0x270, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x27e, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25be7fc*=0x27e, lpOverlapped=0x0) returned 1 [0096.405] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.405] WriteFile (in: hFile=0x270, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x27e, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25be7f0*=0x27e, lpOverlapped=0x0) returned 1 [0096.406] GetProcessHeap () returned 0xbc0000 [0096.406] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0096.406] CloseHandle (hObject=0x270) returned 1 [0096.406] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0096.406] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0096.406] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.406] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0096.406] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e730 [0096.406] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.NEFILIM" (normalized: "c:\\users\\all users\\package cache\\{e6e75766-da0f-4ba2-9788-6ea593ce702d}\\state.rsm.nefilim")) returned 1 [0096.407] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0096.407] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e678 | out: hHeap=0x2680000) returned 1 [0096.407] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd2593ec2, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd2547a05, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x0, dwReserved1=0x57000156, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 1 [0096.407] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2=".") returned 1 [0096.407] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="..") returned 1 [0096.407] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="...") returned 1 [0096.407] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="windows") returned -1 [0096.407] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="$RECYCLE.BIN") returned 1 [0096.407] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="rsa") returned 1 [0096.407] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="NTDETECT.COM") returned 1 [0096.407] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="ntldr") returned 1 [0096.407] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="MSDOS.SYS") returned 1 [0096.407] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="IO.SYS") returned 1 [0096.407] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="boot.ini") returned 1 [0096.407] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="AUTOEXEC.BAT") returned 1 [0096.407] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="ntuser.dat") returned 1 [0096.407] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="desktop.ini") returned 1 [0096.407] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="CONFIG.SYS") returned 1 [0096.408] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="RECYCLER") returned 1 [0096.408] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="BOOTSECT.BAK") returned 1 [0096.408] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="bootmgr") returned 1 [0096.408] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="programdata") returned 1 [0096.408] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="appdata") returned 1 [0096.408] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files") returned 1 [0096.408] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="program files (x86)") returned 1 [0096.408] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="microsoft") returned 1 [0096.408] lstrcmpiW (lpString1="vcredist_x86.exe", lpString2="sophos") returned 1 [0096.408] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e678 [0096.408] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5c0 | out: hHeap=0x2680000) returned 1 [0096.408] PathFindExtensionW (pszPath="vcredist_x86.exe") returned=".exe" [0096.408] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0096.408] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2593ec2, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd2593ec2, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd2547a05, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x71080, dwReserved0=0x0, dwReserved1=0x57000156, cFileName="vcredist_x86.exe", cAlternateFileName="VCREDI~1.EXE")) returned 0 [0096.408] FindClose (in: hFindFile=0xbe2788 | out: hFindFile=0xbe2788) returned 1 [0096.409] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e678 | out: hHeap=0x2680000) returned 1 [0096.409] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e470 | out: hHeap=0x2680000) returned 1 [0096.409] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3c8 | out: hHeap=0x2680000) returned 1 [0096.409] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5598, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9a674c8, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{f325f05b-f963-4640-a43b-c8a494cdda0f}", cAlternateFileName="{F325F~1")) returned 1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2=".") returned 1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="..") returned 1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="...") returned 1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="windows") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="$RECYCLE.BIN") returned 1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="rsa") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="NTDETECT.COM") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="ntldr") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="MSDOS.SYS") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="IO.SYS") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="boot.ini") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="AUTOEXEC.BAT") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="ntuser.dat") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="desktop.ini") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="CONFIG.SYS") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="RECYCLER") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="BOOTSECT.BAK") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="bootmgr") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="programdata") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="appdata") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="program files") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="program files (x86)") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="microsoft") returned -1 [0096.409] lstrcmpiW (lpString1="{f325f05b-f963-4640-a43b-c8a494cdda0f}", lpString2="sophos") returned -1 [0096.409] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be40 [0096.409] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd6) returned 0x268e3c8 [0096.410] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be40 | out: hHeap=0x2680000) returned 1 [0096.410] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.410] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e2e8 [0096.410] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e4a8 [0096.410] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e550 [0096.410] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5598, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9a674c8, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0096.410] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.410] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5598, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9a674c8, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.410] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.410] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.410] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd9a674c8, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0x3714fdce, ftLastWriteTime.dwHighDateTime=0x1d327be, nFileSizeHigh=0x0, nFileSizeLow=0x2ee, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="state.rsm", cAlternateFileName="")) returned 1 [0096.410] lstrcmpiW (lpString1="state.rsm", lpString2=".") returned 1 [0096.410] lstrcmpiW (lpString1="state.rsm", lpString2="..") returned 1 [0096.410] lstrcmpiW (lpString1="state.rsm", lpString2="...") returned 1 [0096.410] lstrcmpiW (lpString1="state.rsm", lpString2="windows") returned -1 [0096.410] lstrcmpiW (lpString1="state.rsm", lpString2="$RECYCLE.BIN") returned 1 [0096.410] lstrcmpiW (lpString1="state.rsm", lpString2="rsa") returned 1 [0096.410] lstrcmpiW (lpString1="state.rsm", lpString2="NTDETECT.COM") returned 1 [0096.410] lstrcmpiW (lpString1="state.rsm", lpString2="ntldr") returned 1 [0096.410] lstrcmpiW (lpString1="state.rsm", lpString2="MSDOS.SYS") returned 1 [0096.410] lstrcmpiW (lpString1="state.rsm", lpString2="IO.SYS") returned 1 [0096.410] lstrcmpiW (lpString1="state.rsm", lpString2="boot.ini") returned 1 [0096.410] lstrcmpiW (lpString1="state.rsm", lpString2="AUTOEXEC.BAT") returned 1 [0096.410] lstrcmpiW (lpString1="state.rsm", lpString2="ntuser.dat") returned 1 [0096.410] lstrcmpiW (lpString1="state.rsm", lpString2="desktop.ini") returned 1 [0096.410] lstrcmpiW (lpString1="state.rsm", lpString2="CONFIG.SYS") returned 1 [0096.411] lstrcmpiW (lpString1="state.rsm", lpString2="RECYCLER") returned 1 [0096.411] lstrcmpiW (lpString1="state.rsm", lpString2="BOOTSECT.BAK") returned 1 [0096.411] lstrcmpiW (lpString1="state.rsm", lpString2="bootmgr") returned 1 [0096.411] lstrcmpiW (lpString1="state.rsm", lpString2="programdata") returned 1 [0096.411] lstrcmpiW (lpString1="state.rsm", lpString2="appdata") returned 1 [0096.411] lstrcmpiW (lpString1="state.rsm", lpString2="program files") returned 1 [0096.411] lstrcmpiW (lpString1="state.rsm", lpString2="program files (x86)") returned 1 [0096.411] lstrcmpiW (lpString1="state.rsm", lpString2="microsoft") returned 1 [0096.411] lstrcmpiW (lpString1="state.rsm", lpString2="sophos") returned 1 [0096.411] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e5f8 [0096.411] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e550 | out: hHeap=0x2680000) returned 1 [0096.411] PathFindExtensionW (pszPath="state.rsm") returned=".rsm" [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".exe") returned 1 [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".log") returned 1 [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".cab") returned 1 [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".cmd") returned 1 [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".com") returned 1 [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".cpl") returned 1 [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".ini") returned 1 [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".dll") returned 1 [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".url") returned -1 [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".ttf") returned -1 [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".mp3") returned 1 [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".pif") returned 1 [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".mp4") returned 1 [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".NEFILIM") returned 1 [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".msi") returned 1 [0096.411] lstrcmpiW (lpString1=".rsm", lpString2=".lnk") returned 1 [0096.411] lstrcmpiW (lpString1="state.rsm", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.411] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e6b0 [0096.411] CreateFileW (lpFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.412] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=750) returned 1 [0096.412] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0096.412] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0096.412] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0096.412] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0096.412] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0096.412] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0096.412] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.412] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.412] GetTickCount () returned 0x11594ca [0096.412] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e390 [0096.413] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e390 | out: hHeap=0x2680000) returned 1 [0096.413] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.413] SetLastError (dwErrCode=0x0) [0096.413] WriteFile (in: hFile=0x270, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.414] GetLastError () returned 0x0 [0096.414] GetLastError () returned 0x0 [0096.414] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.414] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.414] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4ee, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.414] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3474fcaa, dwHighDateTime=0x1d5f971)) [0096.414] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0096.414] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.415] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.415] GetProcessHeap () returned 0xbc0000 [0096.415] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2ee) returned 0xbe3f48 [0096.415] GetSystemDefaultLangID () returned 0xbd0409 [0096.415] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.415] ReadFile (in: hFile=0x270, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x2ee, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25be7fc*=0x2ee, lpOverlapped=0x0) returned 1 [0096.415] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.415] WriteFile (in: hFile=0x270, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x2ee, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25be7f0*=0x2ee, lpOverlapped=0x0) returned 1 [0096.415] GetProcessHeap () returned 0xbc0000 [0096.415] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0096.415] CloseHandle (hObject=0x270) returned 1 [0096.416] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0096.416] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0096.416] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0096.416] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0096.416] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e768 [0096.416] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm"), lpNewFileName="C:\\Users\\All Users\\Package Cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.NEFILIM" (normalized: "c:\\users\\all users\\package cache\\{f325f05b-f963-4640-a43b-c8a494cdda0f}\\state.rsm.nefilim")) returned 1 [0096.416] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0096.416] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6b0 | out: hHeap=0x2680000) returned 1 [0096.416] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd9a674c8, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd99f4dad, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 1 [0096.416] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2=".") returned 1 [0096.416] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="..") returned 1 [0096.416] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="...") returned 1 [0096.416] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="windows") returned -1 [0096.416] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="$RECYCLE.BIN") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="rsa") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="NTDETECT.COM") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="ntldr") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="MSDOS.SYS") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="IO.SYS") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="boot.ini") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="AUTOEXEC.BAT") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="ntuser.dat") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="desktop.ini") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="CONFIG.SYS") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="RECYCLER") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="BOOTSECT.BAK") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="bootmgr") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="programdata") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="appdata") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="program files") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="program files (x86)") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="microsoft") returned 1 [0096.417] lstrcmpiW (lpString1="VC_redist.x86.exe", lpString2="sophos") returned 1 [0096.417] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e6b0 [0096.417] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5f8 | out: hHeap=0x2680000) returned 1 [0096.417] PathFindExtensionW (pszPath="VC_redist.x86.exe") returned=".exe" [0096.417] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0096.417] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd9a674c8, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xd9a674c8, ftLastAccessTime.dwHighDateTime=0x1d327b7, ftLastWriteTime.dwLowDateTime=0xd99f4dad, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0xbee30, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="VC_redist.x86.exe", cAlternateFileName="VC_RED~1.EXE")) returned 0 [0096.417] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0096.417] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6b0 | out: hHeap=0x2680000) returned 1 [0096.417] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4a8 | out: hHeap=0x2680000) returned 1 [0096.417] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.417] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 1 [0096.417] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2=".") returned 1 [0096.417] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="..") returned 1 [0096.417] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="...") returned 1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="windows") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="$RECYCLE.BIN") returned 1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="rsa") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="NTDETECT.COM") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="ntldr") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="MSDOS.SYS") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="IO.SYS") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="boot.ini") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="AUTOEXEC.BAT") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="ntuser.dat") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="desktop.ini") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="CONFIG.SYS") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="RECYCLER") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="BOOTSECT.BAK") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="bootmgr") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="programdata") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="appdata") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="program files") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="program files (x86)") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="microsoft") returned -1 [0096.418] lstrcmpiW (lpString1="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", lpString2="sophos") returned -1 [0096.418] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e2e8 [0096.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3c8 | out: hHeap=0x2680000) returned 1 [0096.418] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e3a0 [0096.418] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e458 [0096.418] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e510 [0096.418] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0096.418] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.419] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="..", cAlternateFileName="")) returned 1 [0096.419] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.419] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.419] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2=".") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="..") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="...") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="windows") returned -1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="$RECYCLE.BIN") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="rsa") returned -1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="NTDETECT.COM") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="ntldr") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="MSDOS.SYS") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="IO.SYS") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="boot.ini") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="AUTOEXEC.BAT") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="ntuser.dat") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="desktop.ini") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="CONFIG.SYS") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="RECYCLER") returned -1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="BOOTSECT.BAK") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="bootmgr") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="programdata") returned -1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="appdata") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="program files") returned -1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="program files (x86)") returned -1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="microsoft") returned 1 [0096.419] lstrcmpiW (lpString1="packages", lpString2="sophos") returned -1 [0096.419] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e5c8 [0096.419] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e510 | out: hHeap=0x2680000) returned 1 [0096.419] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e690 [0096.419] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e758 [0096.419] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e820 [0096.419] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2388 [0096.420] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.420] FindNextFileW (in: hFindFile=0xbe2388, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.420] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.420] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.420] FindNextFileW (in: hFindFile=0xbe2388, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d815c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd26eb3fc, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2=".") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="..") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="...") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="windows") returned -1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="$RECYCLE.BIN") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="rsa") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="NTDETECT.COM") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntldr") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="MSDOS.SYS") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="IO.SYS") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="boot.ini") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="AUTOEXEC.BAT") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="ntuser.dat") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="desktop.ini") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="CONFIG.SYS") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="RECYCLER") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="BOOTSECT.BAK") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="bootmgr") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="programdata") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="appdata") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files") returned 1 [0096.420] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="program files (x86)") returned 1 [0096.421] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="microsoft") returned 1 [0096.421] lstrcmpiW (lpString1="vcRuntimeAdditional_x86", lpString2="sophos") returned 1 [0096.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e8e8 [0096.421] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e820 | out: hHeap=0x2680000) returned 1 [0096.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268e9e0 [0096.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ead8 [0096.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268ebd0 [0096.421] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Package Cache\\{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005\\packages\\vcRuntimeAdditional_x86\\*.*", lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d815c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd26eb3fc, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2948 [0096.421] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.421] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d815c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd26eb3fc, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.421] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.422] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.422] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6151ff00, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x6151ff00, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x6151ff00, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0x4b4520, dwReserved0=0x0, dwReserved1=0x0, cFileName="cab1.cab", cAlternateFileName="")) returned 1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2=".") returned 1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="..") returned 1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="...") returned 1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="windows") returned -1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="$RECYCLE.BIN") returned 1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="rsa") returned -1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="NTDETECT.COM") returned -1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="ntldr") returned -1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="MSDOS.SYS") returned -1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="IO.SYS") returned -1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="boot.ini") returned 1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="AUTOEXEC.BAT") returned 1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="ntuser.dat") returned -1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="desktop.ini") returned -1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="CONFIG.SYS") returned -1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="RECYCLER") returned -1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="BOOTSECT.BAK") returned 1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="bootmgr") returned 1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="programdata") returned -1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="appdata") returned 1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="program files") returned -1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="program files (x86)") returned -1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="microsoft") returned -1 [0096.422] lstrcmpiW (lpString1="cab1.cab", lpString2="sophos") returned -1 [0096.422] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0096.422] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebd0 | out: hHeap=0x2680000) returned 1 [0096.422] PathFindExtensionW (pszPath="cab1.cab") returned=".cab" [0096.422] lstrcmpiW (lpString1=".cab", lpString2=".exe") returned -1 [0096.422] lstrcmpiW (lpString1=".cab", lpString2=".log") returned -1 [0096.422] lstrcmpiW (lpString1=".cab", lpString2=".cab") returned 0 [0096.422] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbe7800, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5dbe7800, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x5dbe7800, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 1 [0096.422] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2=".") returned 1 [0096.422] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="..") returned 1 [0096.422] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="...") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="windows") returned -1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="$RECYCLE.BIN") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="rsa") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="NTDETECT.COM") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntldr") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="MSDOS.SYS") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="IO.SYS") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="boot.ini") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="AUTOEXEC.BAT") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="ntuser.dat") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="desktop.ini") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="CONFIG.SYS") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="RECYCLER") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="BOOTSECT.BAK") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="bootmgr") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="programdata") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="appdata") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="program files (x86)") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="microsoft") returned 1 [0096.423] lstrcmpiW (lpString1="vc_runtimeAdditional_x86.msi", lpString2="sophos") returned 1 [0096.423] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x130) returned 0x268ebd0 [0096.423] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0096.423] PathFindExtensionW (pszPath="vc_runtimeAdditional_x86.msi") returned=".msi" [0096.423] lstrcmpiW (lpString1=".msi", lpString2=".exe") returned 1 [0096.423] lstrcmpiW (lpString1=".msi", lpString2=".log") returned 1 [0096.423] lstrcmpiW (lpString1=".msi", lpString2=".cab") returned 1 [0096.423] lstrcmpiW (lpString1=".msi", lpString2=".cmd") returned 1 [0096.423] lstrcmpiW (lpString1=".msi", lpString2=".com") returned 1 [0096.423] lstrcmpiW (lpString1=".msi", lpString2=".cpl") returned 1 [0096.423] lstrcmpiW (lpString1=".msi", lpString2=".ini") returned 1 [0096.423] lstrcmpiW (lpString1=".msi", lpString2=".dll") returned 1 [0096.423] lstrcmpiW (lpString1=".msi", lpString2=".url") returned -1 [0096.423] lstrcmpiW (lpString1=".msi", lpString2=".ttf") returned -1 [0096.423] lstrcmpiW (lpString1=".msi", lpString2=".mp3") returned 1 [0096.423] lstrcmpiW (lpString1=".msi", lpString2=".pif") returned -1 [0096.423] lstrcmpiW (lpString1=".msi", lpString2=".mp4") returned 1 [0096.424] lstrcmpiW (lpString1=".msi", lpString2=".NEFILIM") returned -1 [0096.424] lstrcmpiW (lpString1=".msi", lpString2=".msi") returned 0 [0096.424] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5dbe7800, ftCreationTime.dwHighDateTime=0x1cf3e16, ftLastAccessTime.dwLowDateTime=0x5dbe7800, ftLastAccessTime.dwHighDateTime=0x1cf3e16, ftLastWriteTime.dwLowDateTime=0x5dbe7800, ftLastWriteTime.dwHighDateTime=0x1cf3e16, nFileSizeHigh=0x0, nFileSizeLow=0x23000, dwReserved0=0x0, dwReserved1=0x0, cFileName="vc_runtimeAdditional_x86.msi", cAlternateFileName="VC_RUN~1.MSI")) returned 0 [0096.424] FindClose (in: hFindFile=0xbe2948 | out: hFindFile=0xbe2948) returned 1 [0096.424] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebd0 | out: hHeap=0x2680000) returned 1 [0096.424] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ead8 | out: hHeap=0x2680000) returned 1 [0096.424] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9e0 | out: hHeap=0x2680000) returned 1 [0096.424] FindNextFileW (in: hFindFile=0xbe2388, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d815c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd26eb3fc, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcRuntimeAdditional_x86", cAlternateFileName="VCRUNT~1")) returned 0 [0096.424] FindClose (in: hFindFile=0xbe2388 | out: hFindFile=0xbe2388) returned 1 [0096.424] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e8e8 | out: hHeap=0x2680000) returned 1 [0096.424] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0096.424] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0096.424] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2678ce4, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d6870, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="packages", cAlternateFileName="")) returned 0 [0096.424] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0096.424] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5c8 | out: hHeap=0x2680000) returned 1 [0096.424] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0096.424] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a0 | out: hHeap=0x2680000) returned 1 [0096.424] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd2652a95, ftCreationTime.dwHighDateTime=0x1d327b7, ftLastAccessTime.dwLowDateTime=0xc30d5efa, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd2678ce4, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}v12.0.21005", cAlternateFileName="{F8CFE~1.210")) returned 0 [0096.424] FindClose (in: hFindFile=0xbe2748 | out: hFindFile=0xbe2748) returned 1 [0096.425] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.425] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bde8 | out: hHeap=0x2680000) returned 1 [0096.425] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0096.425] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3122174, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x53fba98c, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft", cAlternateFileName="REGID1~1.MIC")) returned 1 [0096.425] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2=".") returned 1 [0096.425] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="..") returned 1 [0096.425] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="...") returned 1 [0096.425] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="windows") returned -1 [0096.425] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="$RECYCLE.BIN") returned 1 [0096.425] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="rsa") returned -1 [0096.425] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="NTDETECT.COM") returned 1 [0096.425] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="ntldr") returned 1 [0096.425] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="MSDOS.SYS") returned 1 [0096.425] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="IO.SYS") returned 1 [0096.426] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="boot.ini") returned 1 [0096.426] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="AUTOEXEC.BAT") returned 1 [0096.426] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="ntuser.dat") returned 1 [0096.426] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="desktop.ini") returned 1 [0096.426] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="CONFIG.SYS") returned 1 [0096.426] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="RECYCLER") returned 1 [0096.426] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="BOOTSECT.BAK") returned 1 [0096.426] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="bootmgr") returned 1 [0096.426] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="programdata") returned 1 [0096.426] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="appdata") returned 1 [0096.426] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="program files") returned 1 [0096.426] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="program files (x86)") returned 1 [0096.426] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="microsoft") returned 1 [0096.426] lstrcmpiW (lpString1="regid.1991-06.com.microsoft", lpString2="sophos") returned -1 [0096.426] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0096.426] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0096.426] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0096.426] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268be60 [0096.426] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0096.426] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3122174, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x53fba98c, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2648 [0096.505] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.505] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x30, ftCreationTime.dwLowDateTime=0x17d079d0, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3122174, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x53fba98c, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.506] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.506] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.506] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1446700, ftCreationTime.dwHighDateTime=0x1d0d7c7, ftLastAccessTime.dwLowDateTime=0x4af5600b, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf1446700, ftLastWriteTime.dwHighDateTime=0x1d0d7c7, nFileSizeHigh=0x0, nFileSizeLow=0x430, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", cAlternateFileName="REGID1~3.SWI")) returned 1 [0096.506] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2=".") returned 1 [0096.506] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="..") returned 1 [0096.506] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="...") returned 1 [0096.506] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="windows") returned -1 [0096.506] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="$RECYCLE.BIN") returned 1 [0096.506] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="rsa") returned -1 [0096.506] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="NTDETECT.COM") returned 1 [0096.506] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="ntldr") returned 1 [0096.506] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="MSDOS.SYS") returned 1 [0096.506] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="IO.SYS") returned 1 [0096.506] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="boot.ini") returned 1 [0096.506] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="AUTOEXEC.BAT") returned 1 [0096.506] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="ntuser.dat") returned 1 [0096.506] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="desktop.ini") returned 1 [0096.507] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="CONFIG.SYS") returned 1 [0096.507] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="RECYCLER") returned 1 [0096.507] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="BOOTSECT.BAK") returned 1 [0096.507] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="bootmgr") returned 1 [0096.507] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="programdata") returned 1 [0096.507] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="appdata") returned 1 [0096.507] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="program files") returned 1 [0096.507] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="program files (x86)") returned 1 [0096.507] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="microsoft") returned 1 [0096.507] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="sophos") returned -1 [0096.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x110) returned 0x268e2e8 [0096.507] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.507] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag") returned=".swidtag" [0096.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812e8 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".exe") returned 1 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".log") returned 1 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".cab") returned 1 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".cmd") returned 1 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".com") returned 1 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".cpl") returned 1 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".ini") returned 1 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".dll") returned 1 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".url") returned -1 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".ttf") returned -1 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".mp3") returned 1 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".pif") returned 1 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".mp4") returned 1 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".NEFILIM") returned 1 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".msi") returned 1 [0096.507] lstrcmpiW (lpString1=".swidtag", lpString2=".lnk") returned 1 [0096.507] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x110) returned 0x268e400 [0096.507] CreateFileW (lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0096.527] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=1072) returned 1 [0096.527] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.527] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0096.528] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.528] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0096.528] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0096.528] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0096.528] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25beab8*=0x100) returned 1 [0096.529] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25beab4*=0x100) returned 1 [0096.530] GetTickCount () returned 0x1159547 [0096.530] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0096.530] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.530] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x430, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.530] SetLastError (dwErrCode=0x0) [0096.530] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0096.657] GetLastError () returned 0x0 [0096.657] GetLastError () returned 0x0 [0096.657] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x530, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.657] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0096.657] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x630, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.657] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x349b23e9, dwHighDateTime=0x1d5f971)) [0096.657] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0096.658] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.658] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0096.658] GetProcessHeap () returned 0xbc0000 [0096.658] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x430) returned 0xbe3f48 [0096.658] GetSystemDefaultLangID () returned 0xbd0409 [0096.658] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.658] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x430, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0x430, lpOverlapped=0x0) returned 1 [0096.658] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.658] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x430, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0x430, lpOverlapped=0x0) returned 1 [0096.658] GetProcessHeap () returned 0xbc0000 [0096.658] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0096.658] CloseHandle (hObject=0x26c) returned 1 [0096.659] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0096.659] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0096.659] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.659] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0096.660] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x120) returned 0x268e518 [0096.660] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag"), lpNewFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Extensibility Component.swidtag.NEFILIM" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run extensibility component.swidtag.nefilim")) returned 1 [0096.660] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e518 | out: hHeap=0x2680000) returned 1 [0096.660] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e400 | out: hHeap=0x2680000) returned 1 [0096.660] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812e8 | out: hHeap=0x2680000) returned 1 [0096.660] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfbfefc00, ftCreationTime.dwHighDateTime=0x1d0d7c7, ftLastAccessTime.dwLowDateTime=0xda9f4a95, ftLastAccessTime.dwHighDateTime=0x1d327e7, ftLastWriteTime.dwLowDateTime=0xfbfefc00, ftLastWriteTime.dwHighDateTime=0x1d0d7c7, nFileSizeHigh=0x0, nFileSizeLow=0x42c, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", cAlternateFileName="REGID1~2.SWI")) returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2=".") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="..") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="...") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="windows") returned -1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="$RECYCLE.BIN") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="rsa") returned -1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="NTDETECT.COM") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="ntldr") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="MSDOS.SYS") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="IO.SYS") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="boot.ini") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="AUTOEXEC.BAT") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="ntuser.dat") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="desktop.ini") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="CONFIG.SYS") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="RECYCLER") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="BOOTSECT.BAK") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="bootmgr") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="programdata") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="appdata") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="program files") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="program files (x86)") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="microsoft") returned 1 [0096.661] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="sophos") returned -1 [0096.661] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0096.661] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.661] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag") returned=".swidtag" [0096.661] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812e8 [0096.661] lstrcmpiW (lpString1=".swidtag", lpString2=".exe") returned 1 [0096.661] lstrcmpiW (lpString1=".swidtag", lpString2=".log") returned 1 [0096.661] lstrcmpiW (lpString1=".swidtag", lpString2=".cab") returned 1 [0096.661] lstrcmpiW (lpString1=".swidtag", lpString2=".cmd") returned 1 [0096.661] lstrcmpiW (lpString1=".swidtag", lpString2=".com") returned 1 [0096.661] lstrcmpiW (lpString1=".swidtag", lpString2=".cpl") returned 1 [0096.661] lstrcmpiW (lpString1=".swidtag", lpString2=".ini") returned 1 [0096.661] lstrcmpiW (lpString1=".swidtag", lpString2=".dll") returned 1 [0096.662] lstrcmpiW (lpString1=".swidtag", lpString2=".url") returned -1 [0096.662] lstrcmpiW (lpString1=".swidtag", lpString2=".ttf") returned -1 [0096.662] lstrcmpiW (lpString1=".swidtag", lpString2=".mp3") returned 1 [0096.662] lstrcmpiW (lpString1=".swidtag", lpString2=".pif") returned 1 [0096.662] lstrcmpiW (lpString1=".swidtag", lpString2=".mp4") returned 1 [0096.662] lstrcmpiW (lpString1=".swidtag", lpString2=".NEFILIM") returned 1 [0096.662] lstrcmpiW (lpString1=".swidtag", lpString2=".msi") returned 1 [0096.662] lstrcmpiW (lpString1=".swidtag", lpString2=".lnk") returned 1 [0096.662] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.662] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0096.662] CreateFileW (lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0096.664] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=1068) returned 1 [0096.664] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0096.664] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.664] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0096.664] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.664] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0096.664] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0096.664] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25beab8*=0x100) returned 1 [0096.665] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25beab4*=0x100) returned 1 [0096.666] GetTickCount () returned 0x11595c4 [0096.666] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0096.666] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.666] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x42c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.666] SetLastError (dwErrCode=0x0) [0096.666] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0096.669] GetLastError () returned 0x0 [0096.669] GetLastError () returned 0x0 [0096.669] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x52c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.669] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0096.669] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x62c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.669] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x349b23e9, dwHighDateTime=0x1d5f971)) [0096.669] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0096.669] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.669] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0096.669] GetProcessHeap () returned 0xbc0000 [0096.669] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x42c) returned 0xbe3f48 [0096.669] GetSystemDefaultLangID () returned 0xbd0409 [0096.669] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.669] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x42c, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0x42c, lpOverlapped=0x0) returned 1 [0096.669] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.669] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x42c, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0x42c, lpOverlapped=0x0) returned 1 [0096.670] GetProcessHeap () returned 0xbc0000 [0096.670] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0096.670] CloseHandle (hObject=0x26c) returned 1 [0096.671] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0096.671] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0096.671] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0096.671] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.671] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x110) returned 0x268e2e8 [0096.671] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag"), lpNewFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Licensing Component.swidtag.NEFILIM" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run licensing component.swidtag.nefilim")) returned 1 [0096.671] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.671] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0096.671] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812e8 | out: hHeap=0x2680000) returned 1 [0096.672] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1446700, ftCreationTime.dwHighDateTime=0x1d0d7c7, ftLastAccessTime.dwLowDateTime=0x53fba98c, ftLastAccessTime.dwHighDateTime=0x1d327e9, ftLastWriteTime.dwLowDateTime=0xf1446700, ftLastWriteTime.dwHighDateTime=0x1d0d7c7, nFileSizeHigh=0x0, nFileSizeLow=0x42f, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", cAlternateFileName="REGID1~4.SWI")) returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2=".") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="..") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="...") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="windows") returned -1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="$RECYCLE.BIN") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="rsa") returned -1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="NTDETECT.COM") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="ntldr") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="MSDOS.SYS") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="IO.SYS") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="boot.ini") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="AUTOEXEC.BAT") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="ntuser.dat") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="desktop.ini") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="CONFIG.SYS") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="RECYCLER") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="BOOTSECT.BAK") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="bootmgr") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="programdata") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="appdata") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="program files") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="program files (x86)") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="microsoft") returned 1 [0096.672] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="sophos") returned -1 [0096.672] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x110) returned 0x268e2e8 [0096.672] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0096.672] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag") returned=".swidtag" [0096.672] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812e8 [0096.672] lstrcmpiW (lpString1=".swidtag", lpString2=".exe") returned 1 [0096.672] lstrcmpiW (lpString1=".swidtag", lpString2=".log") returned 1 [0096.672] lstrcmpiW (lpString1=".swidtag", lpString2=".cab") returned 1 [0096.672] lstrcmpiW (lpString1=".swidtag", lpString2=".cmd") returned 1 [0096.672] lstrcmpiW (lpString1=".swidtag", lpString2=".com") returned 1 [0096.672] lstrcmpiW (lpString1=".swidtag", lpString2=".cpl") returned 1 [0096.672] lstrcmpiW (lpString1=".swidtag", lpString2=".ini") returned 1 [0096.672] lstrcmpiW (lpString1=".swidtag", lpString2=".dll") returned 1 [0096.673] lstrcmpiW (lpString1=".swidtag", lpString2=".url") returned -1 [0096.673] lstrcmpiW (lpString1=".swidtag", lpString2=".ttf") returned -1 [0096.673] lstrcmpiW (lpString1=".swidtag", lpString2=".mp3") returned 1 [0096.673] lstrcmpiW (lpString1=".swidtag", lpString2=".pif") returned 1 [0096.673] lstrcmpiW (lpString1=".swidtag", lpString2=".mp4") returned 1 [0096.673] lstrcmpiW (lpString1=".swidtag", lpString2=".NEFILIM") returned 1 [0096.673] lstrcmpiW (lpString1=".swidtag", lpString2=".msi") returned 1 [0096.673] lstrcmpiW (lpString1=".swidtag", lpString2=".lnk") returned 1 [0096.673] lstrcmpiW (lpString1="regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.673] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x110) returned 0x268e400 [0096.673] CreateFileW (lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0096.674] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=1071) returned 1 [0096.674] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0096.674] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.674] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0096.674] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.674] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0096.674] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0096.674] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25beab8*=0x100) returned 1 [0096.675] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25beab4*=0x100) returned 1 [0096.676] GetTickCount () returned 0x11595d4 [0096.676] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x26804b8 [0096.676] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.676] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x42f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.676] SetLastError (dwErrCode=0x0) [0096.676] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0096.678] GetLastError () returned 0x0 [0096.678] GetLastError () returned 0x0 [0096.678] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x52f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.678] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0096.678] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x62f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.678] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x349d9069, dwHighDateTime=0x1d5f971)) [0096.678] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0096.678] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.678] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0096.678] GetProcessHeap () returned 0xbc0000 [0096.678] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x42f) returned 0xbe3f48 [0096.678] GetSystemDefaultLangID () returned 0xbd0409 [0096.678] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.678] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x42f, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0x42f, lpOverlapped=0x0) returned 1 [0096.678] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.678] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x42f, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0x42f, lpOverlapped=0x0) returned 1 [0096.678] GetProcessHeap () returned 0xbc0000 [0096.678] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0096.679] CloseHandle (hObject=0x26c) returned 1 [0096.679] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0096.679] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0096.679] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0096.679] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.679] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x120) returned 0x268e518 [0096.679] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag"), lpNewFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft Office 16 Click-to-Run Localization Component.swidtag.NEFILIM" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft office 16 click-to-run localization component.swidtag.nefilim")) returned 1 [0096.680] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e518 | out: hHeap=0x2680000) returned 1 [0096.680] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e400 | out: hHeap=0x2680000) returned 1 [0096.680] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812e8 | out: hHeap=0x2680000) returned 1 [0096.680] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7be169cf, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x6f2e8f23, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x6f2e8f23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x3e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", cAlternateFileName="REGID1~1.SWI")) returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2=".") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="..") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="...") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="windows") returned -1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="$RECYCLE.BIN") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="rsa") returned -1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="NTDETECT.COM") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="ntldr") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="MSDOS.SYS") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="IO.SYS") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="boot.ini") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="AUTOEXEC.BAT") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="ntuser.dat") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="desktop.ini") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="CONFIG.SYS") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="RECYCLER") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="BOOTSECT.BAK") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="bootmgr") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="programdata") returned 1 [0096.680] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="appdata") returned 1 [0096.681] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="program files") returned 1 [0096.681] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="program files (x86)") returned 1 [0096.681] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="microsoft") returned 1 [0096.681] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="sophos") returned -1 [0096.681] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd0) returned 0x26804b8 [0096.681] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.681] PathFindExtensionW (pszPath="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag") returned=".swidtag" [0096.681] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26812e8 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".exe") returned 1 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".log") returned 1 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".cab") returned 1 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".cmd") returned 1 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".com") returned 1 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".cpl") returned 1 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".ini") returned 1 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".dll") returned 1 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".url") returned -1 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".ttf") returned -1 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".mp3") returned 1 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".pif") returned 1 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".mp4") returned 1 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".NEFILIM") returned 1 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".msi") returned 1 [0096.681] lstrcmpiW (lpString1=".swidtag", lpString2=".lnk") returned 1 [0096.681] lstrcmpiW (lpString1="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.681] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd0) returned 0x268e2e8 [0096.681] CreateFileW (lpFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0096.681] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=997) returned 1 [0096.681] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0096.682] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.682] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0096.682] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.682] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0096.682] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0096.682] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25beab8*=0x100) returned 1 [0096.682] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25beab4*=0x100) returned 1 [0096.683] GetTickCount () returned 0x11595d4 [0096.683] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e3c0 [0096.683] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3c0 | out: hHeap=0x2680000) returned 1 [0096.683] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3e5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.683] SetLastError (dwErrCode=0x0) [0096.683] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0096.685] GetLastError () returned 0x0 [0096.685] GetLastError () returned 0x0 [0096.685] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4e5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.685] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0096.685] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5e5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.685] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x349d9069, dwHighDateTime=0x1d5f971)) [0096.685] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e3c0 [0096.685] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3c0 | out: hHeap=0x2680000) returned 1 [0096.685] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0096.685] GetProcessHeap () returned 0xbc0000 [0096.685] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3e5) returned 0xbe3f48 [0096.685] GetSystemDefaultLangID () returned 0xbd0409 [0096.685] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.685] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x3e5, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0x3e5, lpOverlapped=0x0) returned 1 [0096.685] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.685] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x3e5, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0x3e5, lpOverlapped=0x0) returned 1 [0096.685] GetProcessHeap () returned 0xbc0000 [0096.686] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0096.686] CloseHandle (hObject=0x26c) returned 1 [0096.687] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0096.687] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0096.687] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0f0 | out: hHeap=0x2680000) returned 1 [0096.687] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.687] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xe0) returned 0x268e3c0 [0096.687] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag"), lpNewFileName="C:\\Users\\All Users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_Windows-10-Pro.swidtag.NEFILIM" (normalized: "c:\\users\\all users\\regid.1991-06.com.microsoft\\regid.1991-06.com.microsoft_windows-10-pro.swidtag.nefilim")) returned 1 [0096.687] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3c0 | out: hHeap=0x2680000) returned 1 [0096.687] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.687] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812e8 | out: hHeap=0x2680000) returned 1 [0096.687] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7be169cf, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x6f2e8f23, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x6f2e8f23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x3e5, dwReserved0=0x0, dwReserved1=0x0, cFileName="regid.1991-06.com.microsoft_Windows-10-Pro.swidtag", cAlternateFileName="REGID1~1.SWI")) returned 0 [0096.687] FindClose (in: hFindFile=0xbe2648 | out: hFindFile=0xbe2648) returned 1 [0096.687] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.688] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0096.688] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0096.688] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SoftwareDistribution", cAlternateFileName="SOFTWA~1")) returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2=".") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="..") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="...") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="windows") returned -1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="$RECYCLE.BIN") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="rsa") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="NTDETECT.COM") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="ntldr") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="MSDOS.SYS") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="IO.SYS") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="boot.ini") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="AUTOEXEC.BAT") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="ntuser.dat") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="desktop.ini") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="CONFIG.SYS") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="RECYCLER") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="BOOTSECT.BAK") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="bootmgr") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="programdata") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="appdata") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="program files") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="program files (x86)") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="microsoft") returned 1 [0096.688] lstrcmpiW (lpString1="SoftwareDistribution", lpString2="sophos") returned -1 [0096.688] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bdf8 [0096.688] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x76) returned 0x268be50 [0096.688] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0096.688] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0096.688] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0096.688] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0096.688] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680520 [0096.688] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\SoftwareDistribution\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0096.689] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.689] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 1 [0096.689] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.689] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.689] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 0 [0096.689] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0096.689] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0096.689] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.689] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0096.689] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="...") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="windows") returned -1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="$RECYCLE.BIN") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="rsa") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="NTDETECT.COM") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="ntldr") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="MSDOS.SYS") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="IO.SYS") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="boot.ini") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="AUTOEXEC.BAT") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="ntuser.dat") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="desktop.ini") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="CONFIG.SYS") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="RECYCLER") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="BOOTSECT.BAK") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="bootmgr") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="programdata") returned 1 [0096.689] lstrcmpiW (lpString1="Start Menu", lpString2="appdata") returned 1 [0096.690] lstrcmpiW (lpString1="Start Menu", lpString2="program files") returned 1 [0096.690] lstrcmpiW (lpString1="Start Menu", lpString2="program files (x86)") returned 1 [0096.690] lstrcmpiW (lpString1="Start Menu", lpString2="microsoft") returned 1 [0096.690] lstrcmpiW (lpString1="Start Menu", lpString2="sophos") returned 1 [0096.690] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0096.690] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be50 | out: hHeap=0x2680000) returned 1 [0096.690] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0096.690] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680500 [0096.690] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680548 [0096.690] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Start Menu\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x20000020, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1e00001e, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="", cAlternateFileName="ɛ⊺ĊҸɨ붐ɨ<")) returned 0xffffffff [0096.690] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680548 | out: hHeap=0x2680000) returned 1 [0096.690] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0096.690] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.690] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x7877b7ce, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x7877b7ce, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x7877b7ce, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0096.690] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0096.690] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0096.690] lstrcmpiW (lpString1="Templates", lpString2="...") returned 1 [0096.690] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0096.690] lstrcmpiW (lpString1="Templates", lpString2="$RECYCLE.BIN") returned 1 [0096.690] lstrcmpiW (lpString1="Templates", lpString2="rsa") returned 1 [0096.690] lstrcmpiW (lpString1="Templates", lpString2="NTDETECT.COM") returned 1 [0096.690] lstrcmpiW (lpString1="Templates", lpString2="ntldr") returned 1 [0096.690] lstrcmpiW (lpString1="Templates", lpString2="MSDOS.SYS") returned 1 [0096.690] lstrcmpiW (lpString1="Templates", lpString2="IO.SYS") returned 1 [0096.691] lstrcmpiW (lpString1="Templates", lpString2="boot.ini") returned 1 [0096.691] lstrcmpiW (lpString1="Templates", lpString2="AUTOEXEC.BAT") returned 1 [0096.691] lstrcmpiW (lpString1="Templates", lpString2="ntuser.dat") returned 1 [0096.691] lstrcmpiW (lpString1="Templates", lpString2="desktop.ini") returned 1 [0096.691] lstrcmpiW (lpString1="Templates", lpString2="CONFIG.SYS") returned 1 [0096.691] lstrcmpiW (lpString1="Templates", lpString2="RECYCLER") returned 1 [0096.691] lstrcmpiW (lpString1="Templates", lpString2="BOOTSECT.BAK") returned 1 [0096.691] lstrcmpiW (lpString1="Templates", lpString2="bootmgr") returned 1 [0096.691] lstrcmpiW (lpString1="Templates", lpString2="programdata") returned 1 [0096.691] lstrcmpiW (lpString1="Templates", lpString2="appdata") returned 1 [0096.691] lstrcmpiW (lpString1="Templates", lpString2="program files") returned 1 [0096.691] lstrcmpiW (lpString1="Templates", lpString2="program files (x86)") returned 1 [0096.691] lstrcmpiW (lpString1="Templates", lpString2="microsoft") returned 1 [0096.691] lstrcmpiW (lpString1="Templates", lpString2="sophos") returned 1 [0096.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0096.691] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0096.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680500 [0096.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680548 [0096.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bd90 [0096.691] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\Templates\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x29000029, ftLastAccessTime.dwLowDateTime=0xc31230fe, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x20000020, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="", cAlternateFileName="ɛ⊺ĊԀɨҸɨ:")) returned 0xffffffff [0096.691] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0096.691] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680548 | out: hHeap=0x2680000) returned 1 [0096.691] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0096.691] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1931975, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOPrivate", cAlternateFileName="USOPRI~1")) returned 1 [0096.691] lstrcmpiW (lpString1="USOPrivate", lpString2=".") returned 1 [0096.691] lstrcmpiW (lpString1="USOPrivate", lpString2="..") returned 1 [0096.691] lstrcmpiW (lpString1="USOPrivate", lpString2="...") returned 1 [0096.691] lstrcmpiW (lpString1="USOPrivate", lpString2="windows") returned -1 [0096.691] lstrcmpiW (lpString1="USOPrivate", lpString2="$RECYCLE.BIN") returned 1 [0096.691] lstrcmpiW (lpString1="USOPrivate", lpString2="rsa") returned 1 [0096.691] lstrcmpiW (lpString1="USOPrivate", lpString2="NTDETECT.COM") returned 1 [0096.691] lstrcmpiW (lpString1="USOPrivate", lpString2="ntldr") returned 1 [0096.691] lstrcmpiW (lpString1="USOPrivate", lpString2="MSDOS.SYS") returned 1 [0096.692] lstrcmpiW (lpString1="USOPrivate", lpString2="IO.SYS") returned 1 [0096.692] lstrcmpiW (lpString1="USOPrivate", lpString2="boot.ini") returned 1 [0096.692] lstrcmpiW (lpString1="USOPrivate", lpString2="AUTOEXEC.BAT") returned 1 [0096.692] lstrcmpiW (lpString1="USOPrivate", lpString2="ntuser.dat") returned 1 [0096.692] lstrcmpiW (lpString1="USOPrivate", lpString2="desktop.ini") returned 1 [0096.692] lstrcmpiW (lpString1="USOPrivate", lpString2="CONFIG.SYS") returned 1 [0096.692] lstrcmpiW (lpString1="USOPrivate", lpString2="RECYCLER") returned 1 [0096.692] lstrcmpiW (lpString1="USOPrivate", lpString2="BOOTSECT.BAK") returned 1 [0096.692] lstrcmpiW (lpString1="USOPrivate", lpString2="bootmgr") returned 1 [0096.692] lstrcmpiW (lpString1="USOPrivate", lpString2="programdata") returned 1 [0096.692] lstrcmpiW (lpString1="USOPrivate", lpString2="appdata") returned 1 [0096.692] lstrcmpiW (lpString1="USOPrivate", lpString2="program files") returned 1 [0096.692] lstrcmpiW (lpString1="USOPrivate", lpString2="program files (x86)") returned 1 [0096.692] lstrcmpiW (lpString1="USOPrivate", lpString2="microsoft") returned 1 [0096.692] lstrcmpiW (lpString1="USOPrivate", lpString2="sophos") returned 1 [0096.692] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680500 [0096.692] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.692] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0096.692] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680548 [0096.692] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bd90 [0096.692] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOPrivate\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1931975, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0096.692] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.692] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1931975, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x1931975, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 1 [0096.692] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.692] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.692] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3080a24b, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x3080a24b, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 1 [0096.692] lstrcmpiW (lpString1="UpdateStore", lpString2=".") returned 1 [0096.692] lstrcmpiW (lpString1="UpdateStore", lpString2="..") returned 1 [0096.692] lstrcmpiW (lpString1="UpdateStore", lpString2="...") returned 1 [0096.692] lstrcmpiW (lpString1="UpdateStore", lpString2="windows") returned -1 [0096.692] lstrcmpiW (lpString1="UpdateStore", lpString2="$RECYCLE.BIN") returned 1 [0096.692] lstrcmpiW (lpString1="UpdateStore", lpString2="rsa") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="NTDETECT.COM") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="ntldr") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="MSDOS.SYS") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="IO.SYS") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="boot.ini") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="AUTOEXEC.BAT") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="ntuser.dat") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="desktop.ini") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="CONFIG.SYS") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="RECYCLER") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="BOOTSECT.BAK") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="bootmgr") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="programdata") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="appdata") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="program files") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="program files (x86)") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="microsoft") returned 1 [0096.693] lstrcmpiW (lpString1="UpdateStore", lpString2="sophos") returned 1 [0096.693] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bde8 [0096.693] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0096.693] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268be50 [0096.693] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0096.693] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e350 [0096.693] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3080a24b, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x3080a24b, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0096.693] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.693] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3080a24b, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x3080a24b, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.694] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.694] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.694] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdc9086d4, ftCreationTime.dwHighDateTime=0x1d327b4, ftLastAccessTime.dwLowDateTime=0xdc9086d4, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0xdc9086d4, ftLastWriteTime.dwHighDateTime=0x1d327b4, nFileSizeHigh=0x0, nFileSizeLow=0x1a, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateCspStore.xml", cAlternateFileName="UPDATE~2.XML")) returned 1 [0096.694] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2=".") returned 1 [0096.694] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="..") returned 1 [0096.694] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="...") returned 1 [0096.694] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="windows") returned -1 [0096.694] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="$RECYCLE.BIN") returned 1 [0096.694] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="rsa") returned 1 [0096.694] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="NTDETECT.COM") returned 1 [0096.694] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="ntldr") returned 1 [0096.694] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="MSDOS.SYS") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="IO.SYS") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="boot.ini") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="AUTOEXEC.BAT") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="ntuser.dat") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="desktop.ini") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="CONFIG.SYS") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="RECYCLER") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="BOOTSECT.BAK") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="bootmgr") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="programdata") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="appdata") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="program files") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="program files (x86)") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="microsoft") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="sophos") returned 1 [0096.695] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e3b8 [0096.695] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0096.695] PathFindExtensionW (pszPath="UpdateCspStore.xml") returned=".xml" [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0096.695] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0096.695] lstrcmpiW (lpString1="UpdateCspStore.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.696] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e440 [0096.696] CreateFileW (lpFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\UpdateCspStore.xml" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatecspstore.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.736] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=26) returned 1 [0096.736] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.736] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0096.736] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.736] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0096.736] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0096.736] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ee0 [0096.736] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.736] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ee0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ee0*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.737] GetTickCount () returned 0x1159612 [0096.737] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268bd90 [0096.737] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0096.737] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.737] SetLastError (dwErrCode=0x0) [0096.737] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.738] GetLastError () returned 0x0 [0096.738] GetLastError () returned 0x0 [0096.738] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x11a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.738] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ee0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.738] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x21a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.738] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34a70f25, dwHighDateTime=0x1d5f971)) [0096.738] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0096.738] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0096.739] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.739] GetProcessHeap () returned 0xbc0000 [0096.739] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1a) returned 0xbdd1d0 [0096.739] GetSystemDefaultLangID () returned 0xbd0409 [0096.739] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.739] ReadFile (in: hFile=0x270, lpBuffer=0xbdd1d0, nNumberOfBytesToRead=0x1a, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbdd1d0*, lpNumberOfBytesRead=0x25be7fc*=0x1a, lpOverlapped=0x0) returned 1 [0096.739] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.739] WriteFile (in: hFile=0x270, lpBuffer=0xbdd1d0*, nNumberOfBytesToWrite=0x1a, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbdd1d0*, lpNumberOfBytesWritten=0x25be7f0*=0x1a, lpOverlapped=0x0) returned 1 [0096.739] GetProcessHeap () returned 0xbc0000 [0096.739] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbdd1d0 | out: hHeap=0xbc0000) returned 1 [0096.739] CloseHandle (hObject=0x270) returned 1 [0096.740] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0096.740] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ee0 | out: hHeap=0x2680000) returned 1 [0096.740] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.740] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0096.740] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e4c8 [0096.740] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\UpdateCspStore.xml" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatecspstore.xml"), lpNewFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\UpdateCspStore.xml.NEFILIM" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatecspstore.xml.nefilim")) returned 1 [0096.741] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0096.741] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e440 | out: hHeap=0x2680000) returned 1 [0096.741] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1957bdd, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x302f926d, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x306b2f38, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x52d, dwReserved0=0x0, dwReserved1=0x0, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", cAlternateFileName="UPDATE~1.XML")) returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2=".") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="..") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="...") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="windows") returned -1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="$RECYCLE.BIN") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="rsa") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="NTDETECT.COM") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="ntldr") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="MSDOS.SYS") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="IO.SYS") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="boot.ini") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="AUTOEXEC.BAT") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="ntuser.dat") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="desktop.ini") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="CONFIG.SYS") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="RECYCLER") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="BOOTSECT.BAK") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="bootmgr") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="programdata") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="appdata") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="program files") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="program files (x86)") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="microsoft") returned 1 [0096.741] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="sophos") returned 1 [0096.741] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e440 [0096.742] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3b8 | out: hHeap=0x2680000) returned 1 [0096.742] PathFindExtensionW (pszPath="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml") returned=".xml" [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0096.742] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0096.742] lstrcmpiW (lpString1="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.742] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268e350 [0096.742] CreateFileW (lpFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.742] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=1325) returned 1 [0096.742] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0096.742] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.742] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0096.742] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.742] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0096.743] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0096.743] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.744] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.745] GetTickCount () returned 0x1159612 [0096.745] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268bd90 [0096.745] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0096.745] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x52d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.745] SetLastError (dwErrCode=0x0) [0096.745] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.746] GetLastError () returned 0x0 [0096.746] GetLastError () returned 0x0 [0096.746] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x62d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.746] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.746] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x72d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.746] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34a70f25, dwHighDateTime=0x1d5f971)) [0096.746] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0096.746] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0096.746] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.746] GetProcessHeap () returned 0xbc0000 [0096.746] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x52d) returned 0xbe3f48 [0096.746] GetSystemDefaultLangID () returned 0xbd0409 [0096.746] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.746] ReadFile (in: hFile=0x270, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x52d, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25be7fc*=0x52d, lpOverlapped=0x0) returned 1 [0096.746] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.746] WriteFile (in: hFile=0x270, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x52d, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25be7f0*=0x52d, lpOverlapped=0x0) returned 1 [0096.746] GetProcessHeap () returned 0xbc0000 [0096.746] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0096.746] CloseHandle (hObject=0x270) returned 1 [0096.747] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0096.747] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0096.747] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0096.747] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.747] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd0) returned 0x268e508 [0096.747] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml"), lpNewFileName="C:\\Users\\All Users\\USOPrivate\\UpdateStore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.NEFILIM" (normalized: "c:\\users\\all users\\usoprivate\\updatestore\\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml.nefilim")) returned 1 [0096.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e508 | out: hHeap=0x2680000) returned 1 [0096.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0096.748] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1957bdd, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x302f926d, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x306b2f38, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x52d, dwReserved0=0x0, dwReserved1=0x0, cFileName="updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml", cAlternateFileName="UPDATE~1.XML")) returned 0 [0096.748] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0096.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e440 | out: hHeap=0x2680000) returned 1 [0096.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be50 | out: hHeap=0x2680000) returned 1 [0096.748] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1931975, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x3080a24b, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x3080a24b, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="UpdateStore", cAlternateFileName="UPDATE~1")) returned 0 [0096.748] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0096.752] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bde8 | out: hHeap=0x2680000) returned 1 [0096.752] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680548 | out: hHeap=0x2680000) returned 1 [0096.752] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0096.752] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ade3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="USOShared", cAlternateFileName="USOSHA~1")) returned 1 [0096.752] lstrcmpiW (lpString1="USOShared", lpString2=".") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="..") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="...") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="windows") returned -1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="$RECYCLE.BIN") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="rsa") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="NTDETECT.COM") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="ntldr") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="MSDOS.SYS") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="IO.SYS") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="boot.ini") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="AUTOEXEC.BAT") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="ntuser.dat") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="desktop.ini") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="CONFIG.SYS") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="RECYCLER") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="BOOTSECT.BAK") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="bootmgr") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="programdata") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="appdata") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="program files") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="program files (x86)") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="microsoft") returned 1 [0096.753] lstrcmpiW (lpString1="USOShared", lpString2="sophos") returned 1 [0096.753] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0096.753] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0096.753] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680500 [0096.753] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680548 [0096.753] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bd90 [0096.753] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOShared\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ade3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName=".", cAlternateFileName="")) returned 0xbe2988 [0096.754] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.754] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa4ade3, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0xa4ade3, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 1 [0096.754] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.754] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.754] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x21006ce2, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x21006ce2, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="Logs", cAlternateFileName="")) returned 1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2=".") returned 1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="..") returned 1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="...") returned 1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="windows") returned -1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="$RECYCLE.BIN") returned 1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="rsa") returned -1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="NTDETECT.COM") returned -1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="ntldr") returned -1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="MSDOS.SYS") returned -1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="IO.SYS") returned 1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="boot.ini") returned 1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="AUTOEXEC.BAT") returned 1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="ntuser.dat") returned -1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="desktop.ini") returned 1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="CONFIG.SYS") returned 1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="RECYCLER") returned -1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="BOOTSECT.BAK") returned 1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="bootmgr") returned 1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="programdata") returned -1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="appdata") returned 1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="program files") returned -1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="program files (x86)") returned -1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="microsoft") returned -1 [0096.754] lstrcmpiW (lpString1="Logs", lpString2="sophos") returned -1 [0096.754] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bde8 [0096.754] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0096.754] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bd90 [0096.754] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268be40 [0096.754] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0096.754] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x21006ce2, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x21006ce2, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0096.755] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0096.755] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x21006ce2, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x21006ce2, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0096.756] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0096.756] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0096.756] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cf76e0, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x58d51fd9, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0x597705f5, ftLastWriteTime.dwHighDateTime=0x1d336de, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUx.001.etl", cAlternateFileName="NOBE5B~1.ETL")) returned 1 [0096.756] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2=".") returned 1 [0096.756] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="..") returned 1 [0096.756] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="...") returned 1 [0096.756] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="windows") returned -1 [0096.756] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="$RECYCLE.BIN") returned 1 [0096.756] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="rsa") returned -1 [0096.756] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="NTDETECT.COM") returned -1 [0096.756] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="ntldr") returned -1 [0096.756] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="MSDOS.SYS") returned 1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="IO.SYS") returned 1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="boot.ini") returned 1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="AUTOEXEC.BAT") returned 1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="ntuser.dat") returned -1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="desktop.ini") returned 1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="CONFIG.SYS") returned 1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="RECYCLER") returned -1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="BOOTSECT.BAK") returned 1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="bootmgr") returned 1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="programdata") returned -1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="appdata") returned 1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="program files") returned -1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="program files (x86)") returned -1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="microsoft") returned 1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="sophos") returned -1 [0096.757] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e340 [0096.757] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.757] PathFindExtensionW (pszPath="NotificationUx.001.etl") returned=".etl" [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0096.757] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0096.757] lstrcmpiW (lpString1="NotificationUx.001.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.757] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e3c8 [0096.757] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUx.001.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationux.001.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.758] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0096.758] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.758] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0096.758] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.758] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0096.758] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0096.758] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0096.758] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.760] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.761] GetTickCount () returned 0x1159622 [0096.761] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268be98 [0096.761] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be98 | out: hHeap=0x2680000) returned 1 [0096.761] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.761] SetLastError (dwErrCode=0x0) [0096.761] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.762] GetLastError () returned 0x0 [0096.762] GetLastError () returned 0x0 [0096.762] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.762] WriteFile (in: hFile=0x270, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.762] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.762] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34a9714a, dwHighDateTime=0x1d5f971)) [0096.762] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e2e8 [0096.762] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.762] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.762] GetProcessHeap () returned 0xbc0000 [0096.762] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0096.762] GetSystemDefaultLangID () returned 0xbd0409 [0096.762] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.762] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0096.764] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.764] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0096.764] GetProcessHeap () returned 0xbc0000 [0096.764] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0096.764] CloseHandle (hObject=0x270) returned 1 [0096.765] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0096.765] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0096.765] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.765] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0096.765] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e450 [0096.765] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUx.001.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationux.001.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUx.001.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationux.001.etl.nefilim")) returned 1 [0096.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e450 | out: hHeap=0x2680000) returned 1 [0096.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3c8 | out: hHeap=0x2680000) returned 1 [0096.769] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7cf76e0, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x7cf76e0, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0x852e502, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUx.002.etl", cAlternateFileName="NOTIFI~2.ETL")) returned 1 [0096.769] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2=".") returned 1 [0096.769] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="..") returned 1 [0096.769] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="...") returned 1 [0096.769] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="windows") returned -1 [0096.769] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="$RECYCLE.BIN") returned 1 [0096.769] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="rsa") returned -1 [0096.769] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="NTDETECT.COM") returned -1 [0096.769] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="ntldr") returned -1 [0096.769] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="MSDOS.SYS") returned 1 [0096.769] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="IO.SYS") returned 1 [0096.769] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="boot.ini") returned 1 [0096.769] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="AUTOEXEC.BAT") returned 1 [0096.769] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="ntuser.dat") returned -1 [0096.770] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="desktop.ini") returned 1 [0096.770] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="CONFIG.SYS") returned 1 [0096.770] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="RECYCLER") returned -1 [0096.770] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="BOOTSECT.BAK") returned 1 [0096.770] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="bootmgr") returned 1 [0096.770] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="programdata") returned -1 [0096.770] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="appdata") returned 1 [0096.770] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="program files") returned -1 [0096.770] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="program files (x86)") returned -1 [0096.770] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="microsoft") returned 1 [0096.770] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="sophos") returned -1 [0096.770] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e3c8 [0096.770] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0096.770] PathFindExtensionW (pszPath="NotificationUx.002.etl") returned=".etl" [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0096.770] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0096.770] lstrcmpiW (lpString1="NotificationUx.002.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.770] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0096.770] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUx.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationux.002.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.771] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0096.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0096.771] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.771] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0096.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0096.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0096.771] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.772] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.773] GetTickCount () returned 0x1159631 [0096.773] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268be98 [0096.773] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be98 | out: hHeap=0x2680000) returned 1 [0096.773] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.773] SetLastError (dwErrCode=0x0) [0096.773] WriteFile (in: hFile=0x270, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.774] GetLastError () returned 0x0 [0096.774] GetLastError () returned 0x0 [0096.774] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.774] WriteFile (in: hFile=0x270, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.774] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.774] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34abd2fd, dwHighDateTime=0x1d5f971)) [0096.774] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e370 [0096.774] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0096.774] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.774] GetProcessHeap () returned 0xbc0000 [0096.774] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0096.775] GetSystemDefaultLangID () returned 0xbd0409 [0096.775] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.775] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0096.831] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.831] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0096.831] GetProcessHeap () returned 0xbc0000 [0096.831] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0096.831] CloseHandle (hObject=0x270) returned 1 [0096.832] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0096.832] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0096.832] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.832] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0096.832] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e450 [0096.832] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUx.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationux.002.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUx.002.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationux.002.etl.nefilim")) returned 1 [0096.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e450 | out: hHeap=0x2680000) returned 1 [0096.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.833] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x2d822f20, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0x2efd472c, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.001.etl", cAlternateFileName="NO604C~1.ETL")) returned 1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2=".") returned 1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="..") returned 1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="...") returned 1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="windows") returned -1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="$RECYCLE.BIN") returned 1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="rsa") returned -1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="NTDETECT.COM") returned -1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="ntldr") returned -1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="MSDOS.SYS") returned 1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="IO.SYS") returned 1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="boot.ini") returned 1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="AUTOEXEC.BAT") returned 1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="ntuser.dat") returned -1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="desktop.ini") returned 1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="CONFIG.SYS") returned 1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="RECYCLER") returned -1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="BOOTSECT.BAK") returned 1 [0096.833] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="bootmgr") returned 1 [0096.834] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="programdata") returned -1 [0096.834] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="appdata") returned 1 [0096.834] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="program files") returned -1 [0096.834] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="program files (x86)") returned -1 [0096.834] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="microsoft") returned 1 [0096.834] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="sophos") returned -1 [0096.834] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0096.834] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3c8 | out: hHeap=0x2680000) returned 1 [0096.834] PathFindExtensionW (pszPath="NotificationUxBroker.001.etl") returned=".etl" [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0096.834] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0096.834] lstrcmpiW (lpString1="NotificationUxBroker.001.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.834] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0096.834] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.001.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.001.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.837] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0096.838] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0096.838] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.838] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0096.838] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.838] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0096.838] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0096.838] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.839] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.840] GetTickCount () returned 0x1159670 [0096.840] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268be98 [0096.840] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be98 | out: hHeap=0x2680000) returned 1 [0096.840] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.840] SetLastError (dwErrCode=0x0) [0096.840] WriteFile (in: hFile=0x270, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.841] GetLastError () returned 0x0 [0096.841] GetLastError () returned 0x0 [0096.841] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.841] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.841] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.841] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34b55f36, dwHighDateTime=0x1d5f971)) [0096.841] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e3f8 [0096.841] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0096.842] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.842] GetProcessHeap () returned 0xbc0000 [0096.842] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0096.842] GetSystemDefaultLangID () returned 0xbd0409 [0096.842] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.842] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0096.843] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.843] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0096.843] GetProcessHeap () returned 0xbc0000 [0096.843] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0096.843] CloseHandle (hObject=0x270) returned 1 [0096.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0096.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0096.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0096.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.844] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e3f8 [0096.845] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.001.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.001.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.001.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.001.etl.nefilim")) returned 1 [0096.845] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0096.845] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0096.845] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xfe554d51, ftLastAccessTime.dwHighDateTime=0x1d3375a, ftLastWriteTime.dwLowDateTime=0xfe782447, ftLastWriteTime.dwHighDateTime=0x1d3375a, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.002.etl", cAlternateFileName="NO8BA4~1.ETL")) returned 1 [0096.845] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2=".") returned 1 [0096.845] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="..") returned 1 [0096.845] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="...") returned 1 [0096.845] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="windows") returned -1 [0096.845] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="$RECYCLE.BIN") returned 1 [0096.845] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="rsa") returned -1 [0096.845] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="NTDETECT.COM") returned -1 [0096.845] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="ntldr") returned -1 [0096.845] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="MSDOS.SYS") returned 1 [0096.845] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="IO.SYS") returned 1 [0096.846] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="boot.ini") returned 1 [0096.846] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="AUTOEXEC.BAT") returned 1 [0096.846] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="ntuser.dat") returned -1 [0096.846] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="desktop.ini") returned 1 [0096.846] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="CONFIG.SYS") returned 1 [0096.846] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="RECYCLER") returned -1 [0096.846] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="BOOTSECT.BAK") returned 1 [0096.846] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="bootmgr") returned 1 [0096.846] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="programdata") returned -1 [0096.846] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="appdata") returned 1 [0096.846] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="program files") returned -1 [0096.846] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="program files (x86)") returned -1 [0096.846] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="microsoft") returned 1 [0096.846] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="sophos") returned -1 [0096.846] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0096.846] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.846] PathFindExtensionW (pszPath="NotificationUxBroker.002.etl") returned=".etl" [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0096.846] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0096.846] lstrcmpiW (lpString1="NotificationUxBroker.002.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.846] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0096.847] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.002.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.848] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0096.848] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.848] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0096.848] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.848] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0096.848] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0096.848] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0096.848] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.849] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.849] GetTickCount () returned 0x1159680 [0096.849] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268be98 [0096.849] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be98 | out: hHeap=0x2680000) returned 1 [0096.849] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.849] SetLastError (dwErrCode=0x0) [0096.849] WriteFile (in: hFile=0x270, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.850] GetLastError () returned 0x0 [0096.850] GetLastError () returned 0x0 [0096.850] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.850] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.850] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.850] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34b7bfdd, dwHighDateTime=0x1d5f971)) [0096.850] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e3f8 [0096.850] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0096.850] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.850] GetProcessHeap () returned 0xbc0000 [0096.850] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0096.850] GetSystemDefaultLangID () returned 0xbd0409 [0096.850] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.850] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0096.851] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.851] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0096.852] GetProcessHeap () returned 0xbc0000 [0096.852] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0096.852] CloseHandle (hObject=0x270) returned 1 [0096.853] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0096.853] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0096.853] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.853] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0096.853] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e3f8 [0096.853] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.002.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.002.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.002.etl.nefilim")) returned 1 [0096.853] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0096.853] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.853] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xfdf01be1, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xfdfc06a7, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.003.etl", cAlternateFileName="NO3670~1.ETL")) returned 1 [0096.853] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2=".") returned 1 [0096.853] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="..") returned 1 [0096.853] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="...") returned 1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="windows") returned -1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="$RECYCLE.BIN") returned 1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="rsa") returned -1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="NTDETECT.COM") returned -1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="ntldr") returned -1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="MSDOS.SYS") returned 1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="IO.SYS") returned 1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="boot.ini") returned 1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="AUTOEXEC.BAT") returned 1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="ntuser.dat") returned -1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="desktop.ini") returned 1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="CONFIG.SYS") returned 1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="RECYCLER") returned -1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="BOOTSECT.BAK") returned 1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="bootmgr") returned 1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="programdata") returned -1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="appdata") returned 1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="program files") returned -1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="program files (x86)") returned -1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="microsoft") returned 1 [0096.854] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="sophos") returned -1 [0096.854] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0096.854] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0096.854] PathFindExtensionW (pszPath="NotificationUxBroker.003.etl") returned=".etl" [0096.854] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0096.854] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0096.854] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0096.854] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0096.854] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0096.854] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0096.854] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0096.854] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0096.854] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0096.854] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0096.854] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0096.855] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0096.855] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0096.855] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0096.855] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0096.855] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0096.855] lstrcmpiW (lpString1="NotificationUxBroker.003.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.855] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0096.855] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.003.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.003.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.855] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0096.855] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0096.855] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.855] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0096.855] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.855] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0096.855] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0096.855] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.855] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.856] GetTickCount () returned 0x1159680 [0096.856] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268be98 [0096.856] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be98 | out: hHeap=0x2680000) returned 1 [0096.856] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.857] SetLastError (dwErrCode=0x0) [0096.857] WriteFile (in: hFile=0x270, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.857] GetLastError () returned 0x0 [0096.857] GetLastError () returned 0x0 [0096.857] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.858] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.858] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.858] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34ba228e, dwHighDateTime=0x1d5f971)) [0096.858] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e3f8 [0096.859] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0096.859] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.859] GetProcessHeap () returned 0xbc0000 [0096.859] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0096.859] GetSystemDefaultLangID () returned 0xbd0409 [0096.859] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.859] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0096.884] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.884] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0096.884] GetProcessHeap () returned 0xbc0000 [0096.885] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0096.885] CloseHandle (hObject=0x270) returned 1 [0096.885] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0096.885] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0096.885] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0096.885] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.885] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e3f8 [0096.886] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.003.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.003.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.003.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.003.etl.nefilim")) returned 1 [0096.886] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0096.886] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0096.886] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x588b3c6a, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0x59ae67c8, ftLastWriteTime.dwHighDateTime=0x1d336de, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.004.etl", cAlternateFileName="NO2FB3~1.ETL")) returned 1 [0096.886] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2=".") returned 1 [0096.886] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="..") returned 1 [0096.886] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="...") returned 1 [0096.886] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="windows") returned -1 [0096.886] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="$RECYCLE.BIN") returned 1 [0096.886] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="rsa") returned -1 [0096.886] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="NTDETECT.COM") returned -1 [0096.886] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="ntldr") returned -1 [0096.886] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="MSDOS.SYS") returned 1 [0096.886] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="IO.SYS") returned 1 [0096.886] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="boot.ini") returned 1 [0096.887] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="AUTOEXEC.BAT") returned 1 [0096.887] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="ntuser.dat") returned -1 [0096.887] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="desktop.ini") returned 1 [0096.887] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="CONFIG.SYS") returned 1 [0096.887] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="RECYCLER") returned -1 [0096.887] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="BOOTSECT.BAK") returned 1 [0096.887] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="bootmgr") returned 1 [0096.887] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="programdata") returned -1 [0096.887] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="appdata") returned 1 [0096.887] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="program files") returned -1 [0096.887] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="program files (x86)") returned -1 [0096.887] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="microsoft") returned 1 [0096.887] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="sophos") returned -1 [0096.887] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0096.887] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.887] PathFindExtensionW (pszPath="NotificationUxBroker.004.etl") returned=".etl" [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0096.887] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0096.887] lstrcmpiW (lpString1="NotificationUxBroker.004.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.887] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0096.887] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.004.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.004.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.888] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0096.888] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.888] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0096.888] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.888] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0096.888] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0096.888] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0096.888] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.889] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.890] GetTickCount () returned 0x11596ae [0096.890] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268be98 [0096.890] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be98 | out: hHeap=0x2680000) returned 1 [0096.890] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.890] SetLastError (dwErrCode=0x0) [0096.890] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.891] GetLastError () returned 0x0 [0096.891] GetLastError () returned 0x0 [0096.891] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.891] WriteFile (in: hFile=0x270, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.892] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.892] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34bee6c2, dwHighDateTime=0x1d5f971)) [0096.892] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e3f8 [0096.892] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0096.892] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.892] GetProcessHeap () returned 0xbc0000 [0096.892] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0096.892] GetSystemDefaultLangID () returned 0xbd0409 [0096.892] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.892] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0096.959] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.959] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0096.959] GetProcessHeap () returned 0xbc0000 [0096.959] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0096.959] CloseHandle (hObject=0x270) returned 1 [0096.960] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0096.961] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0096.961] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.961] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0096.961] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e3f8 [0096.961] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.004.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.004.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.004.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.004.etl.nefilim")) returned 1 [0096.961] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0096.961] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.961] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xb4b94410, ftLastAccessTime.dwHighDateTime=0x1d336d7, ftLastWriteTime.dwLowDateTime=0xb50917ed, ftLastWriteTime.dwHighDateTime=0x1d336d7, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.005.etl", cAlternateFileName="NO74F7~1.ETL")) returned 1 [0096.961] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2=".") returned 1 [0096.961] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="..") returned 1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="...") returned 1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="windows") returned -1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="$RECYCLE.BIN") returned 1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="rsa") returned -1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="NTDETECT.COM") returned -1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="ntldr") returned -1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="MSDOS.SYS") returned 1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="IO.SYS") returned 1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="boot.ini") returned 1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="AUTOEXEC.BAT") returned 1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="ntuser.dat") returned -1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="desktop.ini") returned 1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="CONFIG.SYS") returned 1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="RECYCLER") returned -1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="BOOTSECT.BAK") returned 1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="bootmgr") returned 1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="programdata") returned -1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="appdata") returned 1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="program files") returned -1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="program files (x86)") returned -1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="microsoft") returned 1 [0096.962] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="sophos") returned -1 [0096.962] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0096.962] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0096.962] PathFindExtensionW (pszPath="NotificationUxBroker.005.etl") returned=".etl" [0096.962] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0096.962] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0096.962] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0096.962] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0096.962] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0096.962] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0096.962] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0096.962] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0096.962] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0096.963] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0096.963] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0096.963] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0096.963] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0096.963] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0096.963] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0096.963] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0096.963] lstrcmpiW (lpString1="NotificationUxBroker.005.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.963] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0096.963] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.005.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.005.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.967] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0096.967] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0096.967] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.967] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0096.967] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.967] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0096.967] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0096.967] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.967] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.968] GetTickCount () returned 0x11596fd [0096.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268be98 [0096.968] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be98 | out: hHeap=0x2680000) returned 1 [0096.968] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.968] SetLastError (dwErrCode=0x0) [0096.968] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.969] GetLastError () returned 0x0 [0096.969] GetLastError () returned 0x0 [0096.969] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.969] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.969] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.969] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34cad3c6, dwHighDateTime=0x1d5f971)) [0096.969] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e3f8 [0096.969] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0096.969] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.969] GetProcessHeap () returned 0xbc0000 [0096.969] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0096.969] GetSystemDefaultLangID () returned 0xbd0409 [0096.969] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.969] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0096.971] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.971] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0096.971] GetProcessHeap () returned 0xbc0000 [0096.971] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0096.971] CloseHandle (hObject=0x270) returned 1 [0096.972] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0096.972] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0096.972] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0096.972] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.972] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e3f8 [0096.972] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.005.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.005.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.005.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.005.etl.nefilim")) returned 1 [0096.973] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0096.973] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0096.973] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x86d6bb14, ftLastAccessTime.dwHighDateTime=0x1d336d7, ftLastWriteTime.dwLowDateTime=0x8728eea2, ftLastWriteTime.dwHighDateTime=0x1d336d7, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.006.etl", cAlternateFileName="NOC92C~1.ETL")) returned 1 [0096.973] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2=".") returned 1 [0096.973] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="..") returned 1 [0096.973] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="...") returned 1 [0096.973] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="windows") returned -1 [0096.973] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="$RECYCLE.BIN") returned 1 [0096.973] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="rsa") returned -1 [0096.973] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="NTDETECT.COM") returned -1 [0096.973] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="ntldr") returned -1 [0096.973] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="MSDOS.SYS") returned 1 [0096.973] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="IO.SYS") returned 1 [0096.973] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="boot.ini") returned 1 [0096.973] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="AUTOEXEC.BAT") returned 1 [0096.973] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="ntuser.dat") returned -1 [0096.974] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="desktop.ini") returned 1 [0096.974] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="CONFIG.SYS") returned 1 [0096.974] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="RECYCLER") returned -1 [0096.974] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="BOOTSECT.BAK") returned 1 [0096.974] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="bootmgr") returned 1 [0096.974] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="programdata") returned -1 [0096.974] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="appdata") returned 1 [0096.974] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="program files") returned -1 [0096.974] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="program files (x86)") returned -1 [0096.974] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="microsoft") returned 1 [0096.974] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="sophos") returned -1 [0096.974] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0096.974] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.974] PathFindExtensionW (pszPath="NotificationUxBroker.006.etl") returned=".etl" [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0096.974] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0096.974] lstrcmpiW (lpString1="NotificationUxBroker.006.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.974] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0096.974] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.006.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.006.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.975] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0096.975] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.975] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0096.975] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.975] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0096.975] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0096.975] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0096.975] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.975] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.976] GetTickCount () returned 0x11596fd [0096.976] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268be98 [0096.976] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be98 | out: hHeap=0x2680000) returned 1 [0096.976] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.976] SetLastError (dwErrCode=0x0) [0096.976] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.977] GetLastError () returned 0x0 [0096.977] GetLastError () returned 0x0 [0096.977] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.977] WriteFile (in: hFile=0x270, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.978] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.978] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34cad3c6, dwHighDateTime=0x1d5f971)) [0096.978] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e3f8 [0096.978] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0096.978] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.978] GetProcessHeap () returned 0xbc0000 [0096.978] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0096.979] GetSystemDefaultLangID () returned 0xbd0409 [0096.979] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.979] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0096.980] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.980] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0096.980] GetProcessHeap () returned 0xbc0000 [0096.980] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0096.980] CloseHandle (hObject=0x270) returned 1 [0096.985] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0096.985] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0096.985] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0096.985] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0096.985] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e3f8 [0096.985] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.006.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.006.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.006.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.006.etl.nefilim")) returned 1 [0096.986] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0096.986] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0096.986] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xe7f77c60, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xebc8ba4e, ftLastWriteTime.dwHighDateTime=0x1d336d6, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.007.etl", cAlternateFileName="NOAEB3~1.ETL")) returned 1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2=".") returned 1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="..") returned 1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="...") returned 1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="windows") returned -1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="$RECYCLE.BIN") returned 1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="rsa") returned -1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="NTDETECT.COM") returned -1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="ntldr") returned -1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="MSDOS.SYS") returned 1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="IO.SYS") returned 1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="boot.ini") returned 1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="AUTOEXEC.BAT") returned 1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="ntuser.dat") returned -1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="desktop.ini") returned 1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="CONFIG.SYS") returned 1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="RECYCLER") returned -1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="BOOTSECT.BAK") returned 1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="bootmgr") returned 1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="programdata") returned -1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="appdata") returned 1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="program files") returned -1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="program files (x86)") returned -1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="microsoft") returned 1 [0096.986] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="sophos") returned -1 [0096.986] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0096.987] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0096.987] PathFindExtensionW (pszPath="NotificationUxBroker.007.etl") returned=".etl" [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0096.987] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0096.987] lstrcmpiW (lpString1="NotificationUxBroker.007.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0096.987] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0096.987] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.007.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.007.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0096.988] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0096.988] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0096.989] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0096.989] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0096.989] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0096.989] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0096.989] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0096.989] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be798*=0x100) returned 1 [0096.990] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25be794*=0x100) returned 1 [0096.991] GetTickCount () returned 0x115970c [0096.991] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268be98 [0096.991] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be98 | out: hHeap=0x2680000) returned 1 [0096.991] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.991] SetLastError (dwErrCode=0x0) [0096.991] WriteFile (in: hFile=0x270, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.992] GetLastError () returned 0x0 [0096.992] GetLastError () returned 0x0 [0096.992] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.992] WriteFile (in: hFile=0x270, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0096.992] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.992] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34cd86ed, dwHighDateTime=0x1d5f971)) [0096.992] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e3f8 [0096.992] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0096.992] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0096.992] GetProcessHeap () returned 0xbc0000 [0096.992] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0096.992] GetSystemDefaultLangID () returned 0xbd0409 [0096.993] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0096.993] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.058] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.058] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.058] GetProcessHeap () returned 0xbc0000 [0097.058] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.058] CloseHandle (hObject=0x270) returned 1 [0097.059] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0097.059] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0097.059] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0097.059] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0097.059] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e3f8 [0097.059] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.007.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.007.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.007.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.007.etl.nefilim")) returned 1 [0097.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0097.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0097.060] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xe1017621, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0xe10d621a, ftLastWriteTime.dwHighDateTime=0x1d327e8, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.008.etl", cAlternateFileName="NO6494~1.ETL")) returned 1 [0097.060] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2=".") returned 1 [0097.060] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="..") returned 1 [0097.060] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="...") returned 1 [0097.060] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="windows") returned -1 [0097.060] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.060] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="rsa") returned -1 [0097.060] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="NTDETECT.COM") returned -1 [0097.060] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="ntldr") returned -1 [0097.060] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="MSDOS.SYS") returned 1 [0097.060] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="IO.SYS") returned 1 [0097.060] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="boot.ini") returned 1 [0097.060] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.060] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="ntuser.dat") returned -1 [0097.061] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="desktop.ini") returned 1 [0097.061] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="CONFIG.SYS") returned 1 [0097.061] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="RECYCLER") returned -1 [0097.061] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.061] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="bootmgr") returned 1 [0097.061] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="programdata") returned -1 [0097.061] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="appdata") returned 1 [0097.061] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="program files") returned -1 [0097.061] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="program files (x86)") returned -1 [0097.061] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="microsoft") returned 1 [0097.061] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="sophos") returned -1 [0097.061] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0097.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.062] PathFindExtensionW (pszPath="NotificationUxBroker.008.etl") returned=".etl" [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.062] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.062] lstrcmpiW (lpString1="NotificationUxBroker.008.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.062] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0097.062] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.008.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.008.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.062] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.062] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0097.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.063] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0097.063] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0097.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0097.063] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.063] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.063] GetTickCount () returned 0x115975a [0097.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268be98 [0097.063] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be98 | out: hHeap=0x2680000) returned 1 [0097.063] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.063] SetLastError (dwErrCode=0x0) [0097.063] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.064] GetLastError () returned 0x0 [0097.065] GetLastError () returned 0x0 [0097.065] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.065] WriteFile (in: hFile=0x270, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.065] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.065] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34d923a1, dwHighDateTime=0x1d5f971)) [0097.065] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e3f8 [0097.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0097.065] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.065] GetProcessHeap () returned 0xbc0000 [0097.065] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.065] GetSystemDefaultLangID () returned 0xbd0409 [0097.065] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.065] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.066] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.066] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.066] GetProcessHeap () returned 0xbc0000 [0097.066] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.066] CloseHandle (hObject=0x270) returned 1 [0097.067] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0097.067] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0097.067] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0097.067] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.067] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e3f8 [0097.067] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.008.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.008.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.008.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.008.etl.nefilim")) returned 1 [0097.068] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0097.068] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.068] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x2fb7ebe4, ftLastAccessTime.dwHighDateTime=0x1d327d1, ftLastWriteTime.dwLowDateTime=0x2fc89ca0, ftLastWriteTime.dwHighDateTime=0x1d327d1, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.009.etl", cAlternateFileName="NO492C~1.ETL")) returned 1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2=".") returned 1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="..") returned 1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="...") returned 1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="windows") returned -1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="rsa") returned -1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="NTDETECT.COM") returned -1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="ntldr") returned -1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="MSDOS.SYS") returned 1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="IO.SYS") returned 1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="boot.ini") returned 1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="ntuser.dat") returned -1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="desktop.ini") returned 1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="CONFIG.SYS") returned 1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="RECYCLER") returned -1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="bootmgr") returned 1 [0097.068] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="programdata") returned -1 [0097.069] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="appdata") returned 1 [0097.069] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="program files") returned -1 [0097.069] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="program files (x86)") returned -1 [0097.069] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="microsoft") returned 1 [0097.069] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="sophos") returned -1 [0097.069] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0097.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0097.069] PathFindExtensionW (pszPath="NotificationUxBroker.009.etl") returned=".etl" [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.069] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.069] lstrcmpiW (lpString1="NotificationUxBroker.009.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.069] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0097.069] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.009.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.009.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.070] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0097.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.070] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0097.070] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0097.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0097.070] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.070] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.071] GetTickCount () returned 0x115975a [0097.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268be98 [0097.071] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be98 | out: hHeap=0x2680000) returned 1 [0097.071] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.071] SetLastError (dwErrCode=0x0) [0097.071] WriteFile (in: hFile=0x270, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.072] GetLastError () returned 0x0 [0097.072] GetLastError () returned 0x0 [0097.072] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.072] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.072] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.072] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34d923a1, dwHighDateTime=0x1d5f971)) [0097.072] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e3f8 [0097.072] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0097.072] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.072] GetProcessHeap () returned 0xbc0000 [0097.073] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.073] GetSystemDefaultLangID () returned 0xbd0409 [0097.073] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.073] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.075] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.075] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.075] GetProcessHeap () returned 0xbc0000 [0097.075] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.075] CloseHandle (hObject=0x270) returned 1 [0097.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0097.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0097.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0097.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.081] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e3f8 [0097.082] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.009.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.009.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.009.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.009.etl.nefilim")) returned 1 [0097.082] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f8 | out: hHeap=0x2680000) returned 1 [0097.082] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0097.082] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xd855139b, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xd87b395e, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.010.etl", cAlternateFileName="NO0EF1~1.ETL")) returned 1 [0097.082] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2=".") returned 1 [0097.082] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="..") returned 1 [0097.082] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="...") returned 1 [0097.082] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="windows") returned -1 [0097.082] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.082] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="rsa") returned -1 [0097.082] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="NTDETECT.COM") returned -1 [0097.082] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="ntldr") returned -1 [0097.082] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="MSDOS.SYS") returned 1 [0097.083] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="IO.SYS") returned 1 [0097.083] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="boot.ini") returned 1 [0097.083] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.083] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="ntuser.dat") returned -1 [0097.083] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="desktop.ini") returned 1 [0097.083] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="CONFIG.SYS") returned 1 [0097.083] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="RECYCLER") returned -1 [0097.083] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.083] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="bootmgr") returned 1 [0097.083] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="programdata") returned -1 [0097.083] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="appdata") returned 1 [0097.083] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="program files") returned -1 [0097.083] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="program files (x86)") returned -1 [0097.083] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="microsoft") returned 1 [0097.083] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="sophos") returned -1 [0097.083] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0097.083] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.083] PathFindExtensionW (pszPath="NotificationUxBroker.010.etl") returned=".etl" [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.083] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.084] lstrcmpiW (lpString1="NotificationUxBroker.010.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0097.084] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.010.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.010.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.084] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0097.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0097.084] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0097.084] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0097.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0097.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0097.084] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.085] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.086] GetTickCount () returned 0x115976a [0097.086] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0097.087] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0097.087] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.087] SetLastError (dwErrCode=0x0) [0097.087] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.088] GetLastError () returned 0x0 [0097.088] GetLastError () returned 0x0 [0097.088] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.088] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.088] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.088] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34dc4332, dwHighDateTime=0x1d5f971)) [0097.088] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e800 [0097.088] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.088] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.088] GetProcessHeap () returned 0xbc0000 [0097.088] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.088] GetSystemDefaultLangID () returned 0xbd0409 [0097.088] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.088] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.089] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.089] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.090] GetProcessHeap () returned 0xbc0000 [0097.090] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.090] CloseHandle (hObject=0x270) returned 1 [0097.140] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0097.140] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0097.140] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0f0 | out: hHeap=0x2680000) returned 1 [0097.140] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0097.140] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.140] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.010.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.010.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.010.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.010.etl.nefilim")) returned 1 [0097.141] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.141] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.141] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x1ff683d6, ftLastAccessTime.dwHighDateTime=0x1d327c0, ftLastWriteTime.dwLowDateTime=0x20000d39, ftLastWriteTime.dwHighDateTime=0x1d327c0, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.011.etl", cAlternateFileName="NOC3D2~1.ETL")) returned 1 [0097.141] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2=".") returned 1 [0097.141] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="..") returned 1 [0097.141] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="...") returned 1 [0097.141] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="windows") returned -1 [0097.141] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.141] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="rsa") returned -1 [0097.141] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="NTDETECT.COM") returned -1 [0097.141] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="ntldr") returned -1 [0097.141] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="MSDOS.SYS") returned 1 [0097.141] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="IO.SYS") returned 1 [0097.141] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="boot.ini") returned 1 [0097.141] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.141] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="ntuser.dat") returned -1 [0097.142] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="desktop.ini") returned 1 [0097.142] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="CONFIG.SYS") returned 1 [0097.142] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="RECYCLER") returned -1 [0097.142] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.142] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="bootmgr") returned 1 [0097.142] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="programdata") returned -1 [0097.142] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="appdata") returned 1 [0097.142] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="program files") returned -1 [0097.142] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="program files (x86)") returned -1 [0097.142] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="microsoft") returned 1 [0097.142] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="sophos") returned -1 [0097.142] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0097.142] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0097.142] PathFindExtensionW (pszPath="NotificationUxBroker.011.etl") returned=".etl" [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.142] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.142] lstrcmpiW (lpString1="NotificationUxBroker.011.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.142] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0097.142] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.011.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.011.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.143] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.143] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0097.143] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.143] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0097.143] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.143] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0097.143] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0097.144] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.144] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.144] GetTickCount () returned 0x11597a8 [0097.144] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e500 [0097.144] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e500 | out: hHeap=0x2680000) returned 1 [0097.144] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.144] SetLastError (dwErrCode=0x0) [0097.144] WriteFile (in: hFile=0x270, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.145] GetLastError () returned 0x0 [0097.145] GetLastError () returned 0x0 [0097.145] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.145] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.145] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.145] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34e50ce5, dwHighDateTime=0x1d5f971)) [0097.145] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e800 [0097.145] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.145] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.146] GetProcessHeap () returned 0xbc0000 [0097.146] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.146] GetSystemDefaultLangID () returned 0xbd0409 [0097.146] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.146] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.147] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.147] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.147] GetProcessHeap () returned 0xbc0000 [0097.147] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.147] CloseHandle (hObject=0x270) returned 1 [0097.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0097.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0097.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0097.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.148] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.148] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.011.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.011.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.011.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.011.etl.nefilim")) returned 1 [0097.149] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.149] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0097.149] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x46e2de3d, ftLastAccessTime.dwHighDateTime=0x1d327bf, ftLastWriteTime.dwLowDateTime=0x46eecb64, ftLastWriteTime.dwHighDateTime=0x1d327bf, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.012.etl", cAlternateFileName="NOA86A~1.ETL")) returned 1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2=".") returned 1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="..") returned 1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="...") returned 1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="windows") returned -1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="rsa") returned -1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="NTDETECT.COM") returned -1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="ntldr") returned -1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="MSDOS.SYS") returned 1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="IO.SYS") returned 1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="boot.ini") returned 1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="ntuser.dat") returned -1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="desktop.ini") returned 1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="CONFIG.SYS") returned 1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="RECYCLER") returned -1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="bootmgr") returned 1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="programdata") returned -1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="appdata") returned 1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="program files") returned -1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="program files (x86)") returned -1 [0097.149] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="microsoft") returned 1 [0097.150] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="sophos") returned -1 [0097.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0097.150] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.150] PathFindExtensionW (pszPath="NotificationUxBroker.012.etl") returned=".etl" [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.150] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.150] lstrcmpiW (lpString1="NotificationUxBroker.012.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0097.150] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.012.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.012.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.151] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0097.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0097.151] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0097.151] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0097.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0097.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0097.151] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.151] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.152] GetTickCount () returned 0x11597a8 [0097.152] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0097.153] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0097.153] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.153] SetLastError (dwErrCode=0x0) [0097.153] WriteFile (in: hFile=0x270, lpBuffer=0x29d1300*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1300*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.154] GetLastError () returned 0x0 [0097.154] GetLastError () returned 0x0 [0097.154] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.154] WriteFile (in: hFile=0x270, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.154] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.154] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34e50ce5, dwHighDateTime=0x1d5f971)) [0097.154] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e800 [0097.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.154] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.154] GetProcessHeap () returned 0xbc0000 [0097.154] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.155] GetSystemDefaultLangID () returned 0xbd0409 [0097.155] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.155] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.156] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.156] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.156] GetProcessHeap () returned 0xbc0000 [0097.156] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.156] CloseHandle (hObject=0x270) returned 1 [0097.162] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1300 | out: hHeap=0x2680000) returned 1 [0097.162] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0097.162] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0097.162] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0097.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.162] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.012.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.012.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.012.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.012.etl.nefilim")) returned 1 [0097.163] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.163] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.163] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x235d058f, ftLastAccessTime.dwHighDateTime=0x1d327bf, ftLastWriteTime.dwLowDateTime=0x23917bad, ftLastWriteTime.dwHighDateTime=0x1d327bf, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.013.etl", cAlternateFileName="NO3128~1.ETL")) returned 1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2=".") returned 1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="..") returned 1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="...") returned 1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="windows") returned -1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="rsa") returned -1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="NTDETECT.COM") returned -1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="ntldr") returned -1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="MSDOS.SYS") returned 1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="IO.SYS") returned 1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="boot.ini") returned 1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="ntuser.dat") returned -1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="desktop.ini") returned 1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="CONFIG.SYS") returned 1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="RECYCLER") returned -1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.163] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="bootmgr") returned 1 [0097.164] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="programdata") returned -1 [0097.164] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="appdata") returned 1 [0097.164] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="program files") returned -1 [0097.164] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="program files (x86)") returned -1 [0097.164] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="microsoft") returned 1 [0097.164] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="sophos") returned -1 [0097.164] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0097.164] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0097.164] PathFindExtensionW (pszPath="NotificationUxBroker.013.etl") returned=".etl" [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.164] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.164] lstrcmpiW (lpString1="NotificationUxBroker.013.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.164] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0097.164] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.013.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.013.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.165] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.165] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0097.165] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0097.165] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0097.165] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0097.165] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0097.165] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0097.165] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.166] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.167] GetTickCount () returned 0x11597b8 [0097.167] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6f8 [0097.167] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f8 | out: hHeap=0x2680000) returned 1 [0097.167] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.167] SetLastError (dwErrCode=0x0) [0097.167] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.168] GetLastError () returned 0x0 [0097.168] GetLastError () returned 0x0 [0097.168] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.169] WriteFile (in: hFile=0x270, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.169] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.169] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34e76ec5, dwHighDateTime=0x1d5f971)) [0097.169] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e800 [0097.169] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.169] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.169] GetProcessHeap () returned 0xbc0000 [0097.169] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.169] GetSystemDefaultLangID () returned 0xbd0409 [0097.169] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.169] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.171] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.171] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.171] GetProcessHeap () returned 0xbc0000 [0097.171] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.171] CloseHandle (hObject=0x270) returned 1 [0097.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0097.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0097.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0097.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0097.176] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.176] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.013.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.013.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.013.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.013.etl.nefilim")) returned 1 [0097.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0097.177] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x8f69453d, ftLastAccessTime.dwHighDateTime=0x1d327b9, ftLastWriteTime.dwLowDateTime=0x8f779518, ftLastWriteTime.dwHighDateTime=0x1d327b9, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.014.etl", cAlternateFileName="NO43D2~1.ETL")) returned 1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2=".") returned 1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="..") returned 1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="...") returned 1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="windows") returned -1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="rsa") returned -1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="NTDETECT.COM") returned -1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="ntldr") returned -1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="MSDOS.SYS") returned 1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="IO.SYS") returned 1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="boot.ini") returned 1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="ntuser.dat") returned -1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="desktop.ini") returned 1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="CONFIG.SYS") returned 1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="RECYCLER") returned -1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="bootmgr") returned 1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="programdata") returned -1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="appdata") returned 1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="program files") returned -1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="program files (x86)") returned -1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="microsoft") returned 1 [0097.177] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="sophos") returned -1 [0097.177] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0097.177] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.177] PathFindExtensionW (pszPath="NotificationUxBroker.014.etl") returned=".etl" [0097.177] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.177] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.177] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.177] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.177] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.178] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.178] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.178] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.178] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.178] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.178] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.178] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.178] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.178] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.178] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.178] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.178] lstrcmpiW (lpString1="NotificationUxBroker.014.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.178] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0097.178] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.014.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.014.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.202] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.202] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0097.202] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0097.202] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0097.202] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0097.202] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0097.202] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0097.202] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.203] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.203] GetTickCount () returned 0x11597e7 [0097.203] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0097.203] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0097.203] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.203] SetLastError (dwErrCode=0x0) [0097.203] WriteFile (in: hFile=0x270, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.204] GetLastError () returned 0x0 [0097.204] GetLastError () returned 0x0 [0097.204] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.204] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.204] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.204] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34ee965d, dwHighDateTime=0x1d5f971)) [0097.204] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e800 [0097.204] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.204] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.204] GetProcessHeap () returned 0xbc0000 [0097.204] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.204] GetSystemDefaultLangID () returned 0xbd0409 [0097.204] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.205] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.206] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.206] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.206] GetProcessHeap () returned 0xbc0000 [0097.206] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.206] CloseHandle (hObject=0x270) returned 1 [0097.211] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0097.211] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0097.211] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0097.211] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0097.211] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.211] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.014.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.014.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.014.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.014.etl.nefilim")) returned 1 [0097.212] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.212] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.212] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x7fb3688d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x7fc1b6b8, ftLastWriteTime.dwHighDateTime=0x1d327b6, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.015.etl", cAlternateFileName="NOTIFI~4.ETL")) returned 1 [0097.212] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2=".") returned 1 [0097.212] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="..") returned 1 [0097.212] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="...") returned 1 [0097.212] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="windows") returned -1 [0097.212] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.212] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="rsa") returned -1 [0097.212] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="NTDETECT.COM") returned -1 [0097.212] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="ntldr") returned -1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="MSDOS.SYS") returned 1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="IO.SYS") returned 1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="boot.ini") returned 1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="ntuser.dat") returned -1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="desktop.ini") returned 1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="CONFIG.SYS") returned 1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="RECYCLER") returned -1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="bootmgr") returned 1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="programdata") returned -1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="appdata") returned 1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="program files") returned -1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="program files (x86)") returned -1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="microsoft") returned 1 [0097.213] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="sophos") returned -1 [0097.213] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0097.213] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0097.213] PathFindExtensionW (pszPath="NotificationUxBroker.015.etl") returned=".etl" [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.213] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.214] lstrcmpiW (lpString1="NotificationUxBroker.015.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.214] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0097.214] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.015.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.015.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.214] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.214] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0097.215] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0097.215] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0097.215] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0097.215] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0097.215] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0097.215] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.215] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.216] GetTickCount () returned 0x11597e7 [0097.216] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0097.216] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0097.216] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.216] SetLastError (dwErrCode=0x0) [0097.216] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.217] GetLastError () returned 0x0 [0097.217] GetLastError () returned 0x0 [0097.217] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.217] WriteFile (in: hFile=0x270, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.218] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.218] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34f0f98f, dwHighDateTime=0x1d5f971)) [0097.218] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e800 [0097.218] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.218] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.218] GetProcessHeap () returned 0xbc0000 [0097.218] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.219] GetSystemDefaultLangID () returned 0xbd0409 [0097.219] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.219] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.220] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.220] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.220] GetProcessHeap () returned 0xbc0000 [0097.220] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.220] CloseHandle (hObject=0x270) returned 1 [0097.223] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0097.223] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0097.223] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0097.223] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0097.223] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.223] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.015.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.015.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.015.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.015.etl.nefilim")) returned 1 [0097.223] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.223] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0097.223] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0xcb502d29, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xcb5c1a4e, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.016.etl", cAlternateFileName="NOTIFI~3.ETL")) returned 1 [0097.223] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2=".") returned 1 [0097.223] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="..") returned 1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="...") returned 1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="windows") returned -1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="rsa") returned -1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="NTDETECT.COM") returned -1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="ntldr") returned -1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="MSDOS.SYS") returned 1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="IO.SYS") returned 1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="boot.ini") returned 1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="ntuser.dat") returned -1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="desktop.ini") returned 1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="CONFIG.SYS") returned 1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="RECYCLER") returned -1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="bootmgr") returned 1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="programdata") returned -1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="appdata") returned 1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="program files") returned -1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="program files (x86)") returned -1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="microsoft") returned 1 [0097.224] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="sophos") returned -1 [0097.224] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0097.224] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.224] PathFindExtensionW (pszPath="NotificationUxBroker.016.etl") returned=".etl" [0097.224] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.224] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.224] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.224] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.224] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.224] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.224] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.224] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.224] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.224] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.224] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.224] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.225] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.225] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.225] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.225] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.225] lstrcmpiW (lpString1="NotificationUxBroker.016.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.225] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0097.225] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.016.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.016.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.225] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.226] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0097.226] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.226] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0097.226] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.226] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0097.226] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0097.226] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.227] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.228] GetTickCount () returned 0x11597f7 [0097.228] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0097.228] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0097.228] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.228] SetLastError (dwErrCode=0x0) [0097.229] WriteFile (in: hFile=0x270, lpBuffer=0x29d1a38*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1a38*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.229] GetLastError () returned 0x0 [0097.229] GetLastError () returned 0x0 [0097.230] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.230] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.230] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.230] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x34f0f98f, dwHighDateTime=0x1d5f971)) [0097.230] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e800 [0097.230] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.230] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.230] GetProcessHeap () returned 0xbc0000 [0097.230] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.230] GetSystemDefaultLangID () returned 0xbd0409 [0097.230] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.230] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.231] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.231] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.231] GetProcessHeap () returned 0xbc0000 [0097.231] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.231] CloseHandle (hObject=0x270) returned 1 [0097.232] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1a38 | out: hHeap=0x2680000) returned 1 [0097.232] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0097.232] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0097.232] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.233] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.016.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.016.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.016.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.016.etl.nefilim")) returned 1 [0097.342] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.342] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.342] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b53cfc, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x7b53cfc, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0x8be7d51, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="NotificationUxBroker.017.etl", cAlternateFileName="NOTIFI~1.ETL")) returned 1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2=".") returned 1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="..") returned 1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="...") returned 1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="windows") returned -1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="rsa") returned -1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="NTDETECT.COM") returned -1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="ntldr") returned -1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="MSDOS.SYS") returned 1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="IO.SYS") returned 1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="boot.ini") returned 1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="ntuser.dat") returned -1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="desktop.ini") returned 1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="CONFIG.SYS") returned 1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="RECYCLER") returned -1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="bootmgr") returned 1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="programdata") returned -1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="appdata") returned 1 [0097.342] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="program files") returned -1 [0097.343] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="program files (x86)") returned -1 [0097.343] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="microsoft") returned 1 [0097.343] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="sophos") returned -1 [0097.343] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0097.343] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0097.343] PathFindExtensionW (pszPath="NotificationUxBroker.017.etl") returned=".etl" [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.343] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.343] lstrcmpiW (lpString1="NotificationUxBroker.017.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.343] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e370 [0097.343] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.017.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.017.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.391] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=12288) returned 1 [0097.391] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0097.391] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0097.391] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0097.391] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0097.391] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0097.391] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0097.391] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.392] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.392] GetTickCount () returned 0x11598a2 [0097.392] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0097.392] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0097.392] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.392] SetLastError (dwErrCode=0x0) [0097.392] WriteFile (in: hFile=0x270, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.393] GetLastError () returned 0x0 [0097.393] GetLastError () returned 0x0 [0097.393] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.393] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.393] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.393] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x350b3415, dwHighDateTime=0x1d5f971)) [0097.393] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e800 [0097.393] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.393] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.393] GetProcessHeap () returned 0xbc0000 [0097.393] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3000) returned 0xbf2638 [0097.393] GetSystemDefaultLangID () returned 0xbd0409 [0097.394] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.394] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3000, lpOverlapped=0x0) returned 1 [0097.395] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.395] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3000, lpOverlapped=0x0) returned 1 [0097.396] GetProcessHeap () returned 0xbc0000 [0097.396] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.396] CloseHandle (hObject=0x270) returned 1 [0097.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0097.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0097.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0a8 | out: hHeap=0x2680000) returned 1 [0097.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268df28 | out: hHeap=0x2680000) returned 1 [0097.397] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.397] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.017.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.017.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\NotificationUxBroker.017.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\notificationuxbroker.017.etl.nefilim")) returned 1 [0097.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e370 | out: hHeap=0x2680000) returned 1 [0097.397] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2000, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x21006ce2, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x21006ce2, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.001.etl", cAlternateFileName="UP2DAF~1.ETL")) returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2=".") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="..") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="...") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="windows") returned -1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="rsa") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="NTDETECT.COM") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="ntldr") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="MSDOS.SYS") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="IO.SYS") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="boot.ini") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="ntuser.dat") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="desktop.ini") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="CONFIG.SYS") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="RECYCLER") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="bootmgr") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="programdata") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="appdata") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="program files") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="program files (x86)") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="microsoft") returned 1 [0097.398] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="sophos") returned 1 [0097.398] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.398] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.398] PathFindExtensionW (pszPath="UpdateSessionOrchestration.001.etl") returned=".etl" [0097.398] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.398] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.398] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.398] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.398] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.398] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.398] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.399] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.399] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.399] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.399] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.399] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.399] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.399] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.399] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.399] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.399] lstrcmpiW (lpString1="UpdateSessionOrchestration.001.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.399] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.399] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.001.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.001.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0097.399] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=75031468087965748) returned 0 [0097.399] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0a8 [0097.399] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268df28 [0097.399] SystemFunction036 (in: RandomBuffer=0x268e0a8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0a8) returned 1 [0097.399] SystemFunction036 (in: RandomBuffer=0x268df28, RandomBufferLength=0x10 | out: RandomBuffer=0x268df28) returned 1 [0097.399] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1a38 [0097.399] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1300 [0097.399] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1a38*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1a38*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.400] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1300*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1300*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.401] GetTickCount () returned 0x11598a2 [0097.401] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0097.401] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0097.401] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0097.401] SetLastError (dwErrCode=0x0) [0097.401] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d1a38, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0) returned 0 [0097.401] GetLastError () returned 0x6 [0097.401] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.401] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xcfcbff7d, ftLastAccessTime.dwHighDateTime=0x1d5e7c2, ftLastWriteTime.dwLowDateTime=0xcfcbff7d, ftLastWriteTime.dwHighDateTime=0x1d5e7c2, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.002.etl", cAlternateFileName="UP3884~1.ETL")) returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2=".") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="..") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="...") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="windows") returned -1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="rsa") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="NTDETECT.COM") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="ntldr") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="MSDOS.SYS") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="IO.SYS") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="boot.ini") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="ntuser.dat") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="desktop.ini") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="CONFIG.SYS") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="RECYCLER") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="bootmgr") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="programdata") returned 1 [0097.401] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="appdata") returned 1 [0097.402] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="program files") returned 1 [0097.402] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="program files (x86)") returned 1 [0097.402] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="microsoft") returned 1 [0097.402] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="sophos") returned 1 [0097.402] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.402] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.402] PathFindExtensionW (pszPath="UpdateSessionOrchestration.002.etl") returned=".etl" [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.402] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.402] lstrcmpiW (lpString1="UpdateSessionOrchestration.002.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.402] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.402] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.002.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.402] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.403] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.403] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0097.403] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.403] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0097.403] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0097.403] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0097.403] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.405] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.406] GetTickCount () returned 0x11598b2 [0097.406] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0097.406] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0097.406] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.406] SetLastError (dwErrCode=0x0) [0097.406] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.407] GetLastError () returned 0x0 [0097.407] GetLastError () returned 0x0 [0097.407] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.407] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.407] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.408] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x350d9630, dwHighDateTime=0x1d5f971)) [0097.408] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.408] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.408] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.408] GetProcessHeap () returned 0xbc0000 [0097.408] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.408] GetSystemDefaultLangID () returned 0xbd0409 [0097.408] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.408] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.409] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.409] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.409] GetProcessHeap () returned 0xbc0000 [0097.409] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.410] CloseHandle (hObject=0x270) returned 1 [0097.413] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0097.413] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0097.413] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.413] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0097.413] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.413] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.002.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.002.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.002.etl.nefilim")) returned 1 [0097.414] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.414] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.414] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x917b63d4, ftLastAccessTime.dwHighDateTime=0x1d5d815, ftLastWriteTime.dwLowDateTime=0xb8b481f0, ftLastWriteTime.dwHighDateTime=0x1d5d815, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.003.etl", cAlternateFileName="UP8247~1.ETL")) returned 1 [0097.414] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2=".") returned 1 [0097.414] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="..") returned 1 [0097.414] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="...") returned 1 [0097.414] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="windows") returned -1 [0097.414] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.414] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="rsa") returned 1 [0097.414] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="NTDETECT.COM") returned 1 [0097.414] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="ntldr") returned 1 [0097.414] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="MSDOS.SYS") returned 1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="IO.SYS") returned 1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="boot.ini") returned 1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="ntuser.dat") returned 1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="desktop.ini") returned 1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="CONFIG.SYS") returned 1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="RECYCLER") returned 1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="bootmgr") returned 1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="programdata") returned 1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="appdata") returned 1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="program files") returned 1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="program files (x86)") returned 1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="microsoft") returned 1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="sophos") returned 1 [0097.415] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.415] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.415] PathFindExtensionW (pszPath="UpdateSessionOrchestration.003.etl") returned=".etl" [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.415] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.415] lstrcmpiW (lpString1="UpdateSessionOrchestration.003.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.416] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.416] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.003.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.416] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=12288) returned 1 [0097.416] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.416] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0097.416] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.416] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0097.416] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0097.416] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0097.416] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.416] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.417] GetTickCount () returned 0x11598b2 [0097.417] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0097.417] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0097.417] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.417] SetLastError (dwErrCode=0x0) [0097.417] WriteFile (in: hFile=0x270, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.418] GetLastError () returned 0x0 [0097.418] GetLastError () returned 0x0 [0097.418] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.418] WriteFile (in: hFile=0x270, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.418] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.418] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x350d9630, dwHighDateTime=0x1d5f971)) [0097.418] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.418] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.418] GetProcessHeap () returned 0xbc0000 [0097.418] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3000) returned 0xbf2638 [0097.418] GetSystemDefaultLangID () returned 0xbd0409 [0097.418] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.418] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3000, lpOverlapped=0x0) returned 1 [0097.420] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.420] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3000, lpOverlapped=0x0) returned 1 [0097.420] GetProcessHeap () returned 0xbc0000 [0097.420] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.420] CloseHandle (hObject=0x270) returned 1 [0097.421] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0097.421] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0097.421] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.421] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0097.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.421] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.003.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.003.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.003.etl.nefilim")) returned 1 [0097.422] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.422] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.422] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x150f0f86, ftLastAccessTime.dwHighDateTime=0x1d5d811, ftLastWriteTime.dwLowDateTime=0x39296693, ftLastWriteTime.dwHighDateTime=0x1d5d811, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.004.etl", cAlternateFileName="UPD2FC~1.ETL")) returned 1 [0097.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2=".") returned 1 [0097.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="..") returned 1 [0097.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="...") returned 1 [0097.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="windows") returned -1 [0097.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="rsa") returned 1 [0097.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="NTDETECT.COM") returned 1 [0097.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="ntldr") returned 1 [0097.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="MSDOS.SYS") returned 1 [0097.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="IO.SYS") returned 1 [0097.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="boot.ini") returned 1 [0097.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="ntuser.dat") returned 1 [0097.422] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="desktop.ini") returned 1 [0097.423] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="CONFIG.SYS") returned 1 [0097.423] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="RECYCLER") returned 1 [0097.423] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.423] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="bootmgr") returned 1 [0097.423] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="programdata") returned 1 [0097.423] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="appdata") returned 1 [0097.423] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="program files") returned 1 [0097.423] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="program files (x86)") returned 1 [0097.423] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="microsoft") returned 1 [0097.423] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="sophos") returned 1 [0097.423] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.423] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.423] PathFindExtensionW (pszPath="UpdateSessionOrchestration.004.etl") returned=".etl" [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.423] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.423] lstrcmpiW (lpString1="UpdateSessionOrchestration.004.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.423] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.423] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.004.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.424] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.424] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.424] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0097.424] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.424] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0097.424] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0097.424] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0097.424] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.424] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.425] GetTickCount () returned 0x11598c2 [0097.425] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e420 [0097.425] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e420 | out: hHeap=0x2680000) returned 1 [0097.425] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.425] SetLastError (dwErrCode=0x0) [0097.425] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.426] GetLastError () returned 0x0 [0097.426] GetLastError () returned 0x0 [0097.426] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.426] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.427] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.427] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x350ff653, dwHighDateTime=0x1d5f971)) [0097.427] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.427] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.427] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.427] GetProcessHeap () returned 0xbc0000 [0097.427] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.428] GetSystemDefaultLangID () returned 0xbd0409 [0097.428] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.428] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.484] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.484] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.484] GetProcessHeap () returned 0xbc0000 [0097.484] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.484] CloseHandle (hObject=0x270) returned 1 [0097.495] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0097.495] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0097.495] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.495] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0097.495] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.495] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.004.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.004.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.004.etl.nefilim")) returned 1 [0097.496] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.496] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.496] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x1f83bc0, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0x32ea756e, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.005.etl", cAlternateFileName="UPB784~1.ETL")) returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2=".") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="..") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="...") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="windows") returned -1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="rsa") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="NTDETECT.COM") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="ntldr") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="MSDOS.SYS") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="IO.SYS") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="boot.ini") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="ntuser.dat") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="desktop.ini") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="CONFIG.SYS") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="RECYCLER") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="bootmgr") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="programdata") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="appdata") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="program files") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="program files (x86)") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="microsoft") returned 1 [0097.496] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="sophos") returned 1 [0097.496] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.496] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.496] PathFindExtensionW (pszPath="UpdateSessionOrchestration.005.etl") returned=".etl" [0097.496] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.496] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.496] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.497] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.497] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.497] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.497] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.497] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.497] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.497] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.497] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.497] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.497] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.497] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.497] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.497] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.497] lstrcmpiW (lpString1="UpdateSessionOrchestration.005.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.497] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.005.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.497] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=12288) returned 1 [0097.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0097.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0097.497] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0097.497] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0097.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0097.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0097.497] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.499] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.500] GetTickCount () returned 0x1159910 [0097.500] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0097.500] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0097.500] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.500] SetLastError (dwErrCode=0x0) [0097.500] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.501] GetLastError () returned 0x0 [0097.501] GetLastError () returned 0x0 [0097.501] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.501] WriteFile (in: hFile=0x270, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.501] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.501] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x351be31c, dwHighDateTime=0x1d5f971)) [0097.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.501] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.501] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.502] GetProcessHeap () returned 0xbc0000 [0097.502] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3000) returned 0xbf2638 [0097.502] GetSystemDefaultLangID () returned 0xbd0409 [0097.502] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.502] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3000, lpOverlapped=0x0) returned 1 [0097.503] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.503] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3000, lpOverlapped=0x0) returned 1 [0097.503] GetProcessHeap () returned 0xbc0000 [0097.503] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.503] CloseHandle (hObject=0x270) returned 1 [0097.506] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0097.506] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0097.506] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0097.506] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0097.506] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.506] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.005.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.005.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.005.etl.nefilim")) returned 1 [0097.507] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.507] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.507] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfdc37a18, ftLastAccessTime.dwHighDateTime=0x1d5d80e, ftLastWriteTime.dwLowDateTime=0x290206fd, ftLastWriteTime.dwHighDateTime=0x1d5d80f, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.006.etl", cAlternateFileName="UP7D55~1.ETL")) returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2=".") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="..") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="...") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="windows") returned -1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="rsa") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="NTDETECT.COM") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="ntldr") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="MSDOS.SYS") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="IO.SYS") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="boot.ini") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="ntuser.dat") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="desktop.ini") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="CONFIG.SYS") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="RECYCLER") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="bootmgr") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="programdata") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="appdata") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="program files") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="program files (x86)") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="microsoft") returned 1 [0097.507] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="sophos") returned 1 [0097.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.507] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.507] PathFindExtensionW (pszPath="UpdateSessionOrchestration.006.etl") returned=".etl" [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.508] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.508] lstrcmpiW (lpString1="UpdateSessionOrchestration.006.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.508] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.508] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.006.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.508] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=12288) returned 1 [0097.508] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.508] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0097.508] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.508] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0097.508] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0097.508] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0097.508] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.509] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.509] GetTickCount () returned 0x1159910 [0097.509] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0097.509] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0097.509] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.509] SetLastError (dwErrCode=0x0) [0097.509] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.510] GetLastError () returned 0x0 [0097.510] GetLastError () returned 0x0 [0097.510] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.510] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.510] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.511] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x351be31c, dwHighDateTime=0x1d5f971)) [0097.511] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.511] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.511] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.511] GetProcessHeap () returned 0xbc0000 [0097.511] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3000) returned 0xbf2638 [0097.511] GetSystemDefaultLangID () returned 0xbd0409 [0097.511] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.511] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3000, lpOverlapped=0x0) returned 1 [0097.512] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.512] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3000, lpOverlapped=0x0) returned 1 [0097.513] GetProcessHeap () returned 0xbc0000 [0097.513] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.513] CloseHandle (hObject=0x270) returned 1 [0097.514] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0097.514] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0097.514] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.514] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0097.514] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.514] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.006.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.006.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.006.etl.nefilim")) returned 1 [0097.515] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.515] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.515] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x8a5979b2, ftLastAccessTime.dwHighDateTime=0x1d5d80d, ftLastWriteTime.dwLowDateTime=0x8a5979b2, ftLastWriteTime.dwHighDateTime=0x1d5d80d, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.007.etl", cAlternateFileName="UP52FC~1.ETL")) returned 1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2=".") returned 1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="..") returned 1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="...") returned 1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="windows") returned -1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="rsa") returned 1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="NTDETECT.COM") returned 1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="ntldr") returned 1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="MSDOS.SYS") returned 1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="IO.SYS") returned 1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="boot.ini") returned 1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="ntuser.dat") returned 1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="desktop.ini") returned 1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="CONFIG.SYS") returned 1 [0097.515] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="RECYCLER") returned 1 [0097.516] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.516] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="bootmgr") returned 1 [0097.516] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="programdata") returned 1 [0097.516] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="appdata") returned 1 [0097.516] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="program files") returned 1 [0097.516] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="program files (x86)") returned 1 [0097.516] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="microsoft") returned 1 [0097.516] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="sophos") returned 1 [0097.516] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.516] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.516] PathFindExtensionW (pszPath="UpdateSessionOrchestration.007.etl") returned=".etl" [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.516] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.516] lstrcmpiW (lpString1="UpdateSessionOrchestration.007.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.516] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.516] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.007.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.516] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=4096) returned 1 [0097.517] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.517] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0097.517] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.517] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0097.517] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0097.517] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0097.517] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.517] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.518] GetTickCount () returned 0x115991f [0097.518] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0097.518] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0097.518] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.518] SetLastError (dwErrCode=0x0) [0097.518] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.519] GetLastError () returned 0x0 [0097.519] GetLastError () returned 0x0 [0097.519] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.519] WriteFile (in: hFile=0x270, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.519] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.519] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x351e475d, dwHighDateTime=0x1d5f971)) [0097.519] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.519] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.519] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.519] GetProcessHeap () returned 0xbc0000 [0097.519] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1000) returned 0xbf2638 [0097.520] GetSystemDefaultLangID () returned 0xbd0409 [0097.520] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.520] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x1000, lpOverlapped=0x0) returned 1 [0097.622] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.622] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x1000, lpOverlapped=0x0) returned 1 [0097.622] GetProcessHeap () returned 0xbc0000 [0097.622] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.622] CloseHandle (hObject=0x270) returned 1 [0097.623] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0097.623] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0097.623] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.623] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0097.623] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.623] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.007.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.007.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.007.etl.nefilim")) returned 1 [0097.624] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.624] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.624] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xcbc9fc38, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xefa43826, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.008.etl", cAlternateFileName="UPA721~1.ETL")) returned 1 [0097.624] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2=".") returned 1 [0097.624] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="..") returned 1 [0097.624] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="...") returned 1 [0097.624] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="windows") returned -1 [0097.624] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.624] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="rsa") returned 1 [0097.624] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="NTDETECT.COM") returned 1 [0097.624] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="ntldr") returned 1 [0097.624] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="MSDOS.SYS") returned 1 [0097.624] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="IO.SYS") returned 1 [0097.624] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="boot.ini") returned 1 [0097.625] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.625] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="ntuser.dat") returned 1 [0097.625] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="desktop.ini") returned 1 [0097.625] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="CONFIG.SYS") returned 1 [0097.625] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="RECYCLER") returned 1 [0097.625] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.625] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="bootmgr") returned 1 [0097.625] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="programdata") returned 1 [0097.625] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="appdata") returned 1 [0097.625] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="program files") returned 1 [0097.625] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="program files (x86)") returned 1 [0097.625] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="microsoft") returned 1 [0097.625] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="sophos") returned 1 [0097.625] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.625] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.625] PathFindExtensionW (pszPath="UpdateSessionOrchestration.008.etl") returned=".etl" [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.625] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.625] lstrcmpiW (lpString1="UpdateSessionOrchestration.008.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.625] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.625] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.008.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.626] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.626] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.626] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0097.626] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.626] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0097.626] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0097.626] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0097.626] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.627] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.628] GetTickCount () returned 0x115998d [0097.628] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e618 [0097.628] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e618 | out: hHeap=0x2680000) returned 1 [0097.628] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.628] SetLastError (dwErrCode=0x0) [0097.628] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.629] GetLastError () returned 0x0 [0097.629] GetLastError () returned 0x0 [0097.629] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.629] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.629] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.629] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x352ef608, dwHighDateTime=0x1d5f971)) [0097.629] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.630] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.630] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.630] GetProcessHeap () returned 0xbc0000 [0097.630] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.630] GetSystemDefaultLangID () returned 0xbd0409 [0097.630] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.630] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.631] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.631] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.631] GetProcessHeap () returned 0xbc0000 [0097.631] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.631] CloseHandle (hObject=0x270) returned 1 [0097.638] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0097.638] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0097.638] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.638] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0097.638] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.638] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.008.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.008.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.008.etl.nefilim")) returned 1 [0097.640] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.640] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.640] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xf1e2e9c9, ftLastAccessTime.dwHighDateTime=0x1d5d80b, ftLastWriteTime.dwLowDateTime=0x1ca46d4f, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.009.etl", cAlternateFileName="UPFC55~1.ETL")) returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2=".") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="..") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="...") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="windows") returned -1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="rsa") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="NTDETECT.COM") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="ntldr") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="MSDOS.SYS") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="IO.SYS") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="boot.ini") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="ntuser.dat") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="desktop.ini") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="CONFIG.SYS") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="RECYCLER") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="bootmgr") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="programdata") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="appdata") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="program files") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="program files (x86)") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="microsoft") returned 1 [0097.640] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="sophos") returned 1 [0097.640] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.640] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.640] PathFindExtensionW (pszPath="UpdateSessionOrchestration.009.etl") returned=".etl" [0097.640] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.641] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.641] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.641] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.641] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.641] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.641] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.641] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.641] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.641] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.641] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.641] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.641] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.641] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.641] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.641] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.641] lstrcmpiW (lpString1="UpdateSessionOrchestration.009.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.641] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.641] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.009.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.641] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=12288) returned 1 [0097.641] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.641] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0097.641] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.641] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0097.641] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0097.641] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0097.641] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.642] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.642] GetTickCount () returned 0x115999c [0097.642] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6f8 [0097.642] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f8 | out: hHeap=0x2680000) returned 1 [0097.642] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.642] SetLastError (dwErrCode=0x0) [0097.642] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.643] GetLastError () returned 0x0 [0097.643] GetLastError () returned 0x0 [0097.643] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.643] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.643] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.643] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3531578f, dwHighDateTime=0x1d5f971)) [0097.643] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.643] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.643] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.643] GetProcessHeap () returned 0xbc0000 [0097.643] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3000) returned 0xbf2638 [0097.643] GetSystemDefaultLangID () returned 0xbd0409 [0097.643] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.644] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3000, lpOverlapped=0x0) returned 1 [0097.645] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.645] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3000, lpOverlapped=0x0) returned 1 [0097.645] GetProcessHeap () returned 0xbc0000 [0097.645] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.645] CloseHandle (hObject=0x270) returned 1 [0097.648] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0097.648] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0097.648] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.648] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0097.648] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.648] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.009.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.009.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.009.etl.nefilim")) returned 1 [0097.649] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.649] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.649] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xf7e12839, ftLastAccessTime.dwHighDateTime=0x1d5d805, ftLastWriteTime.dwLowDateTime=0x26688c0b, ftLastWriteTime.dwHighDateTime=0x1d5d806, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.010.etl", cAlternateFileName="UPB13B~1.ETL")) returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2=".") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="..") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="...") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="windows") returned -1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="rsa") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="NTDETECT.COM") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="ntldr") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="MSDOS.SYS") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="IO.SYS") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="boot.ini") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="ntuser.dat") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="desktop.ini") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="CONFIG.SYS") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="RECYCLER") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.649] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="bootmgr") returned 1 [0097.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="programdata") returned 1 [0097.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="appdata") returned 1 [0097.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="program files") returned 1 [0097.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="program files (x86)") returned 1 [0097.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="microsoft") returned 1 [0097.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="sophos") returned 1 [0097.650] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.650] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.650] PathFindExtensionW (pszPath="UpdateSessionOrchestration.010.etl") returned=".etl" [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.650] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.650] lstrcmpiW (lpString1="UpdateSessionOrchestration.010.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.650] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.650] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.010.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.650] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=12288) returned 1 [0097.650] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.651] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0097.651] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.651] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0097.651] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0097.651] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0097.651] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.651] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.652] GetTickCount () returned 0x115999c [0097.652] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0097.652] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0097.652] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.652] SetLastError (dwErrCode=0x0) [0097.652] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.653] GetLastError () returned 0x0 [0097.653] GetLastError () returned 0x0 [0097.653] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.653] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.653] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.653] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3531578f, dwHighDateTime=0x1d5f971)) [0097.653] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.653] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.653] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.653] GetProcessHeap () returned 0xbc0000 [0097.653] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3000) returned 0xbf2638 [0097.654] GetSystemDefaultLangID () returned 0xbd0409 [0097.654] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.654] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3000, lpOverlapped=0x0) returned 1 [0097.689] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.689] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3000, lpOverlapped=0x0) returned 1 [0097.689] GetProcessHeap () returned 0xbc0000 [0097.689] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.689] CloseHandle (hObject=0x270) returned 1 [0097.692] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0097.692] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0097.692] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.692] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0097.692] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.692] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.010.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.010.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.010.etl.nefilim")) returned 1 [0097.693] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.693] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.693] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xde371631, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0x2bb800e, ftLastWriteTime.dwHighDateTime=0x1d47c36, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.011.etl", cAlternateFileName="UP076F~1.ETL")) returned 1 [0097.693] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2=".") returned 1 [0097.693] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="..") returned 1 [0097.693] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="...") returned 1 [0097.693] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="windows") returned -1 [0097.693] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.693] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="rsa") returned 1 [0097.693] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="NTDETECT.COM") returned 1 [0097.693] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="ntldr") returned 1 [0097.693] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="MSDOS.SYS") returned 1 [0097.693] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="IO.SYS") returned 1 [0097.693] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="boot.ini") returned 1 [0097.693] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.693] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="ntuser.dat") returned 1 [0097.694] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="desktop.ini") returned 1 [0097.694] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="CONFIG.SYS") returned 1 [0097.694] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="RECYCLER") returned 1 [0097.694] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.694] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="bootmgr") returned 1 [0097.694] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="programdata") returned 1 [0097.694] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="appdata") returned 1 [0097.694] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="program files") returned 1 [0097.694] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="program files (x86)") returned 1 [0097.694] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="microsoft") returned 1 [0097.694] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="sophos") returned 1 [0097.694] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.694] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.694] PathFindExtensionW (pszPath="UpdateSessionOrchestration.011.etl") returned=".etl" [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.694] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.694] lstrcmpiW (lpString1="UpdateSessionOrchestration.011.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.694] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.694] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.011.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.695] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.695] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0097.695] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.695] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0097.695] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.695] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0097.695] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0097.695] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.696] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.697] GetTickCount () returned 0x11599cb [0097.697] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e688 [0097.697] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0097.697] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.697] SetLastError (dwErrCode=0x0) [0097.697] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.698] GetLastError () returned 0x0 [0097.698] GetLastError () returned 0x0 [0097.698] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.698] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.698] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.698] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x35388098, dwHighDateTime=0x1d5f971)) [0097.698] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.698] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.699] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.699] GetProcessHeap () returned 0xbc0000 [0097.699] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.699] GetSystemDefaultLangID () returned 0xbd0409 [0097.699] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.699] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.700] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.700] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.700] GetProcessHeap () returned 0xbc0000 [0097.700] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.700] CloseHandle (hObject=0x270) returned 1 [0097.701] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0097.701] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0097.701] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0097.701] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.701] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.701] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.011.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.011.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.011.etl.nefilim")) returned 1 [0097.702] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.702] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.702] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x2a522d7b, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0x4e6dab1f, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.012.etl", cAlternateFileName="UPEBF6~1.ETL")) returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2=".") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="..") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="...") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="windows") returned -1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="rsa") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="NTDETECT.COM") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="ntldr") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="MSDOS.SYS") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="IO.SYS") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="boot.ini") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="ntuser.dat") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="desktop.ini") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="CONFIG.SYS") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="RECYCLER") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="bootmgr") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="programdata") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="appdata") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="program files") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="program files (x86)") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="microsoft") returned 1 [0097.702] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="sophos") returned 1 [0097.702] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.702] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.702] PathFindExtensionW (pszPath="UpdateSessionOrchestration.012.etl") returned=".etl" [0097.702] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.702] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.702] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.702] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.702] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.702] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.703] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.703] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.703] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.703] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.703] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.703] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.703] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.703] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.703] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.703] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.703] lstrcmpiW (lpString1="UpdateSessionOrchestration.012.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.703] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.703] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.012.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.703] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.703] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.703] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0097.703] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.703] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0097.703] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0097.703] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0097.703] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.704] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.704] GetTickCount () returned 0x11599db [0097.704] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0097.704] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0097.704] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.704] SetLastError (dwErrCode=0x0) [0097.704] WriteFile (in: hFile=0x270, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.705] GetLastError () returned 0x0 [0097.705] GetLastError () returned 0x0 [0097.705] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.705] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.705] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.705] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x353ae03b, dwHighDateTime=0x1d5f971)) [0097.705] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.705] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.705] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.705] GetProcessHeap () returned 0xbc0000 [0097.705] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.705] GetSystemDefaultLangID () returned 0xbd0409 [0097.705] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.705] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.706] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.706] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.707] GetProcessHeap () returned 0xbc0000 [0097.707] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.707] CloseHandle (hObject=0x270) returned 1 [0097.707] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0097.707] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0097.707] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.707] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0097.707] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.707] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.012.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.012.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.012.etl.nefilim")) returned 1 [0097.708] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.708] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.708] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x2cbb43aa, ftLastAccessTime.dwHighDateTime=0x1d47c34, ftLastWriteTime.dwLowDateTime=0x5454d5b0, ftLastWriteTime.dwHighDateTime=0x1d47c34, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.013.etl", cAlternateFileName="UP8DEE~1.ETL")) returned 1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2=".") returned 1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="..") returned 1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="...") returned 1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="windows") returned -1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="rsa") returned 1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="NTDETECT.COM") returned 1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="ntldr") returned 1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="MSDOS.SYS") returned 1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="IO.SYS") returned 1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="boot.ini") returned 1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="ntuser.dat") returned 1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="desktop.ini") returned 1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="CONFIG.SYS") returned 1 [0097.708] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="RECYCLER") returned 1 [0097.709] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.709] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="bootmgr") returned 1 [0097.709] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="programdata") returned 1 [0097.709] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="appdata") returned 1 [0097.709] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="program files") returned 1 [0097.709] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="program files (x86)") returned 1 [0097.709] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="microsoft") returned 1 [0097.709] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="sophos") returned 1 [0097.709] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.709] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.709] PathFindExtensionW (pszPath="UpdateSessionOrchestration.013.etl") returned=".etl" [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.709] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.709] lstrcmpiW (lpString1="UpdateSessionOrchestration.013.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.709] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.709] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.013.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.709] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=12288) returned 1 [0097.710] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0097.710] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0097.710] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0097.710] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0097.710] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0097.710] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0097.710] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.710] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.711] GetTickCount () returned 0x11599db [0097.711] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0097.711] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0097.711] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.711] SetLastError (dwErrCode=0x0) [0097.711] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.712] GetLastError () returned 0x0 [0097.712] GetLastError () returned 0x0 [0097.712] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.712] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.712] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.712] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x353ae03b, dwHighDateTime=0x1d5f971)) [0097.712] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.712] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.712] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.712] GetProcessHeap () returned 0xbc0000 [0097.712] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3000) returned 0xbf2638 [0097.713] GetSystemDefaultLangID () returned 0xbd0409 [0097.713] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.713] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3000, lpOverlapped=0x0) returned 1 [0097.714] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.715] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3000, lpOverlapped=0x0) returned 1 [0097.715] GetProcessHeap () returned 0xbc0000 [0097.715] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.715] CloseHandle (hObject=0x270) returned 1 [0097.767] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0097.768] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0097.768] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0097.768] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0097.768] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.768] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.013.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.013.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.013.etl.nefilim")) returned 1 [0097.768] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.768] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.768] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x60de6047, ftLastAccessTime.dwHighDateTime=0x1d47c33, ftLastWriteTime.dwLowDateTime=0x60de6047, ftLastWriteTime.dwHighDateTime=0x1d47c33, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.014.etl", cAlternateFileName="UP38BA~1.ETL")) returned 1 [0097.768] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2=".") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="..") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="...") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="windows") returned -1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="rsa") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="NTDETECT.COM") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="ntldr") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="MSDOS.SYS") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="IO.SYS") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="boot.ini") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="ntuser.dat") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="desktop.ini") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="CONFIG.SYS") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="RECYCLER") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="bootmgr") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="programdata") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="appdata") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="program files") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="program files (x86)") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="microsoft") returned 1 [0097.769] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="sophos") returned 1 [0097.769] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.769] PathFindExtensionW (pszPath="UpdateSessionOrchestration.014.etl") returned=".etl" [0097.769] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.769] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.769] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.769] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.769] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.769] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.769] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.769] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.769] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.769] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.769] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.770] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.770] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.770] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.770] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.770] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.770] lstrcmpiW (lpString1="UpdateSessionOrchestration.014.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.770] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.770] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.014.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.770] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=4096) returned 1 [0097.770] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.770] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0097.770] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.770] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0097.770] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0097.770] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0097.770] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.771] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.773] GetTickCount () returned 0x1159a19 [0097.773] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0097.773] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0097.773] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.773] SetLastError (dwErrCode=0x0) [0097.773] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.774] GetLastError () returned 0x0 [0097.774] GetLastError () returned 0x0 [0097.774] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.774] WriteFile (in: hFile=0x270, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.774] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.774] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x35446b39, dwHighDateTime=0x1d5f971)) [0097.774] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.774] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.774] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.774] GetProcessHeap () returned 0xbc0000 [0097.774] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1000) returned 0xbf2638 [0097.774] GetSystemDefaultLangID () returned 0xbd0409 [0097.774] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.774] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x1000, lpOverlapped=0x0) returned 1 [0097.775] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.775] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x1000, lpOverlapped=0x0) returned 1 [0097.775] GetProcessHeap () returned 0xbc0000 [0097.775] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.775] CloseHandle (hObject=0x270) returned 1 [0097.777] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0097.777] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0097.777] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.777] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0097.777] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.777] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.014.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.014.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.014.etl.nefilim")) returned 1 [0097.778] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.778] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.778] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa72ae253, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0xcb3f3780, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.015.etl", cAlternateFileName="UPE286~1.ETL")) returned 1 [0097.778] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2=".") returned 1 [0097.778] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="..") returned 1 [0097.778] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="...") returned 1 [0097.778] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="windows") returned -1 [0097.778] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.778] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="rsa") returned 1 [0097.778] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="NTDETECT.COM") returned 1 [0097.778] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="ntldr") returned 1 [0097.778] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="MSDOS.SYS") returned 1 [0097.778] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="IO.SYS") returned 1 [0097.778] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="boot.ini") returned 1 [0097.778] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.778] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="ntuser.dat") returned 1 [0097.778] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="desktop.ini") returned 1 [0097.779] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="CONFIG.SYS") returned 1 [0097.779] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="RECYCLER") returned 1 [0097.779] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.779] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="bootmgr") returned 1 [0097.779] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="programdata") returned 1 [0097.779] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="appdata") returned 1 [0097.779] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="program files") returned 1 [0097.779] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="program files (x86)") returned 1 [0097.779] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="microsoft") returned 1 [0097.779] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="sophos") returned 1 [0097.779] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.779] PathFindExtensionW (pszPath="UpdateSessionOrchestration.015.etl") returned=".etl" [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.779] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.779] lstrcmpiW (lpString1="UpdateSessionOrchestration.015.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.779] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.779] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.015.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.780] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.780] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0097.780] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.780] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0097.780] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.780] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0097.780] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0097.780] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.780] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.780] GetTickCount () returned 0x1159a29 [0097.780] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e490 [0097.780] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e490 | out: hHeap=0x2680000) returned 1 [0097.780] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.780] SetLastError (dwErrCode=0x0) [0097.781] WriteFile (in: hFile=0x270, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.781] GetLastError () returned 0x0 [0097.781] GetLastError () returned 0x0 [0097.781] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.781] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.782] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.782] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3546cdf1, dwHighDateTime=0x1d5f971)) [0097.782] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.782] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.782] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.782] GetProcessHeap () returned 0xbc0000 [0097.782] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.782] GetSystemDefaultLangID () returned 0xbd0409 [0097.782] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.782] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.783] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.783] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.783] GetProcessHeap () returned 0xbc0000 [0097.783] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.783] CloseHandle (hObject=0x270) returned 1 [0097.784] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0097.784] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0097.784] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0097.784] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.784] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.784] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.015.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.015.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.015.etl.nefilim")) returned 1 [0097.785] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.785] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.785] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x5ca8efbc, ftLastAccessTime.dwHighDateTime=0x1d47c32, ftLastWriteTime.dwLowDateTime=0x8784f695, ftLastWriteTime.dwHighDateTime=0x1d47c32, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.016.etl", cAlternateFileName="UP9D42~1.ETL")) returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2=".") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="..") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="...") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="windows") returned -1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="rsa") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="NTDETECT.COM") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="ntldr") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="MSDOS.SYS") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="IO.SYS") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="boot.ini") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="ntuser.dat") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="desktop.ini") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="CONFIG.SYS") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="RECYCLER") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="bootmgr") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="programdata") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="appdata") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="program files") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="program files (x86)") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="microsoft") returned 1 [0097.785] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="sophos") returned 1 [0097.786] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.786] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.786] PathFindExtensionW (pszPath="UpdateSessionOrchestration.016.etl") returned=".etl" [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.786] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.786] lstrcmpiW (lpString1="UpdateSessionOrchestration.016.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.786] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.786] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.016.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.786] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=12288) returned 1 [0097.786] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.786] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0097.786] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.786] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0097.786] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0097.787] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ee0 [0097.787] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.787] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ee0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ee0*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.788] GetTickCount () returned 0x1159a29 [0097.788] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e490 [0097.788] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e490 | out: hHeap=0x2680000) returned 1 [0097.788] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.788] SetLastError (dwErrCode=0x0) [0097.788] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.789] GetLastError () returned 0x0 [0097.789] GetLastError () returned 0x0 [0097.789] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.789] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ee0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.789] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.789] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3546cdf1, dwHighDateTime=0x1d5f971)) [0097.789] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.789] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.789] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.789] GetProcessHeap () returned 0xbc0000 [0097.789] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3000) returned 0xbf2638 [0097.790] GetSystemDefaultLangID () returned 0xbd0409 [0097.790] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.790] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3000, lpOverlapped=0x0) returned 1 [0097.792] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.792] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3000, lpOverlapped=0x0) returned 1 [0097.792] GetProcessHeap () returned 0xbc0000 [0097.792] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.792] CloseHandle (hObject=0x270) returned 1 [0097.793] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0097.793] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ee0 | out: hHeap=0x2680000) returned 1 [0097.793] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.793] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0097.793] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.793] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.016.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.016.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.016.etl.nefilim")) returned 1 [0097.796] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.796] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.796] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x4346f4fe, ftLastAccessTime.dwHighDateTime=0x1d41dc4, ftLastWriteTime.dwLowDateTime=0x4346f4fe, ftLastWriteTime.dwHighDateTime=0x1d41dc4, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.017.etl", cAlternateFileName="UPB8BA~1.ETL")) returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2=".") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="..") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="...") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="windows") returned -1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="rsa") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="NTDETECT.COM") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="ntldr") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="MSDOS.SYS") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="IO.SYS") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="boot.ini") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="ntuser.dat") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="desktop.ini") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="CONFIG.SYS") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="RECYCLER") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="bootmgr") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="programdata") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="appdata") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="program files") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="program files (x86)") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="microsoft") returned 1 [0097.796] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="sophos") returned 1 [0097.796] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.796] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.797] PathFindExtensionW (pszPath="UpdateSessionOrchestration.017.etl") returned=".etl" [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.797] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.797] lstrcmpiW (lpString1="UpdateSessionOrchestration.017.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.797] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.797] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.017.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.017.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.797] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.797] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.797] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0097.797] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.797] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0097.797] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0097.797] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0097.797] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.799] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.800] GetTickCount () returned 0x1159a39 [0097.800] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e500 [0097.800] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e500 | out: hHeap=0x2680000) returned 1 [0097.800] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.800] SetLastError (dwErrCode=0x0) [0097.800] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.801] GetLastError () returned 0x0 [0097.801] GetLastError () returned 0x0 [0097.801] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.801] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.801] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.801] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x35492ee6, dwHighDateTime=0x1d5f971)) [0097.801] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.801] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.801] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.801] GetProcessHeap () returned 0xbc0000 [0097.801] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.801] GetSystemDefaultLangID () returned 0xbd0409 [0097.801] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.801] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.847] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.847] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.847] GetProcessHeap () returned 0xbc0000 [0097.847] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.847] CloseHandle (hObject=0x270) returned 1 [0097.849] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0097.849] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0097.849] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.849] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0097.849] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.849] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.017.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.017.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.017.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.017.etl.nefilim")) returned 1 [0097.850] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.850] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.850] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x745a10f, ftLastAccessTime.dwHighDateTime=0x1d3aafc, ftLastWriteTime.dwLowDateTime=0x318cac0d, ftLastWriteTime.dwHighDateTime=0x1d3aafc, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.018.etl", cAlternateFileName="UPAC79~1.ETL")) returned 1 [0097.850] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2=".") returned 1 [0097.850] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="..") returned 1 [0097.850] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="...") returned 1 [0097.850] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="windows") returned -1 [0097.850] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.850] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="rsa") returned 1 [0097.850] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="NTDETECT.COM") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="ntldr") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="MSDOS.SYS") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="IO.SYS") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="boot.ini") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="ntuser.dat") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="desktop.ini") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="CONFIG.SYS") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="RECYCLER") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="bootmgr") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="programdata") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="appdata") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="program files") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="program files (x86)") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="microsoft") returned 1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="sophos") returned 1 [0097.851] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.851] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.851] PathFindExtensionW (pszPath="UpdateSessionOrchestration.018.etl") returned=".etl" [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.851] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.851] lstrcmpiW (lpString1="UpdateSessionOrchestration.018.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.852] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.852] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.018.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.018.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.852] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=12288) returned 1 [0097.852] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.852] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0097.852] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.852] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0097.852] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0097.852] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0097.852] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.852] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.853] GetTickCount () returned 0x1159a68 [0097.853] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0097.853] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0097.853] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.853] SetLastError (dwErrCode=0x0) [0097.853] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.854] GetLastError () returned 0x0 [0097.854] GetLastError () returned 0x0 [0097.854] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.854] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.854] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.854] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x355057f6, dwHighDateTime=0x1d5f971)) [0097.854] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.854] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.854] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.854] GetProcessHeap () returned 0xbc0000 [0097.854] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3000) returned 0xbf2638 [0097.854] GetSystemDefaultLangID () returned 0xbd0409 [0097.854] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.854] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3000, lpOverlapped=0x0) returned 1 [0097.855] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.856] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3000, lpOverlapped=0x0) returned 1 [0097.856] GetProcessHeap () returned 0xbc0000 [0097.856] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.856] CloseHandle (hObject=0x270) returned 1 [0097.857] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0097.857] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0097.857] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.857] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0097.857] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.857] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.018.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.018.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.018.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.018.etl.nefilim")) returned 1 [0097.857] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.857] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.857] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd59be406, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0xd59be406, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.019.etl", cAlternateFileName="UP1E42~1.ETL")) returned 1 [0097.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2=".") returned 1 [0097.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="..") returned 1 [0097.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="...") returned 1 [0097.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="windows") returned -1 [0097.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="rsa") returned 1 [0097.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="NTDETECT.COM") returned 1 [0097.857] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="ntldr") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="MSDOS.SYS") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="IO.SYS") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="boot.ini") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="ntuser.dat") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="desktop.ini") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="CONFIG.SYS") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="RECYCLER") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="bootmgr") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="programdata") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="appdata") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="program files") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="program files (x86)") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="microsoft") returned 1 [0097.858] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="sophos") returned 1 [0097.858] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.858] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.858] PathFindExtensionW (pszPath="UpdateSessionOrchestration.019.etl") returned=".etl" [0097.858] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.858] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.858] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.858] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.859] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.859] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.859] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.859] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.859] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.859] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.859] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.859] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.859] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.859] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.859] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.859] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.859] lstrcmpiW (lpString1="UpdateSessionOrchestration.019.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.859] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.859] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.019.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.019.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.859] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=4096) returned 1 [0097.859] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0097.859] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.859] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0097.859] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.859] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ee0 [0097.859] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0097.859] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ee0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ee0*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.860] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.861] GetTickCount () returned 0x1159a77 [0097.861] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e490 [0097.861] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e490 | out: hHeap=0x2680000) returned 1 [0097.861] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.861] SetLastError (dwErrCode=0x0) [0097.861] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ee0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.862] GetLastError () returned 0x0 [0097.862] GetLastError () returned 0x0 [0097.862] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.862] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.862] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.862] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3552bb12, dwHighDateTime=0x1d5f971)) [0097.862] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.862] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.862] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.862] GetProcessHeap () returned 0xbc0000 [0097.862] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1000) returned 0xbf2638 [0097.863] GetSystemDefaultLangID () returned 0xbd0409 [0097.863] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.863] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x1000, lpOverlapped=0x0) returned 1 [0097.864] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.864] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x1000, lpOverlapped=0x0) returned 1 [0097.864] GetProcessHeap () returned 0xbc0000 [0097.864] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.864] CloseHandle (hObject=0x270) returned 1 [0097.869] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ee0 | out: hHeap=0x2680000) returned 1 [0097.869] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0097.869] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0097.869] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.869] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.019.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.019.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.019.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.019.etl.nefilim")) returned 1 [0097.870] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.870] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.870] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x198319d2, ftLastAccessTime.dwHighDateTime=0x1d39f5e, ftLastWriteTime.dwLowDateTime=0x3f449663, ftLastWriteTime.dwHighDateTime=0x1d39f5e, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.020.etl", cAlternateFileName="UP597C~1.ETL")) returned 1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2=".") returned 1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="..") returned 1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="...") returned 1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="windows") returned -1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="rsa") returned 1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="NTDETECT.COM") returned 1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="ntldr") returned 1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="MSDOS.SYS") returned 1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="IO.SYS") returned 1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="boot.ini") returned 1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="ntuser.dat") returned 1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="desktop.ini") returned 1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="CONFIG.SYS") returned 1 [0097.870] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="RECYCLER") returned 1 [0097.871] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.871] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="bootmgr") returned 1 [0097.871] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="programdata") returned 1 [0097.871] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="appdata") returned 1 [0097.871] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="program files") returned 1 [0097.871] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="program files (x86)") returned 1 [0097.871] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="microsoft") returned 1 [0097.871] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="sophos") returned 1 [0097.871] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.871] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.871] PathFindExtensionW (pszPath="UpdateSessionOrchestration.020.etl") returned=".etl" [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.871] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.871] lstrcmpiW (lpString1="UpdateSessionOrchestration.020.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.871] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.871] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.020.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.020.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.872] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0097.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0097.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.872] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0097.872] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0097.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0097.872] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.873] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.875] GetTickCount () returned 0x1159a87 [0097.875] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e500 [0097.875] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e500 | out: hHeap=0x2680000) returned 1 [0097.875] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.875] SetLastError (dwErrCode=0x0) [0097.875] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.876] GetLastError () returned 0x0 [0097.876] GetLastError () returned 0x0 [0097.876] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.876] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.876] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.876] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x35551cb5, dwHighDateTime=0x1d5f971)) [0097.876] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.876] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.876] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.876] GetProcessHeap () returned 0xbc0000 [0097.876] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0097.876] GetSystemDefaultLangID () returned 0xbd0409 [0097.876] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.876] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0097.878] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.878] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0097.878] GetProcessHeap () returned 0xbc0000 [0097.878] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0097.878] CloseHandle (hObject=0x270) returned 1 [0097.879] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0097.879] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0097.879] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0097.879] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0097.879] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0097.879] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.020.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.020.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.020.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.020.etl.nefilim")) returned 1 [0097.879] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0097.879] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0097.879] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x1c505b8c, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x58b60423, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.021.etl", cAlternateFileName="UP0CB7~1.ETL")) returned 1 [0097.879] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2=".") returned 1 [0097.879] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="..") returned 1 [0097.879] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="...") returned 1 [0097.879] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="windows") returned -1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="$RECYCLE.BIN") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="rsa") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="NTDETECT.COM") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="ntldr") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="MSDOS.SYS") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="IO.SYS") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="boot.ini") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="AUTOEXEC.BAT") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="ntuser.dat") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="desktop.ini") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="CONFIG.SYS") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="RECYCLER") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="BOOTSECT.BAK") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="bootmgr") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="programdata") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="appdata") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="program files") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="program files (x86)") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="microsoft") returned 1 [0097.880] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="sophos") returned 1 [0097.880] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0097.880] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0097.880] PathFindExtensionW (pszPath="UpdateSessionOrchestration.021.etl") returned=".etl" [0097.880] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0097.880] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0097.880] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0097.880] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0097.880] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0097.880] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0097.880] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0097.880] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0097.880] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0097.880] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0097.880] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0097.881] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0097.881] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0097.881] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0097.881] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0097.881] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0097.881] lstrcmpiW (lpString1="UpdateSessionOrchestration.021.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0097.881] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0097.881] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.021.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.021.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0097.881] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=12288) returned 1 [0097.881] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0097.881] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0097.881] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0097.881] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0097.881] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0097.881] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0097.881] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x100) returned 1 [0097.881] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x100) returned 1 [0097.882] GetTickCount () returned 0x1159a87 [0097.882] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0097.882] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0097.882] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.882] SetLastError (dwErrCode=0x0) [0097.882] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.883] GetLastError () returned 0x0 [0097.883] GetLastError () returned 0x0 [0097.883] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.883] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0097.883] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.883] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x35551cb5, dwHighDateTime=0x1d5f971)) [0097.883] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0097.883] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0097.883] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0097.883] GetProcessHeap () returned 0xbc0000 [0097.883] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3000) returned 0xbf2638 [0097.883] GetSystemDefaultLangID () returned 0xbd0409 [0097.883] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0097.883] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3000, lpOverlapped=0x0) returned 1 [0098.001] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.001] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3000, lpOverlapped=0x0) returned 1 [0098.001] GetProcessHeap () returned 0xbc0000 [0098.001] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.001] CloseHandle (hObject=0x270) returned 1 [0098.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0098.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0098.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0098.002] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.002] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.021.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.021.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.021.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.021.etl.nefilim")) returned 1 [0098.003] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.003] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.003] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xdaf93ab4, ftLastAccessTime.dwHighDateTime=0x1d38c43, ftLastWriteTime.dwLowDateTime=0x87be9f6, ftLastWriteTime.dwHighDateTime=0x1d38c44, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.022.etl", cAlternateFileName="UPBE04~1.ETL")) returned 1 [0098.003] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2=".") returned 1 [0098.003] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="..") returned 1 [0098.003] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="...") returned 1 [0098.003] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="windows") returned -1 [0098.003] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.003] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="rsa") returned 1 [0098.003] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="NTDETECT.COM") returned 1 [0098.003] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="ntldr") returned 1 [0098.003] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="MSDOS.SYS") returned 1 [0098.003] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="IO.SYS") returned 1 [0098.003] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="boot.ini") returned 1 [0098.003] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.003] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="ntuser.dat") returned 1 [0098.003] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="desktop.ini") returned 1 [0098.003] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="CONFIG.SYS") returned 1 [0098.004] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="RECYCLER") returned 1 [0098.004] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.004] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="bootmgr") returned 1 [0098.004] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="programdata") returned 1 [0098.004] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="appdata") returned 1 [0098.004] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="program files") returned 1 [0098.004] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="program files (x86)") returned 1 [0098.004] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="microsoft") returned 1 [0098.004] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="sophos") returned 1 [0098.004] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.004] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.004] PathFindExtensionW (pszPath="UpdateSessionOrchestration.022.etl") returned=".etl" [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.004] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.004] lstrcmpiW (lpString1="UpdateSessionOrchestration.022.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.004] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.004] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.022.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.022.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.005] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=12288) returned 1 [0098.005] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.005] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0098.005] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.005] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0098.005] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0098.005] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0098.005] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.005] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.006] GetTickCount () returned 0x1159b04 [0098.006] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e490 [0098.006] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e490 | out: hHeap=0x2680000) returned 1 [0098.006] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.006] SetLastError (dwErrCode=0x0) [0098.006] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.007] GetLastError () returned 0x0 [0098.007] GetLastError () returned 0x0 [0098.007] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.007] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.007] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.007] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x35682cc0, dwHighDateTime=0x1d5f971)) [0098.007] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.007] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.007] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.007] GetProcessHeap () returned 0xbc0000 [0098.007] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3000) returned 0xbf2638 [0098.008] GetSystemDefaultLangID () returned 0xbd0409 [0098.008] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.008] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3000, lpOverlapped=0x0) returned 1 [0098.010] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.010] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3000, lpOverlapped=0x0) returned 1 [0098.010] GetProcessHeap () returned 0xbc0000 [0098.010] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.010] CloseHandle (hObject=0x270) returned 1 [0098.011] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0098.011] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0098.011] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.011] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0098.011] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.011] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.022.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.022.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.022.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.022.etl.nefilim")) returned 1 [0098.012] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.012] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.012] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x1977635c, ftLastAccessTime.dwHighDateTime=0x1d35e03, ftLastWriteTime.dwLowDateTime=0x1977635c, ftLastWriteTime.dwHighDateTime=0x1d35e03, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.023.etl", cAlternateFileName="UPA620~1.ETL")) returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2=".") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="..") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="...") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="windows") returned -1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="rsa") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="NTDETECT.COM") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="ntldr") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="MSDOS.SYS") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="IO.SYS") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="boot.ini") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="ntuser.dat") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="desktop.ini") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="CONFIG.SYS") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="RECYCLER") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="bootmgr") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="programdata") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="appdata") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="program files") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="program files (x86)") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="microsoft") returned 1 [0098.012] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="sophos") returned 1 [0098.012] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.012] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.012] PathFindExtensionW (pszPath="UpdateSessionOrchestration.023.etl") returned=".etl" [0098.012] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.013] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.013] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.013] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.013] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.013] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.013] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.013] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.013] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.013] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.013] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.013] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.013] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.013] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.013] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.013] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.013] lstrcmpiW (lpString1="UpdateSessionOrchestration.023.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.013] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.013] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.023.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.023.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.013] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0098.013] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0098.013] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.013] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0098.013] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.013] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0098.013] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0098.013] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.015] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.016] GetTickCount () returned 0x1159b13 [0098.016] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0098.016] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0098.016] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.016] SetLastError (dwErrCode=0x0) [0098.016] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.017] GetLastError () returned 0x0 [0098.017] GetLastError () returned 0x0 [0098.017] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.017] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.017] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.017] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x356a9167, dwHighDateTime=0x1d5f971)) [0098.017] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.017] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.017] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.017] GetProcessHeap () returned 0xbc0000 [0098.017] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0098.017] GetSystemDefaultLangID () returned 0xbd0409 [0098.017] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.017] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0098.018] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.018] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0098.019] GetProcessHeap () returned 0xbc0000 [0098.019] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.019] CloseHandle (hObject=0x270) returned 1 [0098.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0098.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0098.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0098.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.019] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.019] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.023.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.023.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.023.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.023.etl.nefilim")) returned 1 [0098.020] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.020] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.020] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfc820227, ftLastAccessTime.dwHighDateTime=0x1d3375a, ftLastWriteTime.dwLowDateTime=0x2521b8a4, ftLastWriteTime.dwHighDateTime=0x1d3375b, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.024.etl", cAlternateFileName="UP14AB~1.ETL")) returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2=".") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="..") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="...") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="windows") returned -1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="rsa") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="NTDETECT.COM") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="ntldr") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="MSDOS.SYS") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="IO.SYS") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="boot.ini") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="ntuser.dat") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="desktop.ini") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="CONFIG.SYS") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="RECYCLER") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="bootmgr") returned 1 [0098.020] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="programdata") returned 1 [0098.021] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="appdata") returned 1 [0098.021] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="program files") returned 1 [0098.021] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="program files (x86)") returned 1 [0098.021] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="microsoft") returned 1 [0098.021] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="sophos") returned 1 [0098.021] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.021] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.021] PathFindExtensionW (pszPath="UpdateSessionOrchestration.024.etl") returned=".etl" [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.021] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.021] lstrcmpiW (lpString1="UpdateSessionOrchestration.024.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.021] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.021] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.024.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.024.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.021] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=12288) returned 1 [0098.021] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.021] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0098.022] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.022] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0098.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ee0 [0098.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0098.022] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ee0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ee0*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.022] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.022] GetTickCount () returned 0x1159b13 [0098.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6f8 [0098.022] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f8 | out: hHeap=0x2680000) returned 1 [0098.022] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.022] SetLastError (dwErrCode=0x0) [0098.022] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ee0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.023] GetLastError () returned 0x0 [0098.023] GetLastError () returned 0x0 [0098.023] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.023] WriteFile (in: hFile=0x270, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.023] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.023] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x356a9167, dwHighDateTime=0x1d5f971)) [0098.023] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.023] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.023] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.024] GetProcessHeap () returned 0xbc0000 [0098.024] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3000) returned 0xbf2638 [0098.024] GetSystemDefaultLangID () returned 0xbd0409 [0098.024] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.024] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3000, lpOverlapped=0x0) returned 1 [0098.025] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.025] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3000, lpOverlapped=0x0) returned 1 [0098.025] GetProcessHeap () returned 0xbc0000 [0098.025] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.025] CloseHandle (hObject=0x270) returned 1 [0098.026] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ee0 | out: hHeap=0x2680000) returned 1 [0098.026] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0098.026] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.026] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0098.026] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.026] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.024.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.024.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.024.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.024.etl.nefilim")) returned 1 [0098.027] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.027] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.027] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xfd9caf15, ftLastAccessTime.dwHighDateTime=0x1d336df, ftLastWriteTime.dwLowDateTime=0xfd9caf15, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x1000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.025.etl", cAlternateFileName="UP4198~1.ETL")) returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2=".") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="..") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="...") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="windows") returned -1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="rsa") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="NTDETECT.COM") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="ntldr") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="MSDOS.SYS") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="IO.SYS") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="boot.ini") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="ntuser.dat") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="desktop.ini") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="CONFIG.SYS") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="RECYCLER") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="bootmgr") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="programdata") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="appdata") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="program files") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="program files (x86)") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="microsoft") returned 1 [0098.027] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="sophos") returned 1 [0098.027] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.027] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.027] PathFindExtensionW (pszPath="UpdateSessionOrchestration.025.etl") returned=".etl" [0098.027] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.028] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.028] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.028] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.028] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.028] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.028] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.028] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.028] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.028] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.028] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.028] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.028] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.028] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.028] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.028] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.028] lstrcmpiW (lpString1="UpdateSessionOrchestration.025.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.028] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.028] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.025.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.025.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.028] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=4096) returned 1 [0098.028] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.028] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0098.028] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.028] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0098.028] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0098.028] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0098.028] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.029] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.030] GetTickCount () returned 0x1159b23 [0098.030] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0098.030] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0098.030] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.030] SetLastError (dwErrCode=0x0) [0098.030] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.031] GetLastError () returned 0x0 [0098.031] GetLastError () returned 0x0 [0098.031] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.031] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.031] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.031] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x356cf3da, dwHighDateTime=0x1d5f971)) [0098.031] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.031] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.031] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.031] GetProcessHeap () returned 0xbc0000 [0098.031] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1000) returned 0xbf2638 [0098.032] GetSystemDefaultLangID () returned 0xbd0409 [0098.032] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.032] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x1000, lpOverlapped=0x0) returned 1 [0098.033] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.033] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x1000, lpOverlapped=0x0) returned 1 [0098.033] GetProcessHeap () returned 0xbc0000 [0098.033] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.033] CloseHandle (hObject=0x270) returned 1 [0098.034] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0098.034] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0098.034] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.034] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0098.034] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.034] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.025.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.025.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.025.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.025.etl.nefilim")) returned 1 [0098.035] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.035] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.035] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xda210f79, ftLastAccessTime.dwHighDateTime=0x1d336d6, ftLastWriteTime.dwLowDateTime=0xb10a27a8, ftLastWriteTime.dwHighDateTime=0x1d336df, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.026.etl", cAlternateFileName="UP96CC~1.ETL")) returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2=".") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="..") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="...") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="windows") returned -1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="rsa") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="NTDETECT.COM") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="ntldr") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="MSDOS.SYS") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="IO.SYS") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="boot.ini") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="ntuser.dat") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="desktop.ini") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="CONFIG.SYS") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="RECYCLER") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="bootmgr") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="programdata") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="appdata") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="program files") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="program files (x86)") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="microsoft") returned 1 [0098.035] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="sophos") returned 1 [0098.035] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.035] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.035] PathFindExtensionW (pszPath="UpdateSessionOrchestration.026.etl") returned=".etl" [0098.035] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.036] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.036] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.036] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.036] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.036] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.036] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.036] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.036] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.036] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.036] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.036] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.036] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.036] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.036] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.036] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.036] lstrcmpiW (lpString1="UpdateSessionOrchestration.026.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.036] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.036] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.026.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.026.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.036] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=20480) returned 1 [0098.036] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.036] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0098.036] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.036] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0098.036] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0098.036] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0098.036] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.038] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.039] GetTickCount () returned 0x1159b23 [0098.039] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e420 [0098.039] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e420 | out: hHeap=0x2680000) returned 1 [0098.039] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x5000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.039] SetLastError (dwErrCode=0x0) [0098.039] WriteFile (in: hFile=0x270, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.040] GetLastError () returned 0x0 [0098.040] GetLastError () returned 0x0 [0098.040] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x5100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.040] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.040] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x5200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.040] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x356cf3da, dwHighDateTime=0x1d5f971)) [0098.040] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.040] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.040] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.040] GetProcessHeap () returned 0xbc0000 [0098.040] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x5000) returned 0xbf2638 [0098.040] GetSystemDefaultLangID () returned 0xbd0409 [0098.040] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.040] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x5000, lpOverlapped=0x0) returned 1 [0098.088] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.088] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x5000, lpOverlapped=0x0) returned 1 [0098.089] GetProcessHeap () returned 0xbc0000 [0098.089] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.089] CloseHandle (hObject=0x270) returned 1 [0098.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0098.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0098.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0f0 | out: hHeap=0x2680000) returned 1 [0098.090] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.090] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.026.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.026.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.026.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.026.etl.nefilim")) returned 1 [0098.091] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.091] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.091] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xe0798fd2, ftLastAccessTime.dwHighDateTime=0x1d327e8, ftLastWriteTime.dwLowDateTime=0x79d33ce, ftLastWriteTime.dwHighDateTime=0x1d327e9, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.027.etl", cAlternateFileName="UP7B54~1.ETL")) returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2=".") returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="..") returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="...") returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="windows") returned -1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="rsa") returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="NTDETECT.COM") returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="ntldr") returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="MSDOS.SYS") returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="IO.SYS") returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="boot.ini") returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="ntuser.dat") returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="desktop.ini") returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="CONFIG.SYS") returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="RECYCLER") returned 1 [0098.091] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.092] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="bootmgr") returned 1 [0098.092] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="programdata") returned 1 [0098.092] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="appdata") returned 1 [0098.092] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="program files") returned 1 [0098.092] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="program files (x86)") returned 1 [0098.092] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="microsoft") returned 1 [0098.092] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="sophos") returned 1 [0098.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.092] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.092] PathFindExtensionW (pszPath="UpdateSessionOrchestration.027.etl") returned=".etl" [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.092] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.092] lstrcmpiW (lpString1="UpdateSessionOrchestration.027.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.093] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.093] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.027.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.027.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.093] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0098.093] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.093] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0098.093] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.093] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0098.093] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0098.093] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0098.093] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.093] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.093] GetTickCount () returned 0x1159b62 [0098.094] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0098.094] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0098.094] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.094] SetLastError (dwErrCode=0x0) [0098.094] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.095] GetLastError () returned 0x0 [0098.095] GetLastError () returned 0x0 [0098.095] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.095] WriteFile (in: hFile=0x270, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.095] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.095] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x35767dc6, dwHighDateTime=0x1d5f971)) [0098.095] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.095] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.095] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.095] GetProcessHeap () returned 0xbc0000 [0098.095] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0098.095] GetSystemDefaultLangID () returned 0xbd0409 [0098.095] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.095] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0098.097] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.097] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0098.097] GetProcessHeap () returned 0xbc0000 [0098.097] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.097] CloseHandle (hObject=0x270) returned 1 [0098.098] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0098.098] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0098.098] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.098] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0098.098] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.098] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.027.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.027.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.027.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.027.etl.nefilim")) returned 1 [0098.099] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.099] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.099] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xd7a24386, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0x56762f51, ftLastWriteTime.dwHighDateTime=0x1d327d1, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.028.etl", cAlternateFileName="UPC098~1.ETL")) returned 1 [0098.099] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2=".") returned 1 [0098.099] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="..") returned 1 [0098.099] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="...") returned 1 [0098.099] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="windows") returned -1 [0098.099] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.099] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="rsa") returned 1 [0098.099] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="NTDETECT.COM") returned 1 [0098.099] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="ntldr") returned 1 [0098.099] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="MSDOS.SYS") returned 1 [0098.099] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="IO.SYS") returned 1 [0098.099] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="boot.ini") returned 1 [0098.099] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.099] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="ntuser.dat") returned 1 [0098.099] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="desktop.ini") returned 1 [0098.099] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="CONFIG.SYS") returned 1 [0098.100] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="RECYCLER") returned 1 [0098.100] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.100] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="bootmgr") returned 1 [0098.100] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="programdata") returned 1 [0098.100] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="appdata") returned 1 [0098.100] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="program files") returned 1 [0098.100] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="program files (x86)") returned 1 [0098.100] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="microsoft") returned 1 [0098.100] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="sophos") returned 1 [0098.100] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.100] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.100] PathFindExtensionW (pszPath="UpdateSessionOrchestration.028.etl") returned=".etl" [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.100] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.100] lstrcmpiW (lpString1="UpdateSessionOrchestration.028.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.100] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.100] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.028.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.028.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.101] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=16384) returned 1 [0098.101] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0098.101] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.101] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0098.101] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.101] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0098.101] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0098.101] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.101] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.102] GetTickCount () returned 0x1159b62 [0098.102] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0098.102] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0098.102] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.102] SetLastError (dwErrCode=0x0) [0098.102] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.103] GetLastError () returned 0x0 [0098.103] GetLastError () returned 0x0 [0098.103] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.103] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.103] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.103] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x35767dc6, dwHighDateTime=0x1d5f971)) [0098.103] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.103] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.103] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.104] GetProcessHeap () returned 0xbc0000 [0098.104] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x4000) returned 0xbf2638 [0098.104] GetSystemDefaultLangID () returned 0xbd0409 [0098.104] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.104] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x4000, lpOverlapped=0x0) returned 1 [0098.106] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.106] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x4000, lpOverlapped=0x0) returned 1 [0098.106] GetProcessHeap () returned 0xbc0000 [0098.106] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.107] CloseHandle (hObject=0x270) returned 1 [0098.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0098.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0098.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0098.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.108] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.108] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.028.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.028.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.028.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.028.etl.nefilim")) returned 1 [0098.109] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.109] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.109] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x1fc4717b, ftLastAccessTime.dwHighDateTime=0x1d327c0, ftLastWriteTime.dwLowDateTime=0x46bc7f04, ftLastWriteTime.dwHighDateTime=0x1d327c0, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.029.etl", cAlternateFileName="UP16CC~1.ETL")) returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2=".") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="..") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="...") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="windows") returned -1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="rsa") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="NTDETECT.COM") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="ntldr") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="MSDOS.SYS") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="IO.SYS") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="boot.ini") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="ntuser.dat") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="desktop.ini") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="CONFIG.SYS") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="RECYCLER") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="bootmgr") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="programdata") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="appdata") returned 1 [0098.109] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="program files") returned 1 [0098.110] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="program files (x86)") returned 1 [0098.110] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="microsoft") returned 1 [0098.110] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="sophos") returned 1 [0098.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.110] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.110] PathFindExtensionW (pszPath="UpdateSessionOrchestration.029.etl") returned=".etl" [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.110] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.110] lstrcmpiW (lpString1="UpdateSessionOrchestration.029.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.110] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.029.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.029.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.110] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0098.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0098.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.110] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0098.111] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.111] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0098.111] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0098.111] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.112] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.114] GetTickCount () returned 0x1159b71 [0098.114] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e618 [0098.114] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e618 | out: hHeap=0x2680000) returned 1 [0098.114] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.114] SetLastError (dwErrCode=0x0) [0098.114] WriteFile (in: hFile=0x270, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.115] GetLastError () returned 0x0 [0098.115] GetLastError () returned 0x0 [0098.115] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.115] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.115] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.115] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3578ed10, dwHighDateTime=0x1d5f971)) [0098.115] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.115] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.115] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.115] GetProcessHeap () returned 0xbc0000 [0098.115] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0098.115] GetSystemDefaultLangID () returned 0xbd0409 [0098.115] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.115] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0098.116] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.116] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0098.116] GetProcessHeap () returned 0xbc0000 [0098.116] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.116] CloseHandle (hObject=0x270) returned 1 [0098.117] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0098.117] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0098.117] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0098.117] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.117] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.117] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.029.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.029.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.029.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.029.etl.nefilim")) returned 1 [0098.118] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.118] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.118] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x22cb9437, ftLastAccessTime.dwHighDateTime=0x1d327bf, ftLastWriteTime.dwLowDateTime=0x911dff9b, ftLastWriteTime.dwHighDateTime=0x1d327bf, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.030.etl", cAlternateFileName="UPDA92~1.ETL")) returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2=".") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="..") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="...") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="windows") returned -1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="rsa") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="NTDETECT.COM") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="ntldr") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="MSDOS.SYS") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="IO.SYS") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="boot.ini") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="ntuser.dat") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="desktop.ini") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="CONFIG.SYS") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="RECYCLER") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="bootmgr") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="programdata") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="appdata") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="program files") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="program files (x86)") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="microsoft") returned 1 [0098.118] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="sophos") returned 1 [0098.118] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.118] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.118] PathFindExtensionW (pszPath="UpdateSessionOrchestration.030.etl") returned=".etl" [0098.118] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.118] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.119] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.119] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.119] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.119] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.119] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.119] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.119] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.119] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.119] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.119] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.119] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.119] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.119] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.119] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.119] lstrcmpiW (lpString1="UpdateSessionOrchestration.030.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.119] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.119] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.030.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.030.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.119] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=12288) returned 1 [0098.119] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.119] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0098.119] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.119] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0098.119] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0098.119] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0098.119] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.120] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.120] GetTickCount () returned 0x1159b71 [0098.120] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e490 [0098.120] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e490 | out: hHeap=0x2680000) returned 1 [0098.120] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.120] SetLastError (dwErrCode=0x0) [0098.120] WriteFile (in: hFile=0x270, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.121] GetLastError () returned 0x0 [0098.121] GetLastError () returned 0x0 [0098.121] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.121] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.121] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.121] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3578ed10, dwHighDateTime=0x1d5f971)) [0098.121] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.121] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.121] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.121] GetProcessHeap () returned 0xbc0000 [0098.121] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3000) returned 0xbf2638 [0098.121] GetSystemDefaultLangID () returned 0xbd0409 [0098.121] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.121] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3000, lpOverlapped=0x0) returned 1 [0098.157] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.157] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3000, lpOverlapped=0x0) returned 1 [0098.157] GetProcessHeap () returned 0xbc0000 [0098.158] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.158] CloseHandle (hObject=0x270) returned 1 [0098.159] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0098.159] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0098.159] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.159] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0098.159] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.159] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.030.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.030.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.030.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.030.etl.nefilim")) returned 1 [0098.160] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.160] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.160] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x8f4581c2, ftLastAccessTime.dwHighDateTime=0x1d327b9, ftLastWriteTime.dwLowDateTime=0xb62eafb0, ftLastWriteTime.dwHighDateTime=0x1d327b9, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.031.etl", cAlternateFileName="UPBF2A~1.ETL")) returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2=".") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="..") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="...") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="windows") returned -1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="rsa") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="NTDETECT.COM") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="ntldr") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="MSDOS.SYS") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="IO.SYS") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="boot.ini") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="ntuser.dat") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="desktop.ini") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="CONFIG.SYS") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="RECYCLER") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="bootmgr") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="programdata") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="appdata") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="program files") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="program files (x86)") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="microsoft") returned 1 [0098.160] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="sophos") returned 1 [0098.161] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.161] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.161] PathFindExtensionW (pszPath="UpdateSessionOrchestration.031.etl") returned=".etl" [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.161] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.161] lstrcmpiW (lpString1="UpdateSessionOrchestration.031.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.161] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.161] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.031.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.031.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.161] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0098.161] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.161] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0098.161] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.161] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0098.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0098.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0098.162] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.162] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.163] GetTickCount () returned 0x1159ba0 [0098.163] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e618 [0098.163] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e618 | out: hHeap=0x2680000) returned 1 [0098.163] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.163] SetLastError (dwErrCode=0x0) [0098.163] WriteFile (in: hFile=0x270, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.164] GetLastError () returned 0x0 [0098.164] GetLastError () returned 0x0 [0098.164] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.164] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.164] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.164] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x358005fd, dwHighDateTime=0x1d5f971)) [0098.164] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.164] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.164] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.164] GetProcessHeap () returned 0xbc0000 [0098.164] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0098.165] GetSystemDefaultLangID () returned 0xbd0409 [0098.165] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.165] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0098.166] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.166] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0098.166] GetProcessHeap () returned 0xbc0000 [0098.166] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.166] CloseHandle (hObject=0x270) returned 1 [0098.168] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0098.168] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0098.168] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.168] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0098.168] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.168] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.031.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.031.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.031.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.031.etl.nefilim")) returned 1 [0098.168] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.168] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.168] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x7f83b96b, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x82808de1, ftLastWriteTime.dwHighDateTime=0x1d327b7, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.032.etl", cAlternateFileName="UP750B~1.ETL")) returned 1 [0098.168] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2=".") returned 1 [0098.168] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="..") returned 1 [0098.168] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="...") returned 1 [0098.168] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="windows") returned -1 [0098.168] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="rsa") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="NTDETECT.COM") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="ntldr") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="MSDOS.SYS") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="IO.SYS") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="boot.ini") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="ntuser.dat") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="desktop.ini") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="CONFIG.SYS") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="RECYCLER") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="bootmgr") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="programdata") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="appdata") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="program files") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="program files (x86)") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="microsoft") returned 1 [0098.169] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="sophos") returned 1 [0098.169] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.169] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.169] PathFindExtensionW (pszPath="UpdateSessionOrchestration.032.etl") returned=".etl" [0098.169] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.169] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.169] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.169] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.169] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.169] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.169] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.169] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.169] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.169] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.169] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.169] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.169] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.169] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.169] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.170] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.170] lstrcmpiW (lpString1="UpdateSessionOrchestration.032.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.170] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.170] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.032.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.032.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.170] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0098.170] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.170] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0098.170] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.170] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0098.170] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0098.170] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0098.170] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.171] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.173] GetTickCount () returned 0x1159bb0 [0098.173] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0098.173] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0098.173] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.173] SetLastError (dwErrCode=0x0) [0098.173] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.174] GetLastError () returned 0x0 [0098.174] GetLastError () returned 0x0 [0098.174] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.174] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.174] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.174] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x358267f9, dwHighDateTime=0x1d5f971)) [0098.174] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.174] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.174] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.174] GetProcessHeap () returned 0xbc0000 [0098.174] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0098.174] GetSystemDefaultLangID () returned 0xbd0409 [0098.174] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.174] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0098.175] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.175] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0098.175] GetProcessHeap () returned 0xbc0000 [0098.175] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.175] CloseHandle (hObject=0x270) returned 1 [0098.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0098.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0098.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0098.176] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.176] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.032.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.032.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.032.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.032.etl.nefilim")) returned 1 [0098.177] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.177] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.177] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xcae2810e, ftLastAccessTime.dwHighDateTime=0x1d327b5, ftLastWriteTime.dwLowDateTime=0xf21e09d1, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.033.etl", cAlternateFileName="UP6487~1.ETL")) returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2=".") returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="..") returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="...") returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="windows") returned -1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="rsa") returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="NTDETECT.COM") returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="ntldr") returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="MSDOS.SYS") returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="IO.SYS") returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="boot.ini") returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="ntuser.dat") returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="desktop.ini") returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="CONFIG.SYS") returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="RECYCLER") returned 1 [0098.177] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.178] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="bootmgr") returned 1 [0098.178] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="programdata") returned 1 [0098.178] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="appdata") returned 1 [0098.178] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="program files") returned 1 [0098.178] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="program files (x86)") returned 1 [0098.178] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="microsoft") returned 1 [0098.178] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="sophos") returned 1 [0098.178] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.178] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.178] PathFindExtensionW (pszPath="UpdateSessionOrchestration.033.etl") returned=".etl" [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.178] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.178] lstrcmpiW (lpString1="UpdateSessionOrchestration.033.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.178] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.178] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.033.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.033.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.179] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0098.179] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0098.179] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.179] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0098.179] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.179] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0098.179] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0098.179] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.179] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.179] GetTickCount () returned 0x1159bb0 [0098.179] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0098.179] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0098.179] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.179] SetLastError (dwErrCode=0x0) [0098.179] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.180] GetLastError () returned 0x0 [0098.180] GetLastError () returned 0x0 [0098.180] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.180] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.180] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.181] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x358267f9, dwHighDateTime=0x1d5f971)) [0098.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.181] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.181] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.181] GetProcessHeap () returned 0xbc0000 [0098.181] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0098.181] GetSystemDefaultLangID () returned 0xbd0409 [0098.181] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.181] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0098.182] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.182] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0098.182] GetProcessHeap () returned 0xbc0000 [0098.182] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.182] CloseHandle (hObject=0x270) returned 1 [0098.183] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0098.183] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0098.183] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0098.183] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.183] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.183] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.033.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.033.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.033.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.033.etl.nefilim")) returned 1 [0098.184] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.184] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.184] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xcd491119, ftLastAccessTime.dwHighDateTime=0x1d327b4, ftLastWriteTime.dwLowDateTime=0x2e5f9ec7, ftLastWriteTime.dwHighDateTime=0x1d327b5, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.034.etl", cAlternateFileName="UPDATE~4.ETL")) returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2=".") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="..") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="...") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="windows") returned -1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="rsa") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="NTDETECT.COM") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="ntldr") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="MSDOS.SYS") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="IO.SYS") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="boot.ini") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="ntuser.dat") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="desktop.ini") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="CONFIG.SYS") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="RECYCLER") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="bootmgr") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="programdata") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="appdata") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="program files") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="program files (x86)") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="microsoft") returned 1 [0098.184] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="sophos") returned 1 [0098.184] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.184] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.184] PathFindExtensionW (pszPath="UpdateSessionOrchestration.034.etl") returned=".etl" [0098.184] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.184] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.184] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.184] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.184] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.185] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.185] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.185] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.185] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.185] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.185] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.185] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.185] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.185] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.185] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.185] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.185] lstrcmpiW (lpString1="UpdateSessionOrchestration.034.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.185] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.185] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.034.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.034.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.185] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=16384) returned 1 [0098.185] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.185] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0098.185] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.185] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0098.185] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0098.185] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0098.185] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.185] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.187] GetTickCount () returned 0x1159bbf [0098.187] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0098.187] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0098.187] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.187] SetLastError (dwErrCode=0x0) [0098.187] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.188] GetLastError () returned 0x0 [0098.188] GetLastError () returned 0x0 [0098.188] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.188] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.188] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.188] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3584cb74, dwHighDateTime=0x1d5f971)) [0098.188] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.188] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.188] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.188] GetProcessHeap () returned 0xbc0000 [0098.188] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x4000) returned 0xbf2638 [0098.189] GetSystemDefaultLangID () returned 0xbd0409 [0098.189] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.189] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x4000, lpOverlapped=0x0) returned 1 [0098.191] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.191] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x4000, lpOverlapped=0x0) returned 1 [0098.191] GetProcessHeap () returned 0xbc0000 [0098.191] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.192] CloseHandle (hObject=0x270) returned 1 [0098.197] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0098.197] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0098.198] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.198] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0098.198] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.198] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.034.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.034.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.034.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.034.etl.nefilim")) returned 1 [0098.198] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.198] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.198] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xb30910b4, ftLastAccessTime.dwHighDateTime=0x1d3278b, ftLastWriteTime.dwLowDateTime=0xe1a1828d, ftLastWriteTime.dwHighDateTime=0x1d3278b, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.035.etl", cAlternateFileName="UPDATE~3.ETL")) returned 1 [0098.198] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2=".") returned 1 [0098.198] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="..") returned 1 [0098.198] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="...") returned 1 [0098.198] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="windows") returned -1 [0098.198] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.198] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="rsa") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="NTDETECT.COM") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="ntldr") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="MSDOS.SYS") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="IO.SYS") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="boot.ini") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="ntuser.dat") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="desktop.ini") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="CONFIG.SYS") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="RECYCLER") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="bootmgr") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="programdata") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="appdata") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="program files") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="program files (x86)") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="microsoft") returned 1 [0098.199] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="sophos") returned 1 [0098.199] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.199] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.199] PathFindExtensionW (pszPath="UpdateSessionOrchestration.035.etl") returned=".etl" [0098.199] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.199] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.199] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.199] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.199] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.199] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.199] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.199] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.199] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.199] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.199] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.199] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.199] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.199] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.199] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.200] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.200] lstrcmpiW (lpString1="UpdateSessionOrchestration.035.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.200] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.200] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.035.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.035.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.200] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=16384) returned 1 [0098.200] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0098.200] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.200] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0098.200] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.200] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0098.200] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0098.200] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.236] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.237] GetTickCount () returned 0x1159bee [0098.237] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0098.237] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0098.237] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.237] SetLastError (dwErrCode=0x0) [0098.237] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.238] GetLastError () returned 0x0 [0098.238] GetLastError () returned 0x0 [0098.238] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.238] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.238] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.238] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x358bf28b, dwHighDateTime=0x1d5f971)) [0098.238] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.239] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.239] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.239] GetProcessHeap () returned 0xbc0000 [0098.239] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x4000) returned 0xbf2638 [0098.239] GetSystemDefaultLangID () returned 0xbd0409 [0098.239] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.239] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x4000, lpOverlapped=0x0) returned 1 [0098.240] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.241] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x4000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x4000, lpOverlapped=0x0) returned 1 [0098.241] GetProcessHeap () returned 0xbc0000 [0098.241] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.241] CloseHandle (hObject=0x270) returned 1 [0098.242] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0098.242] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0098.242] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0098.242] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.242] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.242] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.035.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.035.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.035.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.035.etl.nefilim")) returned 1 [0098.243] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.243] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.243] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xbda7099b, ftLastAccessTime.dwHighDateTime=0x1d32746, ftLastWriteTime.dwLowDateTime=0xe19a12b7, ftLastWriteTime.dwHighDateTime=0x1d32746, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.036.etl", cAlternateFileName="UPDATE~2.ETL")) returned 1 [0098.243] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2=".") returned 1 [0098.243] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="..") returned 1 [0098.243] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="...") returned 1 [0098.243] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="windows") returned -1 [0098.243] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.243] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="rsa") returned 1 [0098.243] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="NTDETECT.COM") returned 1 [0098.243] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="ntldr") returned 1 [0098.243] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="MSDOS.SYS") returned 1 [0098.243] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="IO.SYS") returned 1 [0098.243] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="boot.ini") returned 1 [0098.243] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.244] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="ntuser.dat") returned 1 [0098.244] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="desktop.ini") returned 1 [0098.244] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="CONFIG.SYS") returned 1 [0098.244] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="RECYCLER") returned 1 [0098.244] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.244] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="bootmgr") returned 1 [0098.244] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="programdata") returned 1 [0098.244] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="appdata") returned 1 [0098.244] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="program files") returned 1 [0098.244] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="program files (x86)") returned 1 [0098.244] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="microsoft") returned 1 [0098.244] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="sophos") returned 1 [0098.244] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.244] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.244] PathFindExtensionW (pszPath="UpdateSessionOrchestration.036.etl") returned=".etl" [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.244] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.244] lstrcmpiW (lpString1="UpdateSessionOrchestration.036.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.244] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.244] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.036.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.036.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.245] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0098.245] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0098.245] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.245] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0098.245] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.245] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0098.245] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0098.245] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.245] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.245] GetTickCount () returned 0x1159bee [0098.245] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0098.245] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0098.245] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.245] SetLastError (dwErrCode=0x0) [0098.246] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.246] GetLastError () returned 0x0 [0098.246] GetLastError () returned 0x0 [0098.246] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.247] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.247] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.247] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x358bf28b, dwHighDateTime=0x1d5f971)) [0098.247] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.247] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.247] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.247] GetProcessHeap () returned 0xbc0000 [0098.247] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0098.247] GetSystemDefaultLangID () returned 0xbd0409 [0098.247] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.247] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0098.248] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.248] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0098.248] GetProcessHeap () returned 0xbc0000 [0098.248] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.249] CloseHandle (hObject=0x270) returned 1 [0098.249] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0098.249] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0098.249] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0f0 | out: hHeap=0x2680000) returned 1 [0098.249] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.249] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.249] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.036.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.036.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.036.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.036.etl.nefilim")) returned 1 [0098.250] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.250] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.250] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa972a1, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0xa972a1, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x266bdfb9, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateSessionOrchestration.037.etl", cAlternateFileName="UPDATE~1.ETL")) returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2=".") returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="..") returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="...") returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="windows") returned -1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="rsa") returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="NTDETECT.COM") returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="ntldr") returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="MSDOS.SYS") returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="IO.SYS") returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="boot.ini") returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="ntuser.dat") returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="desktop.ini") returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="CONFIG.SYS") returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="RECYCLER") returned 1 [0098.250] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.251] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="bootmgr") returned 1 [0098.251] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="programdata") returned 1 [0098.251] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="appdata") returned 1 [0098.251] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="program files") returned 1 [0098.251] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="program files (x86)") returned 1 [0098.251] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="microsoft") returned 1 [0098.251] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="sophos") returned 1 [0098.251] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0098.251] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.251] PathFindExtensionW (pszPath="UpdateSessionOrchestration.037.etl") returned=".etl" [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.251] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.251] lstrcmpiW (lpString1="UpdateSessionOrchestration.037.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.251] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0098.251] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.037.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.037.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.252] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0098.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0098.252] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.252] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0098.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0098.252] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0098.252] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.252] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.253] GetTickCount () returned 0x1159bfe [0098.253] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0098.253] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0098.253] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.253] SetLastError (dwErrCode=0x0) [0098.253] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.254] GetLastError () returned 0x0 [0098.254] GetLastError () returned 0x0 [0098.254] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.254] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.254] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.254] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x358e52ae, dwHighDateTime=0x1d5f971)) [0098.254] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e380 [0098.254] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0098.254] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.254] GetProcessHeap () returned 0xbc0000 [0098.254] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0098.255] GetSystemDefaultLangID () returned 0xbd0409 [0098.255] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.255] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0098.256] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.256] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0098.256] GetProcessHeap () returned 0xbc0000 [0098.256] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.256] CloseHandle (hObject=0x270) returned 1 [0098.257] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0098.257] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0098.257] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.257] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0098.257] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0098.257] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.037.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.037.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateSessionOrchestration.037.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updatesessionorchestration.037.etl.nefilim")) returned 1 [0098.258] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0098.258] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.258] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6fa4f40f, ftCreationTime.dwHighDateTime=0x1d336de, ftLastAccessTime.dwLowDateTime=0x8243765a, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0x889a9e61, ftLastWriteTime.dwHighDateTime=0x1d336de, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateUx.001.etl", cAlternateFileName="UP654C~1.ETL")) returned 1 [0098.258] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2=".") returned 1 [0098.258] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="..") returned 1 [0098.258] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="...") returned 1 [0098.258] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="windows") returned -1 [0098.258] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.258] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="rsa") returned 1 [0098.258] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="NTDETECT.COM") returned 1 [0098.258] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="ntldr") returned 1 [0098.258] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="MSDOS.SYS") returned 1 [0098.258] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="IO.SYS") returned 1 [0098.258] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="boot.ini") returned 1 [0098.258] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.258] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="ntuser.dat") returned 1 [0098.258] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="desktop.ini") returned 1 [0098.259] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="CONFIG.SYS") returned 1 [0098.259] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="RECYCLER") returned 1 [0098.259] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.259] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="bootmgr") returned 1 [0098.259] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="programdata") returned 1 [0098.259] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="appdata") returned 1 [0098.259] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="program files") returned 1 [0098.259] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="program files (x86)") returned 1 [0098.259] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="microsoft") returned 1 [0098.259] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="sophos") returned 1 [0098.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0098.259] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.259] PathFindExtensionW (pszPath="UpdateUx.001.etl") returned=".etl" [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.259] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.259] lstrcmpiW (lpString1="UpdateUx.001.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e360 [0098.259] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.001.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updateux.001.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.260] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8192) returned 1 [0098.260] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0098.260] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.260] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0098.260] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.260] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0098.260] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0098.260] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.260] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.260] GetTickCount () returned 0x1159bfe [0098.260] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0098.260] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0098.260] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.261] SetLastError (dwErrCode=0x0) [0098.261] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.261] GetLastError () returned 0x0 [0098.261] GetLastError () returned 0x0 [0098.261] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.261] WriteFile (in: hFile=0x270, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.262] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.262] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x358e52ae, dwHighDateTime=0x1d5f971)) [0098.262] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e800 [0098.262] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.262] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.262] GetProcessHeap () returned 0xbc0000 [0098.262] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2000) returned 0xbf2638 [0098.262] GetSystemDefaultLangID () returned 0xbd0409 [0098.262] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.262] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2000, lpOverlapped=0x0) returned 1 [0098.263] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.263] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2000, lpOverlapped=0x0) returned 1 [0098.263] GetProcessHeap () returned 0xbc0000 [0098.263] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.263] CloseHandle (hObject=0x270) returned 1 [0098.264] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0098.264] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0098.264] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0098.264] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.264] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0098.264] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.001.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updateux.001.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.001.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updateux.001.etl.nefilim")) returned 1 [0098.265] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.265] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0098.265] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6fa4f40f, ftCreationTime.dwHighDateTime=0x1d336de, ftLastAccessTime.dwLowDateTime=0x6fa4f40f, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0x7e0bea63, ftLastWriteTime.dwHighDateTime=0x1d336de, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateUx.002.etl", cAlternateFileName="UP1018~1.ETL")) returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2=".") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="..") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="...") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="windows") returned -1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="$RECYCLE.BIN") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="rsa") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="NTDETECT.COM") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="ntldr") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="MSDOS.SYS") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="IO.SYS") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="boot.ini") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="AUTOEXEC.BAT") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="ntuser.dat") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="desktop.ini") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="CONFIG.SYS") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="RECYCLER") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="BOOTSECT.BAK") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="bootmgr") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="programdata") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="appdata") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="program files") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="program files (x86)") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="microsoft") returned 1 [0098.265] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="sophos") returned 1 [0098.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e360 [0098.266] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.266] PathFindExtensionW (pszPath="UpdateUx.002.etl") returned=".etl" [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".exe") returned -1 [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".log") returned -1 [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".cab") returned 1 [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".cmd") returned 1 [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".com") returned 1 [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".cpl") returned 1 [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".ini") returned -1 [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".dll") returned 1 [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".url") returned -1 [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".ttf") returned -1 [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".mp3") returned -1 [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".pif") returned -1 [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".mp4") returned -1 [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".NEFILIM") returned -1 [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".msi") returned -1 [0098.266] lstrcmpiW (lpString1=".etl", lpString2=".lnk") returned -1 [0098.266] lstrcmpiW (lpString1="UpdateUx.002.etl", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.266] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0098.266] CreateFileW (lpFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updateux.002.etl"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0098.267] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=12288) returned 1 [0098.267] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.267] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0098.268] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.268] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0098.268] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0098.268] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0098.268] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25be798*=0x100) returned 1 [0098.268] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be794*=0x100) returned 1 [0098.268] GetTickCount () returned 0x1159c0d [0098.268] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0098.268] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0098.268] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.268] SetLastError (dwErrCode=0x0) [0098.268] WriteFile (in: hFile=0x270, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.269] GetLastError () returned 0x0 [0098.269] GetLastError () returned 0x0 [0098.269] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.269] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0098.269] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.269] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3590b8e5, dwHighDateTime=0x1d5f971)) [0098.269] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e800 [0098.269] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.269] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0098.269] GetProcessHeap () returned 0xbc0000 [0098.270] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3000) returned 0xbf2638 [0098.270] GetSystemDefaultLangID () returned 0xbd0409 [0098.270] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.270] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3000, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3000, lpOverlapped=0x0) returned 1 [0098.313] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.313] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3000, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3000, lpOverlapped=0x0) returned 1 [0098.313] GetProcessHeap () returned 0xbc0000 [0098.313] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0098.313] CloseHandle (hObject=0x270) returned 1 [0098.314] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0098.314] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0098.314] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.314] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0098.314] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0098.314] MoveFileW (lpExistingFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.002.etl" (normalized: "c:\\users\\all users\\usoshared\\logs\\updateux.002.etl"), lpNewFileName="C:\\Users\\All Users\\USOShared\\Logs\\UpdateUx.002.etl.NEFILIM" (normalized: "c:\\users\\all users\\usoshared\\logs\\updateux.002.etl.nefilim")) returned 1 [0098.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.315] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6fa4f40f, ftCreationTime.dwHighDateTime=0x1d336de, ftLastAccessTime.dwLowDateTime=0x6fa4f40f, ftLastAccessTime.dwHighDateTime=0x1d336de, ftLastWriteTime.dwLowDateTime=0x7e0bea63, ftLastWriteTime.dwHighDateTime=0x1d336de, nFileSizeHigh=0x0, nFileSizeLow=0x3000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UpdateUx.002.etl", cAlternateFileName="UP1018~1.ETL")) returned 0 [0098.315] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0098.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0098.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be40 | out: hHeap=0x2680000) returned 1 [0098.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0098.315] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xa4ade3, ftCreationTime.dwHighDateTime=0x1d32744, ftLastAccessTime.dwLowDateTime=0x21006ce2, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x21006ce2, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="Logs", cAlternateFileName="")) returned 0 [0098.315] FindClose (in: hFindFile=0xbe2988 | out: hFindFile=0xbe2988) returned 1 [0098.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bde8 | out: hHeap=0x2680000) returned 1 [0098.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680548 | out: hHeap=0x2680000) returned 1 [0098.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0098.315] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 1 [0098.315] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2=".") returned 1 [0098.315] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="..") returned 1 [0098.315] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="...") returned 1 [0098.315] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="windows") returned 1 [0098.315] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="$RECYCLE.BIN") returned 1 [0098.315] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="rsa") returned 1 [0098.315] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="NTDETECT.COM") returned 1 [0098.315] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="ntldr") returned 1 [0098.315] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="MSDOS.SYS") returned 1 [0098.315] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="IO.SYS") returned 1 [0098.316] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="boot.ini") returned 1 [0098.316] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="AUTOEXEC.BAT") returned 1 [0098.316] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="ntuser.dat") returned 1 [0098.316] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="desktop.ini") returned 1 [0098.316] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="CONFIG.SYS") returned 1 [0098.316] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="RECYCLER") returned 1 [0098.316] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="BOOTSECT.BAK") returned 1 [0098.316] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="bootmgr") returned 1 [0098.316] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="programdata") returned 1 [0098.316] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="appdata") returned 1 [0098.316] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="program files") returned 1 [0098.316] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="program files (x86)") returned 1 [0098.316] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="microsoft") returned 1 [0098.316] lstrcmpiW (lpString1="WindowsHolographicDevices", lpString2="sophos") returned 1 [0098.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680500 [0098.316] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0098.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e350 [0098.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0098.316] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\WindowsHolographicDevices\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName=".", cAlternateFileName="")) returned 0xbe2ac8 [0098.317] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0098.317] FindNextFileW (in: hFindFile=0xbe2ac8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 1 [0098.317] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0098.317] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0098.317] FindNextFileW (in: hFindFile=0xbe2ac8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="SpatialStore", cAlternateFileName="SPATIA~1")) returned 1 [0098.317] lstrcmpiW (lpString1="SpatialStore", lpString2=".") returned 1 [0098.317] lstrcmpiW (lpString1="SpatialStore", lpString2="..") returned 1 [0098.317] lstrcmpiW (lpString1="SpatialStore", lpString2="...") returned 1 [0098.317] lstrcmpiW (lpString1="SpatialStore", lpString2="windows") returned -1 [0098.317] lstrcmpiW (lpString1="SpatialStore", lpString2="$RECYCLE.BIN") returned 1 [0098.317] lstrcmpiW (lpString1="SpatialStore", lpString2="rsa") returned 1 [0098.317] lstrcmpiW (lpString1="SpatialStore", lpString2="NTDETECT.COM") returned 1 [0098.317] lstrcmpiW (lpString1="SpatialStore", lpString2="ntldr") returned 1 [0098.317] lstrcmpiW (lpString1="SpatialStore", lpString2="MSDOS.SYS") returned 1 [0098.317] lstrcmpiW (lpString1="SpatialStore", lpString2="IO.SYS") returned 1 [0098.317] lstrcmpiW (lpString1="SpatialStore", lpString2="boot.ini") returned 1 [0098.317] lstrcmpiW (lpString1="SpatialStore", lpString2="AUTOEXEC.BAT") returned 1 [0098.317] lstrcmpiW (lpString1="SpatialStore", lpString2="ntuser.dat") returned 1 [0098.317] lstrcmpiW (lpString1="SpatialStore", lpString2="desktop.ini") returned 1 [0098.317] lstrcmpiW (lpString1="SpatialStore", lpString2="CONFIG.SYS") returned 1 [0098.318] lstrcmpiW (lpString1="SpatialStore", lpString2="RECYCLER") returned 1 [0098.318] lstrcmpiW (lpString1="SpatialStore", lpString2="BOOTSECT.BAK") returned 1 [0098.318] lstrcmpiW (lpString1="SpatialStore", lpString2="bootmgr") returned 1 [0098.318] lstrcmpiW (lpString1="SpatialStore", lpString2="programdata") returned 1 [0098.318] lstrcmpiW (lpString1="SpatialStore", lpString2="appdata") returned 1 [0098.318] lstrcmpiW (lpString1="SpatialStore", lpString2="program files") returned 1 [0098.318] lstrcmpiW (lpString1="SpatialStore", lpString2="program files (x86)") returned 1 [0098.318] lstrcmpiW (lpString1="SpatialStore", lpString2="microsoft") returned 1 [0098.318] lstrcmpiW (lpString1="SpatialStore", lpString2="sophos") returned 1 [0098.318] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0098.318] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0098.318] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0098.318] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e888 [0098.318] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e910 [0098.318] FindFirstFileW (in: lpFileName="C:\\Users\\All Users\\WindowsHolographicDevices\\SpatialStore\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2788 [0098.318] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0098.318] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0098.318] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0098.318] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0098.318] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0098.318] FindClose (in: hFindFile=0xbe2788 | out: hFindFile=0xbe2788) returned 1 [0098.318] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e910 | out: hHeap=0x2680000) returned 1 [0098.318] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e888 | out: hHeap=0x2680000) returned 1 [0098.318] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0098.318] FindNextFileW (in: hFindFile=0xbe2ac8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6dc3522, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c147a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="SpatialStore", cAlternateFileName="SPATIA~1")) returned 0 [0098.319] FindClose (in: hFindFile=0xbe2ac8 | out: hFindFile=0xbe2ac8) returned 1 [0098.319] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0098.319] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0098.319] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.319] FindNextFileW (in: hFindFile=0xbe2a88, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe6d9d2c8, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0xc32c07ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xe6dc3522, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="WindowsHolographicDevices", cAlternateFileName="WINDOW~1")) returned 0 [0098.319] FindClose (in: hFindFile=0xbe2a88 | out: hFindFile=0xbe2a88) returned 1 [0098.319] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0098.319] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812b0 | out: hHeap=0x2680000) returned 1 [0098.319] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0098.319] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa000000c, dwReserved1=0x9, cFileName="Default", cAlternateFileName="")) returned 1 [0098.319] lstrcmpiW (lpString1="Default", lpString2=".") returned 1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="..") returned 1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="...") returned 1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="windows") returned -1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="$RECYCLE.BIN") returned 1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="rsa") returned -1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="NTDETECT.COM") returned -1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="ntldr") returned -1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="MSDOS.SYS") returned -1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="IO.SYS") returned -1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="boot.ini") returned 1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="AUTOEXEC.BAT") returned 1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="ntuser.dat") returned -1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="desktop.ini") returned -1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="CONFIG.SYS") returned 1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="RECYCLER") returned -1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="BOOTSECT.BAK") returned 1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="bootmgr") returned 1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="programdata") returned -1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="appdata") returned 1 [0098.319] lstrcmpiW (lpString1="Default", lpString2="program files") returned -1 [0098.320] lstrcmpiW (lpString1="Default", lpString2="program files (x86)") returned -1 [0098.320] lstrcmpiW (lpString1="Default", lpString2="microsoft") returned -1 [0098.320] lstrcmpiW (lpString1="Default", lpString2="sophos") returned -1 [0098.320] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0098.320] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0098.320] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0098.320] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0098.320] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e490 [0098.320] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0098.320] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0098.320] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0098.321] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0098.321] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0098.321] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x17d2dc32, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc3aee4d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="...") returned 1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="$RECYCLE.BIN") returned 1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="rsa") returned -1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="NTDETECT.COM") returned -1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="ntldr") returned -1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="MSDOS.SYS") returned -1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="IO.SYS") returned -1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="boot.ini") returned -1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="AUTOEXEC.BAT") returned -1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="ntuser.dat") returned -1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="desktop.ini") returned -1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="CONFIG.SYS") returned -1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="RECYCLER") returned -1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="BOOTSECT.BAK") returned -1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="programdata") returned -1 [0098.321] lstrcmpiW (lpString1="AppData", lpString2="appdata") returned 0 [0098.321] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0098.321] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0098.321] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0098.321] lstrcmpiW (lpString1="Application Data", lpString2="...") returned 1 [0098.321] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0098.321] lstrcmpiW (lpString1="Application Data", lpString2="$RECYCLE.BIN") returned 1 [0098.321] lstrcmpiW (lpString1="Application Data", lpString2="rsa") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="NTDETECT.COM") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="ntldr") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="MSDOS.SYS") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="IO.SYS") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="boot.ini") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="AUTOEXEC.BAT") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="ntuser.dat") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="desktop.ini") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="CONFIG.SYS") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="RECYCLER") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="BOOTSECT.BAK") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="bootmgr") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="programdata") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="appdata") returned 1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="program files") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="program files (x86)") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="microsoft") returned -1 [0098.322] lstrcmpiW (lpString1="Application Data", lpString2="sophos") returned -1 [0098.322] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681278 [0098.322] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e490 | out: hHeap=0x2680000) returned 1 [0098.322] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0098.322] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0098.322] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0098.322] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Application Data\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0x1d32743, ftCreationTime.dwHighDateTime=0x22000022, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x9000009, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x1e00001e, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɛ⊺ĊҸɨቸɨD")) returned 0xffffffff [0098.322] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.322] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0098.322] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.322] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0098.322] lstrcmpiW (lpString1="Cookies", lpString2=".") returned 1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="..") returned 1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="...") returned 1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="windows") returned -1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="$RECYCLE.BIN") returned 1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="rsa") returned -1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="NTDETECT.COM") returned -1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="ntldr") returned -1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="MSDOS.SYS") returned -1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="IO.SYS") returned -1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="boot.ini") returned 1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="AUTOEXEC.BAT") returned 1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="ntuser.dat") returned -1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="desktop.ini") returned -1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="CONFIG.SYS") returned 1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="RECYCLER") returned -1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="BOOTSECT.BAK") returned 1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="bootmgr") returned 1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="programdata") returned -1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="appdata") returned 1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="program files") returned -1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="program files (x86)") returned -1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="microsoft") returned -1 [0098.323] lstrcmpiW (lpString1="Cookies", lpString2="sophos") returned -1 [0098.323] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0098.323] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0098.323] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0098.323] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0098.323] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0098.323] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Cookies\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0x1d32743, ftCreationTime.dwHighDateTime=0x22000022, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0xb00000b, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x1e00001e, nFileSizeHigh=0x2680000, nFileSizeLow=0x9000009, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɛ⊺Ċᒸɨዐɨ2")) returned 0xffffffff [0098.323] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.323] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0098.323] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0098.324] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="$RECYCLE.BIN") returned 1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="NTDETECT.COM") returned -1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="ntldr") returned -1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="MSDOS.SYS") returned -1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="IO.SYS") returned -1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="boot.ini") returned 1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="AUTOEXEC.BAT") returned 1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="desktop.ini") returned -1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="CONFIG.SYS") returned 1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="RECYCLER") returned -1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="BOOTSECT.BAK") returned 1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="microsoft") returned -1 [0098.324] lstrcmpiW (lpString1="Desktop", lpString2="sophos") returned -1 [0098.324] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0098.324] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0098.324] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0098.324] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0098.324] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0098.324] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Desktop\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2988 [0098.325] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0098.325] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0098.325] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0098.325] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0098.325] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3ef8c08, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0098.325] FindClose (in: hFindFile=0xbe2988 | out: hFindFile=0xbe2988) returned 1 [0098.325] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.325] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0098.325] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0098.325] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="$RECYCLE.BIN") returned 1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="NTDETECT.COM") returned -1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="ntldr") returned -1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="MSDOS.SYS") returned -1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="IO.SYS") returned -1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="boot.ini") returned 1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="AUTOEXEC.BAT") returned 1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="desktop.ini") returned 1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="CONFIG.SYS") returned 1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="RECYCLER") returned -1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="BOOTSECT.BAK") returned 1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0098.325] lstrcmpiW (lpString1="Documents", lpString2="microsoft") returned -1 [0098.326] lstrcmpiW (lpString1="Documents", lpString2="sophos") returned -1 [0098.326] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0098.326] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0098.326] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0098.326] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0098.326] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0098.326] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2348 [0098.328] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0098.328] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f654c1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0098.328] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0098.328] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0098.328] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="...") returned 1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="$RECYCLE.BIN") returned 1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="rsa") returned -1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="NTDETECT.COM") returned -1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="ntldr") returned -1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="MSDOS.SYS") returned 1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="IO.SYS") returned 1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="boot.ini") returned 1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="AUTOEXEC.BAT") returned 1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="ntuser.dat") returned -1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="desktop.ini") returned 1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="CONFIG.SYS") returned 1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="RECYCLER") returned -1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="BOOTSECT.BAK") returned 1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="programdata") returned -1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="appdata") returned 1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="program files") returned -1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="program files (x86)") returned -1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="microsoft") returned 1 [0098.329] lstrcmpiW (lpString1="My Music", lpString2="sophos") returned -1 [0098.329] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680500 [0098.329] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.329] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0098.329] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0098.329] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e398 [0098.329] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Music\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xffff74ca, ftCreationTime.dwHighDateTime=0x29000029, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x22000022, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɛ⊺ĊɨԀɨH")) returned 0xffffffff [0098.331] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0098.331] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0098.331] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.331] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0098.331] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0098.331] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0098.331] lstrcmpiW (lpString1="My Pictures", lpString2="...") returned 1 [0098.331] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0098.331] lstrcmpiW (lpString1="My Pictures", lpString2="$RECYCLE.BIN") returned 1 [0098.331] lstrcmpiW (lpString1="My Pictures", lpString2="rsa") returned -1 [0098.331] lstrcmpiW (lpString1="My Pictures", lpString2="NTDETECT.COM") returned -1 [0098.331] lstrcmpiW (lpString1="My Pictures", lpString2="ntldr") returned -1 [0098.331] lstrcmpiW (lpString1="My Pictures", lpString2="MSDOS.SYS") returned 1 [0098.331] lstrcmpiW (lpString1="My Pictures", lpString2="IO.SYS") returned 1 [0098.331] lstrcmpiW (lpString1="My Pictures", lpString2="boot.ini") returned 1 [0098.331] lstrcmpiW (lpString1="My Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0098.332] lstrcmpiW (lpString1="My Pictures", lpString2="ntuser.dat") returned -1 [0098.332] lstrcmpiW (lpString1="My Pictures", lpString2="desktop.ini") returned 1 [0098.332] lstrcmpiW (lpString1="My Pictures", lpString2="CONFIG.SYS") returned 1 [0098.332] lstrcmpiW (lpString1="My Pictures", lpString2="RECYCLER") returned -1 [0098.332] lstrcmpiW (lpString1="My Pictures", lpString2="BOOTSECT.BAK") returned 1 [0098.332] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0098.332] lstrcmpiW (lpString1="My Pictures", lpString2="programdata") returned -1 [0098.332] lstrcmpiW (lpString1="My Pictures", lpString2="appdata") returned 1 [0098.332] lstrcmpiW (lpString1="My Pictures", lpString2="program files") returned -1 [0098.332] lstrcmpiW (lpString1="My Pictures", lpString2="program files (x86)") returned -1 [0098.332] lstrcmpiW (lpString1="My Pictures", lpString2="microsoft") returned 1 [0098.332] lstrcmpiW (lpString1="My Pictures", lpString2="sophos") returned -1 [0098.332] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0098.332] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0098.332] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0098.332] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e398 [0098.332] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0098.332] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Pictures\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xffff74ca, ftCreationTime.dwHighDateTime=0x1e00001e, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x29000029, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɛ⊺ĊɨɨN")) returned 0xffffffff [0098.332] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.332] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0098.332] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0098.332] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0098.332] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0098.332] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0098.332] lstrcmpiW (lpString1="My Videos", lpString2="...") returned 1 [0098.332] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0098.332] lstrcmpiW (lpString1="My Videos", lpString2="$RECYCLE.BIN") returned 1 [0098.332] lstrcmpiW (lpString1="My Videos", lpString2="rsa") returned -1 [0098.332] lstrcmpiW (lpString1="My Videos", lpString2="NTDETECT.COM") returned -1 [0098.332] lstrcmpiW (lpString1="My Videos", lpString2="ntldr") returned -1 [0098.332] lstrcmpiW (lpString1="My Videos", lpString2="MSDOS.SYS") returned 1 [0098.332] lstrcmpiW (lpString1="My Videos", lpString2="IO.SYS") returned 1 [0098.332] lstrcmpiW (lpString1="My Videos", lpString2="boot.ini") returned 1 [0098.332] lstrcmpiW (lpString1="My Videos", lpString2="AUTOEXEC.BAT") returned 1 [0098.333] lstrcmpiW (lpString1="My Videos", lpString2="ntuser.dat") returned -1 [0098.333] lstrcmpiW (lpString1="My Videos", lpString2="desktop.ini") returned 1 [0098.333] lstrcmpiW (lpString1="My Videos", lpString2="CONFIG.SYS") returned 1 [0098.333] lstrcmpiW (lpString1="My Videos", lpString2="RECYCLER") returned -1 [0098.333] lstrcmpiW (lpString1="My Videos", lpString2="BOOTSECT.BAK") returned 1 [0098.333] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0098.333] lstrcmpiW (lpString1="My Videos", lpString2="programdata") returned -1 [0098.333] lstrcmpiW (lpString1="My Videos", lpString2="appdata") returned 1 [0098.333] lstrcmpiW (lpString1="My Videos", lpString2="program files") returned -1 [0098.333] lstrcmpiW (lpString1="My Videos", lpString2="program files (x86)") returned -1 [0098.333] lstrcmpiW (lpString1="My Videos", lpString2="microsoft") returned 1 [0098.333] lstrcmpiW (lpString1="My Videos", lpString2="sophos") returned -1 [0098.333] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0098.333] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.333] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0098.333] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e398 [0098.333] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0098.333] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Documents\\My Videos\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xffff74ca, ftCreationTime.dwHighDateTime=0x1e00001e, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0xc00000c, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x1e00001e, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɛ⊺ĊɨɨJ")) returned 0xffffffff [0098.333] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.333] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0098.333] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.333] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x5d42963, ftCreationTime.dwHighDateTime=0x1d32721, ftLastAccessTime.dwLowDateTime=0x5d42963, ftLastAccessTime.dwHighDateTime=0x1d32721, ftLastWriteTime.dwLowDateTime=0x5d42963, ftLastWriteTime.dwHighDateTime=0x1d32721, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0098.333] FindClose (in: hFindFile=0xbe2348 | out: hFindFile=0xbe2348) returned 1 [0098.334] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0098.334] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0098.334] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0098.334] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2="...") returned 1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2="$RECYCLE.BIN") returned 1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2="rsa") returned -1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2="NTDETECT.COM") returned -1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2="ntldr") returned -1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2="MSDOS.SYS") returned -1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2="IO.SYS") returned -1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2="boot.ini") returned 1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2="AUTOEXEC.BAT") returned 1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2="ntuser.dat") returned -1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2="desktop.ini") returned 1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2="CONFIG.SYS") returned 1 [0098.334] lstrcmpiW (lpString1="Downloads", lpString2="RECYCLER") returned -1 [0098.335] lstrcmpiW (lpString1="Downloads", lpString2="BOOTSECT.BAK") returned 1 [0098.335] lstrcmpiW (lpString1="Downloads", lpString2="bootmgr") returned 1 [0098.335] lstrcmpiW (lpString1="Downloads", lpString2="programdata") returned -1 [0098.335] lstrcmpiW (lpString1="Downloads", lpString2="appdata") returned 1 [0098.335] lstrcmpiW (lpString1="Downloads", lpString2="program files") returned -1 [0098.335] lstrcmpiW (lpString1="Downloads", lpString2="program files (x86)") returned -1 [0098.335] lstrcmpiW (lpString1="Downloads", lpString2="microsoft") returned -1 [0098.335] lstrcmpiW (lpString1="Downloads", lpString2="sophos") returned -1 [0098.335] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0098.335] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0098.335] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0098.335] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0098.335] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0098.335] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Downloads\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2948 [0098.335] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0098.335] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0098.335] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0098.335] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0098.335] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3f66782, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0098.335] FindClose (in: hFindFile=0xbe2948 | out: hFindFile=0xbe2948) returned 1 [0098.335] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.335] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0098.335] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0098.335] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0098.335] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0098.335] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="...") returned 1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="windows") returned -1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="$RECYCLE.BIN") returned 1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="rsa") returned -1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="NTDETECT.COM") returned -1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="ntldr") returned -1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="MSDOS.SYS") returned -1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="IO.SYS") returned -1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="boot.ini") returned 1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="AUTOEXEC.BAT") returned 1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="ntuser.dat") returned -1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="desktop.ini") returned 1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="CONFIG.SYS") returned 1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="RECYCLER") returned -1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="BOOTSECT.BAK") returned 1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="bootmgr") returned 1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="programdata") returned -1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="appdata") returned 1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="program files") returned -1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="program files (x86)") returned -1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="microsoft") returned -1 [0098.336] lstrcmpiW (lpString1="Favorites", lpString2="sophos") returned -1 [0098.336] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0098.336] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0098.336] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0098.336] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0098.336] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0098.336] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Favorites\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe23c8 [0098.337] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0098.337] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0098.337] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0098.337] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0098.337] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb8e09, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0098.337] FindClose (in: hFindFile=0xbe23c8 | out: hFindFile=0xbe23c8) returned 1 [0098.337] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.337] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0098.337] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0098.337] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0098.337] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0098.337] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0098.337] lstrcmpiW (lpString1="Links", lpString2="...") returned 1 [0098.337] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0098.337] lstrcmpiW (lpString1="Links", lpString2="$RECYCLE.BIN") returned 1 [0098.337] lstrcmpiW (lpString1="Links", lpString2="rsa") returned -1 [0098.337] lstrcmpiW (lpString1="Links", lpString2="NTDETECT.COM") returned -1 [0098.337] lstrcmpiW (lpString1="Links", lpString2="ntldr") returned -1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="MSDOS.SYS") returned -1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="IO.SYS") returned 1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="boot.ini") returned 1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="AUTOEXEC.BAT") returned 1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="ntuser.dat") returned -1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="desktop.ini") returned 1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="CONFIG.SYS") returned 1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="RECYCLER") returned -1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="BOOTSECT.BAK") returned 1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="bootmgr") returned 1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="programdata") returned -1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="appdata") returned 1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="program files") returned -1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="program files (x86)") returned -1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="microsoft") returned -1 [0098.338] lstrcmpiW (lpString1="Links", lpString2="sophos") returned -1 [0098.338] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0098.338] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0098.338] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e7a0 [0098.338] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0098.338] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0098.338] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Links\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2b08 [0098.338] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0098.338] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0098.338] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0098.338] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0098.338] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0098.338] FindClose (in: hFindFile=0xbe2b08 | out: hFindFile=0xbe2b08) returned 1 [0098.339] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0098.339] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0098.339] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e7a0 | out: hHeap=0x2680000) returned 1 [0098.339] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2=".") returned 1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="..") returned 1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="...") returned 1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="windows") returned -1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="$RECYCLE.BIN") returned 1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="rsa") returned -1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="NTDETECT.COM") returned -1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="ntldr") returned -1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="MSDOS.SYS") returned -1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="IO.SYS") returned 1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="boot.ini") returned 1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="AUTOEXEC.BAT") returned 1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="ntuser.dat") returned -1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="desktop.ini") returned 1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="CONFIG.SYS") returned 1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="RECYCLER") returned -1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="BOOTSECT.BAK") returned 1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="bootmgr") returned 1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="programdata") returned -1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="appdata") returned 1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="program files") returned -1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="program files (x86)") returned -1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="microsoft") returned -1 [0098.339] lstrcmpiW (lpString1="Local Settings", lpString2="sophos") returned -1 [0098.339] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0098.339] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x5e) returned 0x2681278 [0098.339] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0098.339] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0098.339] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0098.339] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0098.339] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0098.339] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Local Settings\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x22000022, ftLastAccessTime.dwLowDateTime=0xc3fb994f, ftLastAccessTime.dwHighDateTime=0xf00003f3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x2680000, nFileSizeLow=0x14000014, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="", cAlternateFileName="ɛ⊺ĊҸɨቸɨ@")) returned 0xffffffff [0098.340] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.340] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0098.340] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.340] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0098.340] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="...") returned 1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="$RECYCLE.BIN") returned 1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="rsa") returned -1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="NTDETECT.COM") returned -1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="ntldr") returned -1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="MSDOS.SYS") returned 1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="IO.SYS") returned 1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="boot.ini") returned 1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="AUTOEXEC.BAT") returned 1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="ntuser.dat") returned -1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="desktop.ini") returned 1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="CONFIG.SYS") returned 1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="RECYCLER") returned -1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="BOOTSECT.BAK") returned 1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="bootmgr") returned 1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="programdata") returned -1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="appdata") returned 1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="program files") returned -1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="program files (x86)") returned -1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="microsoft") returned 1 [0098.340] lstrcmpiW (lpString1="Music", lpString2="sophos") returned -1 [0098.340] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0098.340] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0098.340] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0098.341] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e500 [0098.341] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0098.341] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Music\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName=".", cAlternateFileName="")) returned 0xbe24c8 [0098.341] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0098.341] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 1 [0098.342] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0098.342] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0098.342] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 0 [0098.342] FindClose (in: hFindFile=0xbe24c8 | out: hFindFile=0xbe24c8) returned 1 [0098.342] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0098.342] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e500 | out: hHeap=0x2680000) returned 1 [0098.342] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0098.342] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2=".") returned 1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="..") returned 1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="...") returned 1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="windows") returned -1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="$RECYCLE.BIN") returned 1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="rsa") returned -1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="NTDETECT.COM") returned -1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="ntldr") returned -1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="MSDOS.SYS") returned 1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="IO.SYS") returned 1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="boot.ini") returned 1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="AUTOEXEC.BAT") returned 1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="ntuser.dat") returned -1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="desktop.ini") returned 1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="CONFIG.SYS") returned 1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="RECYCLER") returned -1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="BOOTSECT.BAK") returned 1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="bootmgr") returned 1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="programdata") returned -1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="appdata") returned 1 [0098.342] lstrcmpiW (lpString1="My Documents", lpString2="program files") returned -1 [0098.343] lstrcmpiW (lpString1="My Documents", lpString2="program files (x86)") returned -1 [0098.343] lstrcmpiW (lpString1="My Documents", lpString2="microsoft") returned 1 [0098.343] lstrcmpiW (lpString1="My Documents", lpString2="sophos") returned -1 [0098.343] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0098.343] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0098.343] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0098.343] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0098.343] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0098.343] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\My Documents\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1e00001e, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x2680000, nFileSizeLow=0x14000014, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="", cAlternateFileName="ɛ⊺Ċቸɨᒸɨ<")) returned 0xffffffff [0098.343] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.343] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0098.343] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0098.343] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2=".") returned 1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="..") returned 1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="...") returned 1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="windows") returned -1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="$RECYCLE.BIN") returned 1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="rsa") returned -1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="NTDETECT.COM") returned -1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="ntldr") returned -1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="MSDOS.SYS") returned 1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="IO.SYS") returned 1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="boot.ini") returned 1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="AUTOEXEC.BAT") returned 1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="ntuser.dat") returned -1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="desktop.ini") returned 1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="CONFIG.SYS") returned 1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="RECYCLER") returned -1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="BOOTSECT.BAK") returned 1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="bootmgr") returned 1 [0098.343] lstrcmpiW (lpString1="NetHood", lpString2="programdata") returned -1 [0098.344] lstrcmpiW (lpString1="NetHood", lpString2="appdata") returned 1 [0098.344] lstrcmpiW (lpString1="NetHood", lpString2="program files") returned -1 [0098.344] lstrcmpiW (lpString1="NetHood", lpString2="program files (x86)") returned -1 [0098.344] lstrcmpiW (lpString1="NetHood", lpString2="microsoft") returned 1 [0098.344] lstrcmpiW (lpString1="NetHood", lpString2="sophos") returned -1 [0098.344] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0098.344] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0098.344] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0098.344] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0098.344] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0098.344] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\NetHood\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1e00001e, ftLastAccessTime.dwLowDateTime=0xc3fbaa63, ftLastAccessTime.dwHighDateTime=0xb00000b, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1e00001e, nFileSizeHigh=0x2680000, nFileSizeLow=0x14000014, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="", cAlternateFileName="ɛ⊺Ċᒸɨቸɨ2")) returned 0xffffffff [0098.344] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.344] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0098.344] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0098.344] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c4aac40, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x19fa8eb, ftLastAccessTime.dwHighDateTime=0x1d5d811, ftLastWriteTime.dwLowDateTime=0x19fa8eb, ftLastWriteTime.dwHighDateTime=0x1d5d811, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="...") returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="windows") returned -1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="$RECYCLE.BIN") returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="rsa") returned -1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="NTDETECT.COM") returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntldr") returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="MSDOS.SYS") returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="IO.SYS") returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="boot.ini") returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="AUTOEXEC.BAT") returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntuser.dat") returned 0 [0098.344] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x6000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2=".") returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="..") returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="...") returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="windows") returned -1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="$RECYCLE.BIN") returned 1 [0098.344] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="rsa") returned -1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="NTDETECT.COM") returned 1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="ntldr") returned 1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="MSDOS.SYS") returned 1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="IO.SYS") returned 1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="boot.ini") returned 1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="AUTOEXEC.BAT") returned 1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="ntuser.dat") returned 1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="desktop.ini") returned 1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="CONFIG.SYS") returned 1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="RECYCLER") returned -1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="BOOTSECT.BAK") returned 1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="bootmgr") returned 1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="programdata") returned -1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="appdata") returned 1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="program files") returned -1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="program files (x86)") returned -1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="microsoft") returned 1 [0098.345] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="sophos") returned -1 [0098.345] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0098.345] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0098.345] PathFindExtensionW (pszPath="NTUSER.DAT.LOG1") returned=".LOG1" [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".exe") returned 1 [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".log") returned 1 [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".cab") returned 1 [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".cmd") returned 1 [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".com") returned 1 [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".cpl") returned 1 [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".ini") returned 1 [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".dll") returned 1 [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".url") returned -1 [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".ttf") returned -1 [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".mp3") returned -1 [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".pif") returned -1 [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".mp4") returned -1 [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".NEFILIM") returned -1 [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".msi") returned -1 [0098.345] lstrcmpiW (lpString1=".LOG1", lpString2=".lnk") returned 1 [0098.346] lstrcmpiW (lpString1="NTUSER.DAT.LOG1", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.346] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0098.346] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0098.346] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=24576) returned 1 [0098.346] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.346] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0098.346] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.346] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0098.346] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0098.346] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ee0 [0098.346] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0098.347] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ee0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ee0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0098.348] GetTickCount () returned 0x1159c5c [0098.348] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0098.348] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0098.348] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x6000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.348] SetLastError (dwErrCode=0x0) [0098.348] WriteFile (in: hFile=0x23c, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.349] GetLastError () returned 0x0 [0098.349] GetLastError () returned 0x0 [0098.349] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x6100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.349] WriteFile (in: hFile=0x23c, lpBuffer=0x29d0ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d0ee0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.350] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x6200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.350] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x359ca0d9, dwHighDateTime=0x1d5f971)) [0098.350] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0098.350] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0098.350] WriteFile (in: hFile=0x23c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0098.350] GetProcessHeap () returned 0xbc0000 [0098.350] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x6000) returned 0xbf1630 [0098.350] GetSystemDefaultLangID () returned 0xbd0409 [0098.350] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.350] ReadFile (in: hFile=0x23c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x6000, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25bee3c*=0x6000, lpOverlapped=0x0) returned 1 [0098.393] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.393] WriteFile (in: hFile=0x23c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x6000, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25bee30*=0x6000, lpOverlapped=0x0) returned 1 [0098.393] GetProcessHeap () returned 0xbc0000 [0098.393] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0098.393] CloseHandle (hObject=0x23c) returned 1 [0098.398] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0098.398] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ee0 | out: hHeap=0x2680000) returned 1 [0098.398] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.398] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0098.398] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680510 [0098.398] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1" (normalized: "c:\\users\\default\\ntuser.dat.log1"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT.LOG1.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat.log1.nefilim")) returned 1 [0098.399] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0098.399] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.399] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x6c6021fd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x6c6021fd, ftLastAccessTime.dwHighDateTime=0x1d29fdc, ftLastWriteTime.dwLowDateTime=0x6c6021fd, ftLastWriteTime.dwHighDateTime=0x1d29fdc, nFileSizeHigh=0x0, nFileSizeLow=0x5000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2=".") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="..") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="...") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="windows") returned -1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="$RECYCLE.BIN") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="rsa") returned -1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="NTDETECT.COM") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="ntldr") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="MSDOS.SYS") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="IO.SYS") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="boot.ini") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="AUTOEXEC.BAT") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="ntuser.dat") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="desktop.ini") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="CONFIG.SYS") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="RECYCLER") returned -1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="BOOTSECT.BAK") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="bootmgr") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="programdata") returned -1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="appdata") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="program files") returned -1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="program files (x86)") returned -1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="microsoft") returned 1 [0098.399] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="sophos") returned -1 [0098.399] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0098.399] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0098.399] PathFindExtensionW (pszPath="NTUSER.DAT.LOG2") returned=".LOG2" [0098.399] lstrcmpiW (lpString1=".LOG2", lpString2=".exe") returned 1 [0098.399] lstrcmpiW (lpString1=".LOG2", lpString2=".log") returned 1 [0098.399] lstrcmpiW (lpString1=".LOG2", lpString2=".cab") returned 1 [0098.400] lstrcmpiW (lpString1=".LOG2", lpString2=".cmd") returned 1 [0098.400] lstrcmpiW (lpString1=".LOG2", lpString2=".com") returned 1 [0098.400] lstrcmpiW (lpString1=".LOG2", lpString2=".cpl") returned 1 [0098.400] lstrcmpiW (lpString1=".LOG2", lpString2=".ini") returned 1 [0098.400] lstrcmpiW (lpString1=".LOG2", lpString2=".dll") returned 1 [0098.400] lstrcmpiW (lpString1=".LOG2", lpString2=".url") returned -1 [0098.400] lstrcmpiW (lpString1=".LOG2", lpString2=".ttf") returned -1 [0098.400] lstrcmpiW (lpString1=".LOG2", lpString2=".mp3") returned -1 [0098.400] lstrcmpiW (lpString1=".LOG2", lpString2=".pif") returned -1 [0098.400] lstrcmpiW (lpString1=".LOG2", lpString2=".mp4") returned -1 [0098.400] lstrcmpiW (lpString1=".LOG2", lpString2=".NEFILIM") returned -1 [0098.400] lstrcmpiW (lpString1=".LOG2", lpString2=".msi") returned -1 [0098.400] lstrcmpiW (lpString1=".LOG2", lpString2=".lnk") returned 1 [0098.400] lstrcmpiW (lpString1="NTUSER.DAT.LOG2", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.400] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0098.400] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0098.400] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=20480) returned 1 [0098.400] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0098.400] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0098.400] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0098.400] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0098.400] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0098.400] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0098.400] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0098.401] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0098.403] GetTickCount () returned 0x1159c8a [0098.403] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0098.403] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0098.403] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x5000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.403] SetLastError (dwErrCode=0x0) [0098.403] WriteFile (in: hFile=0x23c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.404] GetLastError () returned 0x0 [0098.404] GetLastError () returned 0x0 [0098.404] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x5100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.404] WriteFile (in: hFile=0x23c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.404] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x5200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.404] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x35a3ca4d, dwHighDateTime=0x1d5f971)) [0098.404] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0098.404] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0098.404] WriteFile (in: hFile=0x23c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0098.404] GetProcessHeap () returned 0xbc0000 [0098.404] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x5000) returned 0xbf1630 [0098.404] GetSystemDefaultLangID () returned 0xbd0409 [0098.404] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.404] ReadFile (in: hFile=0x23c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x5000, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25bee3c*=0x5000, lpOverlapped=0x0) returned 1 [0098.406] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.406] WriteFile (in: hFile=0x23c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x5000, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25bee30*=0x5000, lpOverlapped=0x0) returned 1 [0098.406] GetProcessHeap () returned 0xbc0000 [0098.406] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0098.407] CloseHandle (hObject=0x23c) returned 1 [0098.409] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0098.409] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0098.409] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0098.409] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0098.409] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681278 [0098.409] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2" (normalized: "c:\\users\\default\\ntuser.dat.log2"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT.LOG2.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat.log2.nefilim")) returned 1 [0098.410] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0098.410] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0098.410] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7dab84ff, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855f639a, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2=".") returned 1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="..") returned 1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="...") returned 1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="windows") returned -1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="$RECYCLE.BIN") returned 1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="rsa") returned -1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="NTDETECT.COM") returned 1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="ntldr") returned 1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="MSDOS.SYS") returned 1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="IO.SYS") returned 1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="boot.ini") returned 1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="AUTOEXEC.BAT") returned 1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="ntuser.dat") returned 1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="desktop.ini") returned 1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="CONFIG.SYS") returned 1 [0098.410] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="RECYCLER") returned -1 [0098.411] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="BOOTSECT.BAK") returned 1 [0098.411] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="bootmgr") returned 1 [0098.411] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="programdata") returned -1 [0098.411] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="appdata") returned 1 [0098.411] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="program files") returned -1 [0098.411] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="program files (x86)") returned -1 [0098.411] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="microsoft") returned 1 [0098.411] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="sophos") returned -1 [0098.411] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e2e8 [0098.411] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.411] PathFindExtensionW (pszPath="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf") returned=".blf" [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".exe") returned -1 [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".log") returned -1 [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".cab") returned -1 [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".cmd") returned -1 [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".com") returned -1 [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".cpl") returned -1 [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".ini") returned -1 [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".dll") returned -1 [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".url") returned -1 [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".ttf") returned -1 [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".mp3") returned -1 [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".pif") returned -1 [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".mp4") returned -1 [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".NEFILIM") returned -1 [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".msi") returned -1 [0098.411] lstrcmpiW (lpString1=".blf", lpString2=".lnk") returned -1 [0098.411] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.411] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x26804b8 [0098.411] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0098.412] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=65536) returned 1 [0098.412] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.412] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0098.412] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.412] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0098.412] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0098.412] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0098.412] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0098.412] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0098.413] GetTickCount () returned 0x1159c9a [0098.413] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0098.413] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0098.413] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.413] SetLastError (dwErrCode=0x0) [0098.413] WriteFile (in: hFile=0x23c, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.414] GetLastError () returned 0x0 [0098.414] GetLastError () returned 0x0 [0098.414] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x10100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.414] WriteFile (in: hFile=0x23c, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.414] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x10200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.414] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x35a62d0a, dwHighDateTime=0x1d5f971)) [0098.414] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0098.415] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0098.415] WriteFile (in: hFile=0x23c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0098.415] GetProcessHeap () returned 0xbc0000 [0098.415] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10000) returned 0xbf1630 [0098.415] GetSystemDefaultLangID () returned 0xbd0409 [0098.415] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.416] ReadFile (in: hFile=0x23c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25bee3c*=0x10000, lpOverlapped=0x0) returned 1 [0098.420] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.420] WriteFile (in: hFile=0x23c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25bee30*=0x10000, lpOverlapped=0x0) returned 1 [0098.467] GetProcessHeap () returned 0xbc0000 [0098.467] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0098.467] CloseHandle (hObject=0x23c) returned 1 [0098.469] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0098.469] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0098.469] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.469] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0098.469] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268bd90 [0098.469] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tm.blf"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TM.blf.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tm.blf.nefilim")) returned 1 [0098.470] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0098.470] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.470] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7ddd9675, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0xacbd1187, ftLastAccessTime.dwHighDateTime=0x1d2fa0d, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="...") returned 1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="windows") returned -1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="rsa") returned -1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntldr") returned 1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="IO.SYS") returned 1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot.ini") returned 1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat") returned 1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="desktop.ini") returned 1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="RECYCLER") returned -1 [0098.470] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0098.471] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootmgr") returned 1 [0098.471] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="programdata") returned -1 [0098.471] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="appdata") returned 1 [0098.471] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files") returned -1 [0098.471] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files (x86)") returned -1 [0098.471] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="microsoft") returned 1 [0098.471] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="sophos") returned -1 [0098.471] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xe0) returned 0x26804b8 [0098.471] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.471] PathFindExtensionW (pszPath="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0098.471] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26814b8 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEFILIM") returned 1 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0098.471] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0098.471] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.471] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xe0) returned 0x268e2e8 [0098.471] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0098.518] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=524288) returned 1 [0098.518] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0098.518] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.518] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0098.518] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.518] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0098.518] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0098.518] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0098.519] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0098.521] GetTickCount () returned 0x1159d07 [0098.521] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0098.521] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0098.521] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.521] SetLastError (dwErrCode=0x0) [0098.521] WriteFile (in: hFile=0x23c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.522] GetLastError () returned 0x0 [0098.522] GetLastError () returned 0x0 [0098.522] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.522] WriteFile (in: hFile=0x23c, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.522] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.522] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x35b6dd0e, dwHighDateTime=0x1d5f971)) [0098.522] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0098.522] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0098.522] WriteFile (in: hFile=0x23c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0098.523] GetProcessHeap () returned 0xbc0000 [0098.523] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x80000) returned 0x2ce4020 [0098.524] GetSystemDefaultLangID () returned 0xbd0409 [0098.524] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.524] ReadFile (in: hFile=0x23c, lpBuffer=0x2ce4020, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0x2ce4020*, lpNumberOfBytesRead=0x25bee3c*=0x80000, lpOverlapped=0x0) returned 1 [0098.556] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.556] WriteFile (in: hFile=0x23c, lpBuffer=0x2ce4020*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2ce4020*, lpNumberOfBytesWritten=0x25bee30*=0x80000, lpOverlapped=0x0) returned 1 [0098.557] GetProcessHeap () returned 0xbc0000 [0098.557] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0x2ce4020 | out: hHeap=0xbc0000) returned 1 [0098.560] CloseHandle (hObject=0x23c) returned 1 [0098.681] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0098.681] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0098.682] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0098.682] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.682] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268bd90 [0098.682] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000001.regtrans-ms.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000001.regtrans-ms.nefilim")) returned 1 [0098.682] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0098.682] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.682] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0098.682] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x7de71fdf, ftCreationTime.dwHighDateTime=0x1d2fa07, ftLastAccessTime.dwLowDateTime=0x855d0141, ftLastAccessTime.dwHighDateTime=0x1d2fa07, ftLastWriteTime.dwLowDateTime=0x855d0141, ftLastWriteTime.dwHighDateTime=0x1d2fa07, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="...") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="windows") returned -1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="rsa") returned -1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntldr") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="IO.SYS") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot.ini") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="desktop.ini") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="RECYCLER") returned -1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootmgr") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="programdata") returned -1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="appdata") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files") returned -1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files (x86)") returned -1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="microsoft") returned 1 [0098.683] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="sophos") returned -1 [0098.683] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xe0) returned 0x268e2e8 [0098.683] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.683] PathFindExtensionW (pszPath="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0098.683] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x268e3d0 [0098.683] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0098.683] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0098.683] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0098.683] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0098.683] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0098.683] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0098.683] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0098.683] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0098.684] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0098.684] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0098.684] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0098.684] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0098.684] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0098.684] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEFILIM") returned 1 [0098.684] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0098.684] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0098.684] lstrcmpiW (lpString1="NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.684] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xe0) returned 0x26804b8 [0098.684] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0098.684] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=524288) returned 1 [0098.684] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.684] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0098.684] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.684] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0098.684] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0098.684] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0098.684] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0098.706] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0098.708] GetTickCount () returned 0x1159dc3 [0098.708] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e490 [0098.708] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e490 | out: hHeap=0x2680000) returned 1 [0098.708] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.708] SetLastError (dwErrCode=0x0) [0098.708] WriteFile (in: hFile=0x23c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.711] GetLastError () returned 0x0 [0098.711] GetLastError () returned 0x0 [0098.711] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.711] WriteFile (in: hFile=0x23c, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.711] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.711] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x35d4f239, dwHighDateTime=0x1d5f971)) [0098.711] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0098.711] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0098.711] WriteFile (in: hFile=0x23c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0098.711] GetProcessHeap () returned 0xbc0000 [0098.711] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x80000) returned 0x2cef020 [0098.713] GetSystemDefaultLangID () returned 0xbd0409 [0098.713] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.713] ReadFile (in: hFile=0x23c, lpBuffer=0x2cef020, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0x2cef020*, lpNumberOfBytesRead=0x25bee3c*=0x80000, lpOverlapped=0x0) returned 1 [0098.798] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.798] WriteFile (in: hFile=0x23c, lpBuffer=0x2cef020*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2cef020*, lpNumberOfBytesWritten=0x25bee30*=0x80000, lpOverlapped=0x0) returned 1 [0098.799] GetProcessHeap () returned 0xbc0000 [0098.799] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0x2cef020 | out: hHeap=0xbc0000) returned 1 [0098.802] CloseHandle (hObject=0x23c) returned 1 [0098.858] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0098.858] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0098.858] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.858] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0098.858] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268bd90 [0098.858] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{4e074668-0c1c-11e7-a943-e41d2d718a20}.TMContainer00000000000000000002.regtrans-ms.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat{4e074668-0c1c-11e7-a943-e41d2d718a20}.tmcontainer00000000000000000002.regtrans-ms.nefilim")) returned 1 [0098.859] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0098.859] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.859] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3d0 | out: hHeap=0x2680000) returned 1 [0098.859] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~2.BLF")) returned 1 [0098.859] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2=".") returned 1 [0098.859] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="..") returned 1 [0098.859] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="...") returned 1 [0098.859] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="windows") returned -1 [0098.859] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="$RECYCLE.BIN") returned 1 [0098.859] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="rsa") returned -1 [0098.859] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="NTDETECT.COM") returned 1 [0098.859] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="ntldr") returned 1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="MSDOS.SYS") returned 1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="IO.SYS") returned 1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="boot.ini") returned 1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="AUTOEXEC.BAT") returned 1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="ntuser.dat") returned 1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="desktop.ini") returned 1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="CONFIG.SYS") returned 1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="RECYCLER") returned -1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="BOOTSECT.BAK") returned 1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="bootmgr") returned 1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="programdata") returned -1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="appdata") returned 1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="program files") returned -1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="program files (x86)") returned -1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="microsoft") returned 1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="sophos") returned -1 [0098.860] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x26804b8 [0098.860] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.860] PathFindExtensionW (pszPath="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf") returned=".blf" [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".exe") returned -1 [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".log") returned -1 [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".cab") returned -1 [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".cmd") returned -1 [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".com") returned -1 [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".cpl") returned -1 [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".ini") returned -1 [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".dll") returned -1 [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".url") returned -1 [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".ttf") returned -1 [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".mp3") returned -1 [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".pif") returned -1 [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".mp4") returned -1 [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".NEFILIM") returned -1 [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".msi") returned -1 [0098.860] lstrcmpiW (lpString1=".blf", lpString2=".lnk") returned -1 [0098.860] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.861] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e2e8 [0098.861] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0098.861] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=65536) returned 1 [0098.861] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.861] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0098.862] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.862] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0098.862] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0098.862] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ee0 [0098.862] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0098.862] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ee0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ee0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0098.862] GetTickCount () returned 0x1159e50 [0098.862] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e490 [0098.862] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e490 | out: hHeap=0x2680000) returned 1 [0098.862] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x10000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.862] SetLastError (dwErrCode=0x0) [0098.862] WriteFile (in: hFile=0x23c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.863] GetLastError () returned 0x0 [0098.863] GetLastError () returned 0x0 [0098.863] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x10100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.863] WriteFile (in: hFile=0x23c, lpBuffer=0x29d0ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d0ee0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.864] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x10200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.864] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x35eb05c8, dwHighDateTime=0x1d5f971)) [0098.864] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0098.864] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0098.864] WriteFile (in: hFile=0x23c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0098.864] GetProcessHeap () returned 0xbc0000 [0098.864] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10000) returned 0xbf1630 [0098.864] GetSystemDefaultLangID () returned 0xbd0409 [0098.864] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.864] ReadFile (in: hFile=0x23c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x10000, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25bee3c*=0x10000, lpOverlapped=0x0) returned 1 [0098.868] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.868] WriteFile (in: hFile=0x23c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25bee30*=0x10000, lpOverlapped=0x0) returned 1 [0098.868] GetProcessHeap () returned 0xbc0000 [0098.869] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0098.869] CloseHandle (hObject=0x23c) returned 1 [0098.870] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0098.870] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ee0 | out: hHeap=0x2680000) returned 1 [0098.870] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.870] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0098.870] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268bd90 [0098.871] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf.nefilim")) returned 1 [0098.871] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0098.871] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.871] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b6f06dc, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b6f06dc, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~3.REG")) returned 1 [0098.871] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0098.871] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0098.871] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="...") returned 1 [0098.871] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="windows") returned -1 [0098.871] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0098.871] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="rsa") returned -1 [0098.871] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0098.871] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntldr") returned 1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="IO.SYS") returned 1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot.ini") returned 1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat") returned 1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="desktop.ini") returned 1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="RECYCLER") returned -1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootmgr") returned 1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="programdata") returned -1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="appdata") returned 1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files") returned -1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files (x86)") returned -1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="microsoft") returned 1 [0098.872] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="sophos") returned -1 [0098.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xe0) returned 0x268e2e8 [0098.872] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.872] PathFindExtensionW (pszPath="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0098.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x268e3d0 [0098.872] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0098.872] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0098.872] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0098.872] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0098.872] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0098.872] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0098.872] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0098.872] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0098.872] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0098.872] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0098.872] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0098.872] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0098.872] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0098.872] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEFILIM") returned 1 [0098.872] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0098.873] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0098.873] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.873] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xe0) returned 0x26804b8 [0098.873] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0098.873] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=524288) returned 1 [0098.873] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.873] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0098.873] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.873] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0098.873] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0098.873] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0098.873] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0098.873] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0098.874] GetTickCount () returned 0x1159e5f [0098.874] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0098.874] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0098.874] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.874] SetLastError (dwErrCode=0x0) [0098.874] WriteFile (in: hFile=0x23c, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.875] GetLastError () returned 0x0 [0098.875] GetLastError () returned 0x0 [0098.875] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.875] WriteFile (in: hFile=0x23c, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.875] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.875] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x35ed691d, dwHighDateTime=0x1d5f971)) [0098.875] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0098.875] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0098.875] WriteFile (in: hFile=0x23c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0098.875] GetProcessHeap () returned 0xbc0000 [0098.875] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x80000) returned 0x2cef020 [0098.877] GetSystemDefaultLangID () returned 0xbd0409 [0098.877] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.877] ReadFile (in: hFile=0x23c, lpBuffer=0x2cef020, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0x2cef020*, lpNumberOfBytesRead=0x25bee3c*=0x80000, lpOverlapped=0x0) returned 1 [0098.955] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.955] WriteFile (in: hFile=0x23c, lpBuffer=0x2cef020*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2cef020*, lpNumberOfBytesWritten=0x25bee30*=0x80000, lpOverlapped=0x0) returned 1 [0098.957] GetProcessHeap () returned 0xbc0000 [0098.957] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0x2cef020 | out: hHeap=0xbc0000) returned 1 [0098.959] CloseHandle (hObject=0x23c) returned 1 [0098.960] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0098.960] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0098.960] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0098.960] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0098.960] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268bd90 [0098.960] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms.nefilim")) returned 1 [0098.960] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0098.960] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0098.960] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3d0 | out: hHeap=0x2680000) returned 1 [0098.960] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x8b716935, ftCreationTime.dwHighDateTime=0x1d32741, ftLastAccessTime.dwLowDateTime=0x8b716935, ftLastAccessTime.dwHighDateTime=0x1d32741, ftLastWriteTime.dwLowDateTime=0x8b762e4b, ftLastWriteTime.dwHighDateTime=0x1d32741, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~4.REG")) returned 1 [0098.960] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0098.960] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0098.960] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="...") returned 1 [0098.960] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="windows") returned -1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="rsa") returned -1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntldr") returned 1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="IO.SYS") returned 1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot.ini") returned 1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat") returned 1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="desktop.ini") returned 1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="RECYCLER") returned -1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootmgr") returned 1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="programdata") returned -1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="appdata") returned 1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files") returned -1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files (x86)") returned -1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="microsoft") returned 1 [0098.961] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="sophos") returned -1 [0098.961] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xe0) returned 0x26804b8 [0098.961] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0098.961] PathFindExtensionW (pszPath="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0098.961] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26814b8 [0098.961] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0098.961] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0098.961] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0098.961] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0098.961] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0098.961] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0098.961] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0098.961] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0098.961] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0098.961] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0098.961] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0098.962] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0098.962] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0098.962] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEFILIM") returned 1 [0098.962] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0098.962] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0098.962] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0098.962] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xe0) returned 0x268e2e8 [0098.962] CreateFileW (lpFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0098.962] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=524288) returned 1 [0098.962] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0098.962] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0098.962] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0098.962] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0098.962] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0098.962] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0098.962] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0098.962] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0098.964] GetTickCount () returned 0x1159ead [0098.964] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0098.964] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0098.964] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.964] SetLastError (dwErrCode=0x0) [0098.964] WriteFile (in: hFile=0x23c, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.965] GetLastError () returned 0x0 [0098.965] GetLastError () returned 0x0 [0098.965] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.965] WriteFile (in: hFile=0x23c, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0098.965] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x80200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.965] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x35f953fa, dwHighDateTime=0x1d5f971)) [0098.965] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0098.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0098.965] WriteFile (in: hFile=0x23c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0098.965] GetProcessHeap () returned 0xbc0000 [0098.966] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x80000) returned 0x2ce5020 [0098.967] GetSystemDefaultLangID () returned 0xbd0409 [0098.967] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0098.967] ReadFile (in: hFile=0x23c, lpBuffer=0x2ce5020, nNumberOfBytesToRead=0x80000, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0x2ce5020*, lpNumberOfBytesRead=0x25bee3c*=0x80000, lpOverlapped=0x0) returned 1 [0099.049] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.049] WriteFile (in: hFile=0x23c, lpBuffer=0x2ce5020*, nNumberOfBytesToWrite=0x80000, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2ce5020*, lpNumberOfBytesWritten=0x25bee30*=0x80000, lpOverlapped=0x0) returned 1 [0099.050] GetProcessHeap () returned 0xbc0000 [0099.050] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0x2ce5020 | out: hHeap=0xbc0000) returned 1 [0099.053] CloseHandle (hObject=0x23c) returned 1 [0099.053] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0099.053] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0099.053] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0099.053] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0099.053] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xf0) returned 0x268bd90 [0099.053] MoveFileW (lpExistingFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms"), lpNewFileName="C:\\Users\\Default\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms.NEFILIM" (normalized: "c:\\users\\default\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms.nefilim")) returned 1 [0099.054] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0099.054] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0099.054] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0099.054] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="...") returned 1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="$RECYCLE.BIN") returned 1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="rsa") returned -1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="NTDETECT.COM") returned 1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="ntldr") returned 1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="MSDOS.SYS") returned 1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="IO.SYS") returned 1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="boot.ini") returned 1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="ntuser.dat") returned 1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="desktop.ini") returned 1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="CONFIG.SYS") returned 1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="RECYCLER") returned -1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="BOOTSECT.BAK") returned 1 [0099.054] lstrcmpiW (lpString1="Pictures", lpString2="bootmgr") returned 1 [0099.055] lstrcmpiW (lpString1="Pictures", lpString2="programdata") returned -1 [0099.055] lstrcmpiW (lpString1="Pictures", lpString2="appdata") returned 1 [0099.055] lstrcmpiW (lpString1="Pictures", lpString2="program files") returned -1 [0099.055] lstrcmpiW (lpString1="Pictures", lpString2="program files (x86)") returned -1 [0099.055] lstrcmpiW (lpString1="Pictures", lpString2="microsoft") returned 1 [0099.055] lstrcmpiW (lpString1="Pictures", lpString2="sophos") returned -1 [0099.055] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0099.055] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0099.055] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0099.055] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0099.055] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0099.055] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Pictures\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2000000, cFileName=".", cAlternateFileName="")) returned 0xbe23c8 [0099.055] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0099.055] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 1 [0099.055] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0099.055] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0099.055] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 0 [0099.055] FindClose (in: hFindFile=0xbe23c8 | out: hFindFile=0xbe23c8) returned 1 [0099.055] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0099.055] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0099.055] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0099.055] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0099.055] lstrcmpiW (lpString1="PrintHood", lpString2=".") returned 1 [0099.055] lstrcmpiW (lpString1="PrintHood", lpString2="..") returned 1 [0099.055] lstrcmpiW (lpString1="PrintHood", lpString2="...") returned 1 [0099.055] lstrcmpiW (lpString1="PrintHood", lpString2="windows") returned -1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="$RECYCLE.BIN") returned 1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="rsa") returned -1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="NTDETECT.COM") returned 1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="ntldr") returned 1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="MSDOS.SYS") returned 1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="IO.SYS") returned 1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="boot.ini") returned 1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="AUTOEXEC.BAT") returned 1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="ntuser.dat") returned 1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="desktop.ini") returned 1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="CONFIG.SYS") returned 1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="RECYCLER") returned -1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="BOOTSECT.BAK") returned 1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="bootmgr") returned 1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="programdata") returned -1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="appdata") returned 1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="program files") returned -1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="program files (x86)") returned -1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="microsoft") returned 1 [0099.056] lstrcmpiW (lpString1="PrintHood", lpString2="sophos") returned -1 [0099.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0099.056] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0099.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0099.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0099.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0099.056] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\PrintHood\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0xb00000b, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1e00001e, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2000000, cFileName="", cAlternateFileName="ɛ⊺Ċᒸɨቸɨ6")) returned 0xffffffff [0099.056] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0099.056] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0099.056] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0099.056] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0099.056] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0099.056] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0099.056] lstrcmpiW (lpString1="Recent", lpString2="...") returned 1 [0099.056] lstrcmpiW (lpString1="Recent", lpString2="windows") returned -1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="$RECYCLE.BIN") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="rsa") returned -1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="NTDETECT.COM") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="ntldr") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="MSDOS.SYS") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="IO.SYS") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="boot.ini") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="AUTOEXEC.BAT") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="ntuser.dat") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="desktop.ini") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="CONFIG.SYS") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="RECYCLER") returned -1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="BOOTSECT.BAK") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="bootmgr") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="programdata") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="appdata") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="program files") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="program files (x86)") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="microsoft") returned 1 [0099.057] lstrcmpiW (lpString1="Recent", lpString2="sophos") returned -1 [0099.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0099.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x46) returned 0x26812c0 [0099.057] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0099.057] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0099.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0099.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0099.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0099.057] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Recent\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x2000002, ftLastAccessTime.dwLowDateTime=0xc3fbafc3, ftLastAccessTime.dwHighDateTime=0x9000009, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1e00001e, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x1e00001e, cFileName="", cAlternateFileName="ɛ⊺Ċቸɨዀɨ0")) returned 0xffffffff [0099.057] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0099.057] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0099.057] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0099.057] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0099.057] lstrcmpiW (lpString1="Saved Games", lpString2=".") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="..") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="...") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="windows") returned -1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="$RECYCLE.BIN") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="rsa") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="NTDETECT.COM") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="ntldr") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="MSDOS.SYS") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="IO.SYS") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="boot.ini") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="AUTOEXEC.BAT") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="ntuser.dat") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="desktop.ini") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="CONFIG.SYS") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="RECYCLER") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="BOOTSECT.BAK") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="bootmgr") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="programdata") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="appdata") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="program files") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="program files (x86)") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="microsoft") returned 1 [0099.058] lstrcmpiW (lpString1="Saved Games", lpString2="sophos") returned -1 [0099.058] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0099.058] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0099.058] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0099.058] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0099.058] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0099.058] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Saved Games\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x1e00001e, cFileName=".", cAlternateFileName="")) returned 0xbe2408 [0099.058] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0099.058] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 1 [0099.059] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0099.059] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0099.059] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 0 [0099.059] FindClose (in: hFindFile=0xbe2408 | out: hFindFile=0xbe2408) returned 1 [0099.059] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0099.059] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0099.059] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0099.059] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2=".") returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="..") returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="...") returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="windows") returned -1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="$RECYCLE.BIN") returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="rsa") returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="NTDETECT.COM") returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="ntldr") returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="MSDOS.SYS") returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="IO.SYS") returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="boot.ini") returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="AUTOEXEC.BAT") returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="ntuser.dat") returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="desktop.ini") returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="CONFIG.SYS") returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="RECYCLER") returned 1 [0099.059] lstrcmpiW (lpString1="SendTo", lpString2="BOOTSECT.BAK") returned 1 [0099.060] lstrcmpiW (lpString1="SendTo", lpString2="bootmgr") returned 1 [0099.060] lstrcmpiW (lpString1="SendTo", lpString2="programdata") returned 1 [0099.060] lstrcmpiW (lpString1="SendTo", lpString2="appdata") returned 1 [0099.060] lstrcmpiW (lpString1="SendTo", lpString2="program files") returned 1 [0099.060] lstrcmpiW (lpString1="SendTo", lpString2="program files (x86)") returned 1 [0099.060] lstrcmpiW (lpString1="SendTo", lpString2="microsoft") returned 1 [0099.060] lstrcmpiW (lpString1="SendTo", lpString2="sophos") returned -1 [0099.060] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0099.060] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x46) returned 0x26812c0 [0099.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0099.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0099.060] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0099.060] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0099.060] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0099.060] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\SendTo\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x2000002, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0x9000009, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="ɛ⊺Ċቸɨዀɨ0")) returned 0xffffffff [0099.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0099.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0099.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0099.060] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0099.060] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0099.060] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0099.060] lstrcmpiW (lpString1="Start Menu", lpString2="...") returned 1 [0099.060] lstrcmpiW (lpString1="Start Menu", lpString2="windows") returned -1 [0099.060] lstrcmpiW (lpString1="Start Menu", lpString2="$RECYCLE.BIN") returned 1 [0099.060] lstrcmpiW (lpString1="Start Menu", lpString2="rsa") returned 1 [0099.060] lstrcmpiW (lpString1="Start Menu", lpString2="NTDETECT.COM") returned 1 [0099.060] lstrcmpiW (lpString1="Start Menu", lpString2="ntldr") returned 1 [0099.060] lstrcmpiW (lpString1="Start Menu", lpString2="MSDOS.SYS") returned 1 [0099.060] lstrcmpiW (lpString1="Start Menu", lpString2="IO.SYS") returned 1 [0099.060] lstrcmpiW (lpString1="Start Menu", lpString2="boot.ini") returned 1 [0099.060] lstrcmpiW (lpString1="Start Menu", lpString2="AUTOEXEC.BAT") returned 1 [0099.060] lstrcmpiW (lpString1="Start Menu", lpString2="ntuser.dat") returned 1 [0099.060] lstrcmpiW (lpString1="Start Menu", lpString2="desktop.ini") returned 1 [0099.061] lstrcmpiW (lpString1="Start Menu", lpString2="CONFIG.SYS") returned 1 [0099.061] lstrcmpiW (lpString1="Start Menu", lpString2="RECYCLER") returned 1 [0099.061] lstrcmpiW (lpString1="Start Menu", lpString2="BOOTSECT.BAK") returned 1 [0099.061] lstrcmpiW (lpString1="Start Menu", lpString2="bootmgr") returned 1 [0099.061] lstrcmpiW (lpString1="Start Menu", lpString2="programdata") returned 1 [0099.061] lstrcmpiW (lpString1="Start Menu", lpString2="appdata") returned 1 [0099.061] lstrcmpiW (lpString1="Start Menu", lpString2="program files") returned 1 [0099.061] lstrcmpiW (lpString1="Start Menu", lpString2="program files (x86)") returned 1 [0099.061] lstrcmpiW (lpString1="Start Menu", lpString2="microsoft") returned 1 [0099.061] lstrcmpiW (lpString1="Start Menu", lpString2="sophos") returned 1 [0099.061] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0099.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0099.061] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0099.061] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0099.061] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0099.061] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Start Menu\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x2000002, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0xb00000b, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x2680000, nFileSizeLow=0x9000009, dwReserved0=0x268e2e8, dwReserved1=0x1e00001e, cFileName="", cAlternateFileName="ɛ⊺Ċᒸɨቸɨ8")) returned 0xffffffff [0099.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0099.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0099.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0099.061] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x785fe036, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0x785fe036, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x785fe036, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0099.061] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0099.061] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0099.061] lstrcmpiW (lpString1="Templates", lpString2="...") returned 1 [0099.061] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0099.061] lstrcmpiW (lpString1="Templates", lpString2="$RECYCLE.BIN") returned 1 [0099.061] lstrcmpiW (lpString1="Templates", lpString2="rsa") returned 1 [0099.061] lstrcmpiW (lpString1="Templates", lpString2="NTDETECT.COM") returned 1 [0099.061] lstrcmpiW (lpString1="Templates", lpString2="ntldr") returned 1 [0099.061] lstrcmpiW (lpString1="Templates", lpString2="MSDOS.SYS") returned 1 [0099.061] lstrcmpiW (lpString1="Templates", lpString2="IO.SYS") returned 1 [0099.061] lstrcmpiW (lpString1="Templates", lpString2="boot.ini") returned 1 [0099.061] lstrcmpiW (lpString1="Templates", lpString2="AUTOEXEC.BAT") returned 1 [0099.061] lstrcmpiW (lpString1="Templates", lpString2="ntuser.dat") returned 1 [0099.062] lstrcmpiW (lpString1="Templates", lpString2="desktop.ini") returned 1 [0099.062] lstrcmpiW (lpString1="Templates", lpString2="CONFIG.SYS") returned 1 [0099.062] lstrcmpiW (lpString1="Templates", lpString2="RECYCLER") returned 1 [0099.062] lstrcmpiW (lpString1="Templates", lpString2="BOOTSECT.BAK") returned 1 [0099.062] lstrcmpiW (lpString1="Templates", lpString2="bootmgr") returned 1 [0099.062] lstrcmpiW (lpString1="Templates", lpString2="programdata") returned 1 [0099.062] lstrcmpiW (lpString1="Templates", lpString2="appdata") returned 1 [0099.062] lstrcmpiW (lpString1="Templates", lpString2="program files") returned 1 [0099.062] lstrcmpiW (lpString1="Templates", lpString2="program files (x86)") returned 1 [0099.062] lstrcmpiW (lpString1="Templates", lpString2="microsoft") returned 1 [0099.062] lstrcmpiW (lpString1="Templates", lpString2="sophos") returned 1 [0099.062] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0099.062] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0099.062] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0099.062] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0099.062] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0099.062] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Templates\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1e00001e, ftLastAccessTime.dwLowDateTime=0xc3fbb8a6, ftLastAccessTime.dwHighDateTime=0xb00000b, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x2680000, nFileSizeLow=0xb00000b, dwReserved0=0x268e2e8, dwReserved1=0x1e00001e, cFileName="", cAlternateFileName="ɛ⊺Ċቸɨᒸɨ6")) returned 0xffffffff [0099.062] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0099.062] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0099.062] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0099.062] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0099.062] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0099.062] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0099.062] lstrcmpiW (lpString1="Videos", lpString2="...") returned 1 [0099.062] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0099.062] lstrcmpiW (lpString1="Videos", lpString2="$RECYCLE.BIN") returned 1 [0099.062] lstrcmpiW (lpString1="Videos", lpString2="rsa") returned 1 [0099.062] lstrcmpiW (lpString1="Videos", lpString2="NTDETECT.COM") returned 1 [0099.062] lstrcmpiW (lpString1="Videos", lpString2="ntldr") returned 1 [0099.062] lstrcmpiW (lpString1="Videos", lpString2="MSDOS.SYS") returned 1 [0099.062] lstrcmpiW (lpString1="Videos", lpString2="IO.SYS") returned 1 [0099.062] lstrcmpiW (lpString1="Videos", lpString2="boot.ini") returned 1 [0099.062] lstrcmpiW (lpString1="Videos", lpString2="AUTOEXEC.BAT") returned 1 [0099.062] lstrcmpiW (lpString1="Videos", lpString2="ntuser.dat") returned 1 [0099.063] lstrcmpiW (lpString1="Videos", lpString2="desktop.ini") returned 1 [0099.063] lstrcmpiW (lpString1="Videos", lpString2="CONFIG.SYS") returned 1 [0099.063] lstrcmpiW (lpString1="Videos", lpString2="RECYCLER") returned 1 [0099.063] lstrcmpiW (lpString1="Videos", lpString2="BOOTSECT.BAK") returned 1 [0099.063] lstrcmpiW (lpString1="Videos", lpString2="bootmgr") returned 1 [0099.063] lstrcmpiW (lpString1="Videos", lpString2="programdata") returned 1 [0099.063] lstrcmpiW (lpString1="Videos", lpString2="appdata") returned 1 [0099.063] lstrcmpiW (lpString1="Videos", lpString2="program files") returned 1 [0099.063] lstrcmpiW (lpString1="Videos", lpString2="program files (x86)") returned 1 [0099.063] lstrcmpiW (lpString1="Videos", lpString2="microsoft") returned 1 [0099.063] lstrcmpiW (lpString1="Videos", lpString2="sophos") returned 1 [0099.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e688 [0099.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x46) returned 0x2681278 [0099.063] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0099.063] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0099.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0099.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c8 [0099.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0099.063] FindFirstFileW (in: lpFileName="C:\\Users\\Default\\Videos\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x1e00001e, cFileName=".", cAlternateFileName="")) returned 0xbe2a48 [0099.063] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0099.063] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 1 [0099.063] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0099.063] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0099.063] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 0 [0099.063] FindClose (in: hFindFile=0xbe2a48 | out: hFindFile=0xbe2a48) returned 1 [0099.063] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0099.063] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c8 | out: hHeap=0x2680000) returned 1 [0099.063] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0099.064] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0099.064] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0099.064] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0099.064] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0099.064] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0099.064] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xd7b844b1, ftCreationTime.dwHighDateTime=0x1d2a02f, ftLastAccessTime.dwLowDateTime=0xd7b844b1, ftLastAccessTime.dwHighDateTime=0x1d2a02f, ftLastWriteTime.dwLowDateTime=0xd7b844b1, ftLastWriteTime.dwHighDateTime=0x1d2a02f, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="Default User", cAlternateFileName="DEFAUL~1")) returned 1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2=".") returned 1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="..") returned 1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="...") returned 1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="windows") returned -1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="$RECYCLE.BIN") returned 1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="rsa") returned -1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="NTDETECT.COM") returned -1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="ntldr") returned -1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="MSDOS.SYS") returned -1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="IO.SYS") returned -1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="boot.ini") returned 1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="AUTOEXEC.BAT") returned 1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="ntuser.dat") returned -1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="desktop.ini") returned -1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="CONFIG.SYS") returned 1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="RECYCLER") returned -1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="BOOTSECT.BAK") returned 1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="bootmgr") returned 1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="programdata") returned -1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="appdata") returned 1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="program files") returned -1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="program files (x86)") returned -1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="microsoft") returned -1 [0099.064] lstrcmpiW (lpString1="Default User", lpString2="sophos") returned -1 [0099.064] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0099.064] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0099.064] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0099.064] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e420 [0099.064] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0099.065] FindFirstFileW (in: lpFileName="C:\\Users\\Default User\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc3fbc16a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xd9eaaa, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="ɛ⊺Ċɨɨ,")) returned 0xffffffff [0099.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0099.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e420 | out: hHeap=0x2680000) returned 1 [0099.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0099.065] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="Default.migrated", cAlternateFileName="DEFAUL~1.MIG")) returned 1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2=".") returned 1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="..") returned 1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="...") returned 1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="windows") returned -1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="$RECYCLE.BIN") returned 1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="rsa") returned -1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="NTDETECT.COM") returned -1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="ntldr") returned -1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="MSDOS.SYS") returned -1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="IO.SYS") returned -1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="boot.ini") returned 1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="AUTOEXEC.BAT") returned 1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="ntuser.dat") returned -1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="desktop.ini") returned -1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="CONFIG.SYS") returned 1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="RECYCLER") returned -1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="BOOTSECT.BAK") returned 1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="bootmgr") returned 1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="programdata") returned -1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="appdata") returned 1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="program files") returned -1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="program files (x86)") returned -1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="microsoft") returned -1 [0099.065] lstrcmpiW (lpString1="Default.migrated", lpString2="sophos") returned -1 [0099.065] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0099.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0099.065] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0099.065] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0099.065] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0099.065] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe28c8 [0099.070] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0099.070] FindNextFileW (in: hFindFile=0xbe28c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x31bae0f4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0xc40864ff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0099.070] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0099.070] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0099.070] FindNextFileW (in: hFindFile=0xbe28c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x7205420a, ftLastAccessTime.dwHighDateTime=0x1d32720, ftLastWriteTime.dwLowDateTime=0x7205420a, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="...") returned 1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="$RECYCLE.BIN") returned 1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="rsa") returned -1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="NTDETECT.COM") returned -1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="ntldr") returned -1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="MSDOS.SYS") returned -1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="IO.SYS") returned -1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="boot.ini") returned -1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="AUTOEXEC.BAT") returned -1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="ntuser.dat") returned -1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="desktop.ini") returned -1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="CONFIG.SYS") returned -1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="RECYCLER") returned -1 [0099.070] lstrcmpiW (lpString1="AppData", lpString2="BOOTSECT.BAK") returned -1 [0099.071] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0099.071] lstrcmpiW (lpString1="AppData", lpString2="programdata") returned -1 [0099.071] lstrcmpiW (lpString1="AppData", lpString2="appdata") returned 0 [0099.071] FindNextFileW (in: hFindFile=0xbe28c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="$RECYCLE.BIN") returned 1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="NTDETECT.COM") returned -1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="ntldr") returned -1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="MSDOS.SYS") returned -1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="IO.SYS") returned -1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="boot.ini") returned 1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="AUTOEXEC.BAT") returned 1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="desktop.ini") returned 1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="CONFIG.SYS") returned 1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="RECYCLER") returned -1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="BOOTSECT.BAK") returned 1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="microsoft") returned -1 [0099.071] lstrcmpiW (lpString1="Documents", lpString2="sophos") returned -1 [0099.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680500 [0099.071] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0099.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0099.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0099.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e398 [0099.071] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\Documents\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0099.073] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0099.073] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0099.074] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0099.074] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0099.074] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99a3d0f, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99a3d0f, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99a3d0f, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="...") returned 1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="$RECYCLE.BIN") returned 1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="rsa") returned -1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="NTDETECT.COM") returned -1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="ntldr") returned -1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="MSDOS.SYS") returned 1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="IO.SYS") returned 1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="boot.ini") returned 1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="AUTOEXEC.BAT") returned 1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="ntuser.dat") returned -1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="desktop.ini") returned 1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="CONFIG.SYS") returned 1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="RECYCLER") returned -1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="BOOTSECT.BAK") returned 1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="programdata") returned -1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="appdata") returned 1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="program files") returned -1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="program files (x86)") returned -1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="microsoft") returned 1 [0099.074] lstrcmpiW (lpString1="My Music", lpString2="sophos") returned -1 [0099.074] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0099.074] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0099.074] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0099.074] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268be60 [0099.074] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e800 [0099.074] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\Documents\\My Music\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xffff74ca, ftCreationTime.dwHighDateTime=0xfd0000fd, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xfd0000fd, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɛ⊺Ċ뷸ɨ붐ɨZ")) returned 0xffffffff [0099.075] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0099.075] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0099.075] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0099.075] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="...") returned 1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="$RECYCLE.BIN") returned 1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="rsa") returned -1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="NTDETECT.COM") returned -1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="ntldr") returned -1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="MSDOS.SYS") returned 1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="IO.SYS") returned 1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="boot.ini") returned 1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="ntuser.dat") returned -1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="desktop.ini") returned 1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="CONFIG.SYS") returned 1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="RECYCLER") returned -1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="BOOTSECT.BAK") returned 1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="programdata") returned -1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="appdata") returned 1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="program files") returned -1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="program files (x86)") returned -1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="microsoft") returned 1 [0099.075] lstrcmpiW (lpString1="My Pictures", lpString2="sophos") returned -1 [0099.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0099.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x8e) returned 0x268e800 [0099.076] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0099.076] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0099.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0099.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0099.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e898 [0099.076] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\Documents\\My Pictures\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xffff74ca, ftCreationTime.dwHighDateTime=0xea0000ea, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0xf00003f3, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xfd0000fd, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="", cAlternateFileName="ɛ⊺Ċ붐ɨɨ`")) returned 0xffffffff [0099.076] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0099.076] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0099.076] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0099.076] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="...") returned 1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="$RECYCLE.BIN") returned 1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="rsa") returned -1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="NTDETECT.COM") returned -1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="ntldr") returned -1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="MSDOS.SYS") returned 1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="IO.SYS") returned 1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="boot.ini") returned 1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="AUTOEXEC.BAT") returned 1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="ntuser.dat") returned -1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="desktop.ini") returned 1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="CONFIG.SYS") returned 1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="RECYCLER") returned -1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="BOOTSECT.BAK") returned 1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="programdata") returned -1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="appdata") returned 1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="program files") returned -1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="program files (x86)") returned -1 [0099.076] lstrcmpiW (lpString1="My Videos", lpString2="microsoft") returned 1 [0099.077] lstrcmpiW (lpString1="My Videos", lpString2="sophos") returned -1 [0099.077] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0099.077] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0099.077] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0099.077] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268be60 [0099.077] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e800 [0099.077] FindFirstFileW (in: lpFileName="C:\\Users\\Default.migrated\\Documents\\My Videos\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xffff74ca, ftCreationTime.dwHighDateTime=0xfd0000fd, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0xf00003f3, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0xea0000ea, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0xf00003f3, cFileName="", cAlternateFileName="ɛ⊺Ċ뷸ɨ붐ɨ\\")) returned 0xffffffff [0099.077] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0099.077] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0099.077] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0099.077] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99c9f63, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99c9f63, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99c9f63, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0099.077] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0099.078] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0099.078] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0099.078] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0099.078] FindNextFileW (in: hFindFile=0xbe28c8, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd9eaaa, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xc4204fb0, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x5636bd87, ftLastWriteTime.dwHighDateTime=0x1d32720, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 0 [0099.078] FindClose (in: hFindFile=0xbe28c8 | out: hFindFile=0xbe28c8) returned 1 [0099.078] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0099.078] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0099.078] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0099.078] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1a9bc987, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5f69dfa, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5f69dfa, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0099.078] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0099.078] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0099.078] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0099.078] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0099.078] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0099.078] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0099.078] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0099.078] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0099.078] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0099.078] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0099.078] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0099.078] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0099.078] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0099.078] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0099.078] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="FD1HVy", cAlternateFileName="")) returned 1 [0099.078] lstrcmpiW (lpString1="FD1HVy", lpString2=".") returned 1 [0099.078] lstrcmpiW (lpString1="FD1HVy", lpString2="..") returned 1 [0099.078] lstrcmpiW (lpString1="FD1HVy", lpString2="...") returned 1 [0099.078] lstrcmpiW (lpString1="FD1HVy", lpString2="windows") returned -1 [0099.078] lstrcmpiW (lpString1="FD1HVy", lpString2="$RECYCLE.BIN") returned 1 [0099.078] lstrcmpiW (lpString1="FD1HVy", lpString2="rsa") returned -1 [0099.078] lstrcmpiW (lpString1="FD1HVy", lpString2="NTDETECT.COM") returned -1 [0099.078] lstrcmpiW (lpString1="FD1HVy", lpString2="ntldr") returned -1 [0099.078] lstrcmpiW (lpString1="FD1HVy", lpString2="MSDOS.SYS") returned -1 [0099.079] lstrcmpiW (lpString1="FD1HVy", lpString2="IO.SYS") returned -1 [0099.079] lstrcmpiW (lpString1="FD1HVy", lpString2="boot.ini") returned 1 [0099.079] lstrcmpiW (lpString1="FD1HVy", lpString2="AUTOEXEC.BAT") returned 1 [0099.079] lstrcmpiW (lpString1="FD1HVy", lpString2="ntuser.dat") returned -1 [0099.079] lstrcmpiW (lpString1="FD1HVy", lpString2="desktop.ini") returned 1 [0099.079] lstrcmpiW (lpString1="FD1HVy", lpString2="CONFIG.SYS") returned 1 [0099.079] lstrcmpiW (lpString1="FD1HVy", lpString2="RECYCLER") returned -1 [0099.079] lstrcmpiW (lpString1="FD1HVy", lpString2="BOOTSECT.BAK") returned 1 [0099.079] lstrcmpiW (lpString1="FD1HVy", lpString2="bootmgr") returned 1 [0099.079] lstrcmpiW (lpString1="FD1HVy", lpString2="programdata") returned -1 [0099.079] lstrcmpiW (lpString1="FD1HVy", lpString2="appdata") returned 1 [0099.079] lstrcmpiW (lpString1="FD1HVy", lpString2="program files") returned -1 [0099.079] lstrcmpiW (lpString1="FD1HVy", lpString2="program files (x86)") returned -1 [0099.079] lstrcmpiW (lpString1="FD1HVy", lpString2="microsoft") returned -1 [0099.079] lstrcmpiW (lpString1="FD1HVy", lpString2="sophos") returned -1 [0099.079] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2681278 [0099.079] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6f8 [0099.079] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0099.079] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0099.079] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e500 [0099.079] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e490 [0099.079] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0099.079] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0099.079] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0099.079] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0099.079] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0099.079] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0099.079] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0x210870f2, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x3b5a0677, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x3b5a0677, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AppData", cAlternateFileName="")) returned 1 [0099.079] lstrcmpiW (lpString1="AppData", lpString2=".") returned 1 [0099.079] lstrcmpiW (lpString1="AppData", lpString2="..") returned 1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="...") returned 1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="windows") returned -1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="$RECYCLE.BIN") returned 1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="rsa") returned -1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="NTDETECT.COM") returned -1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="ntldr") returned -1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="MSDOS.SYS") returned -1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="IO.SYS") returned -1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="boot.ini") returned -1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="AUTOEXEC.BAT") returned -1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="ntuser.dat") returned -1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="desktop.ini") returned -1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="CONFIG.SYS") returned -1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="RECYCLER") returned -1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="BOOTSECT.BAK") returned -1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="bootmgr") returned -1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="programdata") returned -1 [0099.080] lstrcmpiW (lpString1="AppData", lpString2="appdata") returned 0 [0099.080] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2=".") returned 1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="..") returned 1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="...") returned 1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="windows") returned -1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="$RECYCLE.BIN") returned 1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="rsa") returned -1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="NTDETECT.COM") returned -1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="ntldr") returned -1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="MSDOS.SYS") returned -1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="IO.SYS") returned -1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="boot.ini") returned -1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="AUTOEXEC.BAT") returned -1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="ntuser.dat") returned -1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="desktop.ini") returned -1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="CONFIG.SYS") returned -1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="RECYCLER") returned -1 [0099.080] lstrcmpiW (lpString1="Application Data", lpString2="BOOTSECT.BAK") returned -1 [0099.081] lstrcmpiW (lpString1="Application Data", lpString2="bootmgr") returned -1 [0099.081] lstrcmpiW (lpString1="Application Data", lpString2="programdata") returned -1 [0099.081] lstrcmpiW (lpString1="Application Data", lpString2="appdata") returned 1 [0099.081] lstrcmpiW (lpString1="Application Data", lpString2="program files") returned -1 [0099.081] lstrcmpiW (lpString1="Application Data", lpString2="program files (x86)") returned -1 [0099.081] lstrcmpiW (lpString1="Application Data", lpString2="microsoft") returned -1 [0099.081] lstrcmpiW (lpString1="Application Data", lpString2="sophos") returned -1 [0099.081] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681278 [0099.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0099.081] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0099.081] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0099.081] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0099.081] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Application Data\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0x1d32744, ftCreationTime.dwHighDateTime=0x22000022, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x9000009, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x1e00001e, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɛ⊺ĊҸɨቸɨB")) returned 0xffffffff [0099.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0099.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0099.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0099.081] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Contacts", cAlternateFileName="")) returned 1 [0099.081] lstrcmpiW (lpString1="Contacts", lpString2=".") returned 1 [0099.081] lstrcmpiW (lpString1="Contacts", lpString2="..") returned 1 [0099.081] lstrcmpiW (lpString1="Contacts", lpString2="...") returned 1 [0099.081] lstrcmpiW (lpString1="Contacts", lpString2="windows") returned -1 [0099.081] lstrcmpiW (lpString1="Contacts", lpString2="$RECYCLE.BIN") returned 1 [0099.081] lstrcmpiW (lpString1="Contacts", lpString2="rsa") returned -1 [0099.081] lstrcmpiW (lpString1="Contacts", lpString2="NTDETECT.COM") returned -1 [0099.081] lstrcmpiW (lpString1="Contacts", lpString2="ntldr") returned -1 [0099.081] lstrcmpiW (lpString1="Contacts", lpString2="MSDOS.SYS") returned -1 [0099.081] lstrcmpiW (lpString1="Contacts", lpString2="IO.SYS") returned -1 [0099.081] lstrcmpiW (lpString1="Contacts", lpString2="boot.ini") returned 1 [0099.081] lstrcmpiW (lpString1="Contacts", lpString2="AUTOEXEC.BAT") returned 1 [0099.081] lstrcmpiW (lpString1="Contacts", lpString2="ntuser.dat") returned -1 [0099.081] lstrcmpiW (lpString1="Contacts", lpString2="desktop.ini") returned -1 [0099.081] lstrcmpiW (lpString1="Contacts", lpString2="CONFIG.SYS") returned 1 [0099.082] lstrcmpiW (lpString1="Contacts", lpString2="RECYCLER") returned -1 [0099.082] lstrcmpiW (lpString1="Contacts", lpString2="BOOTSECT.BAK") returned 1 [0099.082] lstrcmpiW (lpString1="Contacts", lpString2="bootmgr") returned 1 [0099.082] lstrcmpiW (lpString1="Contacts", lpString2="programdata") returned -1 [0099.082] lstrcmpiW (lpString1="Contacts", lpString2="appdata") returned 1 [0099.082] lstrcmpiW (lpString1="Contacts", lpString2="program files") returned -1 [0099.082] lstrcmpiW (lpString1="Contacts", lpString2="program files (x86)") returned -1 [0099.082] lstrcmpiW (lpString1="Contacts", lpString2="microsoft") returned -1 [0099.082] lstrcmpiW (lpString1="Contacts", lpString2="sophos") returned -1 [0099.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0099.082] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0099.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0099.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0099.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0099.082] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Contacts\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0099.082] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0099.082] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd43ecce6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2cb2cd, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0099.082] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0099.082] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0099.082] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0099.082] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0099.082] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0099.082] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0099.082] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0099.082] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0099.082] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0099.082] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0099.082] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0099.082] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0099.082] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0099.083] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0099.083] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0099.083] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0099.083] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0099.083] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0099.083] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0099.083] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0099.083] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0099.083] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0099.083] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2=".") returned 1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="..") returned 1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="...") returned 1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="windows") returned -1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="$RECYCLE.BIN") returned 1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="rsa") returned -1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="NTDETECT.COM") returned -1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="ntldr") returned -1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="MSDOS.SYS") returned -1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="IO.SYS") returned -1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="boot.ini") returned 1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="AUTOEXEC.BAT") returned 1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="ntuser.dat") returned -1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="desktop.ini") returned -1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="CONFIG.SYS") returned 1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="RECYCLER") returned -1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="BOOTSECT.BAK") returned 1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="bootmgr") returned 1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="programdata") returned -1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="appdata") returned 1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="program files") returned -1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="program files (x86)") returned -1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="microsoft") returned -1 [0099.083] lstrcmpiW (lpString1="Cookies", lpString2="sophos") returned -1 [0099.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0099.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x46) returned 0x2681278 [0099.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0099.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0099.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0099.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0099.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0099.084] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Cookies\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x2000002, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x9000009, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x2680000, nFileSizeLow=0x19c, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="desktop.", cAlternateFileName="ɛ⊺Ċዐɨቸɨ0")) returned 0xffffffff [0099.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0099.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0099.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0099.084] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x82fba84, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x82fba84, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="$RECYCLE.BIN") returned 1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="NTDETECT.COM") returned -1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="ntldr") returned -1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="MSDOS.SYS") returned -1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="IO.SYS") returned -1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="boot.ini") returned 1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="AUTOEXEC.BAT") returned 1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="desktop.ini") returned -1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="CONFIG.SYS") returned 1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="RECYCLER") returned -1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="BOOTSECT.BAK") returned 1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0099.084] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0099.085] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0099.085] lstrcmpiW (lpString1="Desktop", lpString2="microsoft") returned -1 [0099.085] lstrcmpiW (lpString1="Desktop", lpString2="sophos") returned -1 [0099.085] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0099.085] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x46) returned 0x26804b8 [0099.085] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0099.085] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0099.085] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0099.085] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0099.085] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0099.085] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x82fba84, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x82fba84, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName=".", cAlternateFileName="")) returned 0xbe2888 [0099.085] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0099.085] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x82fba84, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x82fba84, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="..", cAlternateFileName="")) returned 1 [0099.085] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0099.085] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0099.085] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9ce5500, ftCreationTime.dwHighDateTime=0x1d5f970, ftLastAccessTime.dwLowDateTime=0xf9ce5500, ftLastAccessTime.dwHighDateTime=0x1d5f970, ftLastWriteTime.dwLowDateTime=0xf76bfb00, ftLastWriteTime.dwHighDateTime=0x1d5f970, nFileSizeHigh=0x0, nFileSizeLow=0x11be0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="1.exe", cAlternateFileName="")) returned 1 [0099.085] lstrcmpiW (lpString1="1.exe", lpString2=".") returned 1 [0099.085] lstrcmpiW (lpString1="1.exe", lpString2="..") returned 1 [0099.085] lstrcmpiW (lpString1="1.exe", lpString2="...") returned 1 [0099.085] lstrcmpiW (lpString1="1.exe", lpString2="windows") returned -1 [0099.085] lstrcmpiW (lpString1="1.exe", lpString2="$RECYCLE.BIN") returned 1 [0099.085] lstrcmpiW (lpString1="1.exe", lpString2="rsa") returned -1 [0099.085] lstrcmpiW (lpString1="1.exe", lpString2="NTDETECT.COM") returned -1 [0099.085] lstrcmpiW (lpString1="1.exe", lpString2="ntldr") returned -1 [0099.085] lstrcmpiW (lpString1="1.exe", lpString2="MSDOS.SYS") returned -1 [0099.085] lstrcmpiW (lpString1="1.exe", lpString2="IO.SYS") returned -1 [0099.085] lstrcmpiW (lpString1="1.exe", lpString2="boot.ini") returned -1 [0099.085] lstrcmpiW (lpString1="1.exe", lpString2="AUTOEXEC.BAT") returned -1 [0099.085] lstrcmpiW (lpString1="1.exe", lpString2="ntuser.dat") returned -1 [0099.085] lstrcmpiW (lpString1="1.exe", lpString2="desktop.ini") returned -1 [0099.086] lstrcmpiW (lpString1="1.exe", lpString2="CONFIG.SYS") returned -1 [0099.086] lstrcmpiW (lpString1="1.exe", lpString2="RECYCLER") returned -1 [0099.086] lstrcmpiW (lpString1="1.exe", lpString2="BOOTSECT.BAK") returned -1 [0099.086] lstrcmpiW (lpString1="1.exe", lpString2="bootmgr") returned -1 [0099.086] lstrcmpiW (lpString1="1.exe", lpString2="programdata") returned -1 [0099.086] lstrcmpiW (lpString1="1.exe", lpString2="appdata") returned -1 [0099.086] lstrcmpiW (lpString1="1.exe", lpString2="program files") returned -1 [0099.086] lstrcmpiW (lpString1="1.exe", lpString2="program files (x86)") returned -1 [0099.086] lstrcmpiW (lpString1="1.exe", lpString2="microsoft") returned -1 [0099.086] lstrcmpiW (lpString1="1.exe", lpString2="sophos") returned -1 [0099.086] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680508 [0099.086] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0099.086] PathFindExtensionW (pszPath="1.exe") returned=".exe" [0099.086] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0099.086] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d262540, ftCreationTime.dwHighDateTime=0x1d5efca, ftLastAccessTime.dwLowDateTime=0xb3cc4220, ftLastAccessTime.dwHighDateTime=0x1d5ed67, ftLastWriteTime.dwLowDateTime=0xb3cc4220, ftLastWriteTime.dwHighDateTime=0x1d5ed67, nFileSizeHigh=0x0, nFileSizeLow=0x8351, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="1TW9SdB_rYKNrSdh.xlsx", cAlternateFileName="1TW9SD~1.XLS")) returned 1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2=".") returned 1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="..") returned 1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="...") returned 1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="windows") returned -1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="rsa") returned -1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="NTDETECT.COM") returned -1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="ntldr") returned -1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="MSDOS.SYS") returned -1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="IO.SYS") returned -1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="boot.ini") returned -1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="AUTOEXEC.BAT") returned -1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="ntuser.dat") returned -1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="desktop.ini") returned -1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="CONFIG.SYS") returned -1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="RECYCLER") returned -1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="BOOTSECT.BAK") returned -1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="bootmgr") returned -1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="programdata") returned -1 [0099.086] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="appdata") returned -1 [0099.087] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="program files") returned -1 [0099.087] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="program files (x86)") returned -1 [0099.087] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="microsoft") returned -1 [0099.087] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="sophos") returned -1 [0099.087] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0099.087] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0099.087] PathFindExtensionW (pszPath="1TW9SdB_rYKNrSdh.xlsx") returned=".xlsx" [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0099.087] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0099.087] lstrcmpiW (lpString1="1TW9SdB_rYKNrSdh.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0099.087] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0099.087] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\1TW9SdB_rYKNrSdh.xlsx" (normalized: "c:\\users\\fd1hvy\\desktop\\1tw9sdb_ryknrsdh.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0099.087] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=33617) returned 1 [0099.087] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0099.088] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0099.088] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0099.088] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0099.088] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0099.088] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0099.088] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25beab8*=0x100) returned 1 [0099.089] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x100) returned 1 [0099.089] GetTickCount () returned 0x1159f2a [0099.089] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0099.089] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0099.089] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x8351, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.089] SetLastError (dwErrCode=0x0) [0099.089] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0099.138] GetLastError () returned 0x0 [0099.138] GetLastError () returned 0x0 [0099.138] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x8451, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.138] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0099.138] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x8551, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.138] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3615f265, dwHighDateTime=0x1d5f971)) [0099.138] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0099.138] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0099.138] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0099.138] GetProcessHeap () returned 0xbc0000 [0099.138] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x8351) returned 0xbf1630 [0099.138] GetSystemDefaultLangID () returned 0xbd0409 [0099.138] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.138] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x8351, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x8351, lpOverlapped=0x0) returned 1 [0099.140] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.140] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x8351, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x8351, lpOverlapped=0x0) returned 1 [0099.140] GetProcessHeap () returned 0xbc0000 [0099.140] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0099.140] CloseHandle (hObject=0x26c) returned 1 [0099.186] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0099.186] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0099.186] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0099.186] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0099.186] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0099.186] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\1TW9SdB_rYKNrSdh.xlsx" (normalized: "c:\\users\\fd1hvy\\desktop\\1tw9sdb_ryknrsdh.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\1TW9SdB_rYKNrSdh.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\1tw9sdb_ryknrsdh.xlsx.nefilim")) returned 1 [0099.232] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0099.232] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0099.232] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc8dc1f0, ftCreationTime.dwHighDateTime=0x1d5e2c1, ftLastAccessTime.dwLowDateTime=0xb08aeb40, ftLastAccessTime.dwHighDateTime=0x1d5ed92, ftLastWriteTime.dwLowDateTime=0xb08aeb40, ftLastWriteTime.dwHighDateTime=0x1d5ed92, nFileSizeHigh=0x0, nFileSizeLow=0xbf8f, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="3D6Vc1AFF.avi", cAlternateFileName="3D6VC1~1.AVI")) returned 1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2=".") returned 1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="..") returned 1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="...") returned 1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="windows") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="$RECYCLE.BIN") returned 1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="rsa") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="NTDETECT.COM") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="ntldr") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="MSDOS.SYS") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="IO.SYS") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="boot.ini") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="AUTOEXEC.BAT") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="ntuser.dat") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="desktop.ini") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="CONFIG.SYS") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="RECYCLER") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="BOOTSECT.BAK") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="bootmgr") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="programdata") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="appdata") returned -1 [0099.232] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="program files") returned -1 [0099.233] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="program files (x86)") returned -1 [0099.233] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="microsoft") returned -1 [0099.233] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="sophos") returned -1 [0099.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0099.233] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0099.233] PathFindExtensionW (pszPath="3D6Vc1AFF.avi") returned=".avi" [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0099.233] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0099.233] lstrcmpiW (lpString1="3D6Vc1AFF.avi", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0099.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680508 [0099.233] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\3D6Vc1AFF.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\3d6vc1aff.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0099.233] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=49039) returned 1 [0099.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0099.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0099.234] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0099.234] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0099.234] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0099.234] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0099.234] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0099.234] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x100) returned 1 [0099.234] GetTickCount () returned 0x1159fc7 [0099.234] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e688 [0099.234] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0099.234] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xbf8f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.234] SetLastError (dwErrCode=0x0) [0099.234] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0099.235] GetLastError () returned 0x0 [0099.235] GetLastError () returned 0x0 [0099.235] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xc08f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.235] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0099.235] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xc18f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.235] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x36243f8a, dwHighDateTime=0x1d5f971)) [0099.235] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0099.236] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0099.236] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0099.236] GetProcessHeap () returned 0xbc0000 [0099.236] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xbf8f) returned 0xbf1630 [0099.236] GetSystemDefaultLangID () returned 0xbd0409 [0099.236] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.236] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xbf8f, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xbf8f, lpOverlapped=0x0) returned 1 [0099.238] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.238] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xbf8f, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xbf8f, lpOverlapped=0x0) returned 1 [0099.238] GetProcessHeap () returned 0xbc0000 [0099.238] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0099.239] CloseHandle (hObject=0x26c) returned 1 [0099.279] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0099.279] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0099.279] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0099.279] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0099.279] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0099.279] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\3D6Vc1AFF.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\3d6vc1aff.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\3D6Vc1AFF.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\3d6vc1aff.avi.nefilim")) returned 1 [0099.326] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0099.326] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0099.326] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6df0340, ftCreationTime.dwHighDateTime=0x1d5e0ec, ftLastAccessTime.dwLowDateTime=0x3d152ae0, ftLastAccessTime.dwHighDateTime=0x1d5e20c, ftLastWriteTime.dwLowDateTime=0x3d152ae0, ftLastWriteTime.dwHighDateTime=0x1d5e20c, nFileSizeHigh=0x0, nFileSizeLow=0x1945, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="48TEEGm6yn.mp3", cAlternateFileName="48TEEG~1.MP3")) returned 1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2=".") returned 1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="..") returned 1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="...") returned 1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="windows") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="$RECYCLE.BIN") returned 1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="rsa") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="NTDETECT.COM") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="ntldr") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="MSDOS.SYS") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="IO.SYS") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="boot.ini") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="AUTOEXEC.BAT") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="ntuser.dat") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="desktop.ini") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="CONFIG.SYS") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="RECYCLER") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="BOOTSECT.BAK") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="bootmgr") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="programdata") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="appdata") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="program files") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="program files (x86)") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="microsoft") returned -1 [0099.326] lstrcmpiW (lpString1="48TEEGm6yn.mp3", lpString2="sophos") returned -1 [0099.326] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680508 [0099.326] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0099.326] PathFindExtensionW (pszPath="48TEEGm6yn.mp3") returned=".mp3" [0099.326] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0099.326] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0099.326] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0099.326] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0099.327] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0099.327] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0099.327] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0099.327] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0099.327] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0099.327] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0099.327] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0099.327] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadce65e0, ftCreationTime.dwHighDateTime=0x1d5e1b6, ftLastAccessTime.dwLowDateTime=0x98941950, ftLastAccessTime.dwHighDateTime=0x1d5e0b6, ftLastWriteTime.dwLowDateTime=0x98941950, ftLastWriteTime.dwHighDateTime=0x1d5e0b6, nFileSizeHigh=0x0, nFileSizeLow=0x4d02, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="5-63KTalCPSot.avi", cAlternateFileName="5-63KT~1.AVI")) returned 1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2=".") returned 1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="..") returned 1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="...") returned 1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="windows") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="$RECYCLE.BIN") returned 1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="rsa") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="NTDETECT.COM") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="ntldr") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="MSDOS.SYS") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="IO.SYS") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="boot.ini") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="AUTOEXEC.BAT") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="ntuser.dat") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="desktop.ini") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="CONFIG.SYS") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="RECYCLER") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="BOOTSECT.BAK") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="bootmgr") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="programdata") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="appdata") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="program files") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="program files (x86)") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="microsoft") returned -1 [0099.327] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="sophos") returned -1 [0099.327] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0099.327] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0099.327] PathFindExtensionW (pszPath="5-63KTalCPSot.avi") returned=".avi" [0099.327] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0099.328] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0099.328] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0099.328] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0099.328] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0099.328] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0099.328] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0099.328] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0099.328] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0099.328] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0099.328] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0099.328] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0099.328] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0099.328] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0099.328] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0099.328] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0099.328] lstrcmpiW (lpString1="5-63KTalCPSot.avi", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0099.328] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0099.328] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\5-63KTalCPSot.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\5-63ktalcpsot.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0099.328] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=19714) returned 1 [0099.328] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0099.328] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0099.328] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0099.328] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0099.328] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0099.328] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0099.328] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0099.329] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0099.329] GetTickCount () returned 0x115a024 [0099.329] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0099.329] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0099.329] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4d02, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.329] SetLastError (dwErrCode=0x0) [0099.329] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0099.330] GetLastError () returned 0x0 [0099.330] GetLastError () returned 0x0 [0099.330] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4e02, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.330] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0099.330] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4f02, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.330] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x36328ced, dwHighDateTime=0x1d5f971)) [0099.330] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0099.330] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0099.330] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0099.330] GetProcessHeap () returned 0xbc0000 [0099.330] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x4d02) returned 0xbf1630 [0099.330] GetSystemDefaultLangID () returned 0xbd0409 [0099.330] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.330] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x4d02, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x4d02, lpOverlapped=0x0) returned 1 [0099.331] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.331] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x4d02, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x4d02, lpOverlapped=0x0) returned 1 [0099.331] GetProcessHeap () returned 0xbc0000 [0099.331] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0099.331] CloseHandle (hObject=0x26c) returned 1 [0099.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0099.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0099.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0099.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0099.372] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0099.372] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\5-63KTalCPSot.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\5-63ktalcpsot.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\5-63KTalCPSot.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\5-63ktalcpsot.avi.nefilim")) returned 1 [0099.419] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0099.419] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0099.419] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48415280, ftCreationTime.dwHighDateTime=0x1d5e271, ftLastAccessTime.dwLowDateTime=0xaaa90eb0, ftLastAccessTime.dwHighDateTime=0x1d5ef17, ftLastWriteTime.dwLowDateTime=0xaaa90eb0, ftLastWriteTime.dwHighDateTime=0x1d5ef17, nFileSizeHigh=0x0, nFileSizeLow=0x14491, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="A4kgp6t_mQ4-EAf1V.m4a", cAlternateFileName="A4KGP6~1.M4A")) returned 1 [0099.419] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2=".") returned 1 [0099.419] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="..") returned 1 [0099.419] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="...") returned 1 [0099.419] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="windows") returned -1 [0099.419] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="$RECYCLE.BIN") returned 1 [0099.419] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="rsa") returned -1 [0099.419] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="NTDETECT.COM") returned -1 [0099.419] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="ntldr") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="MSDOS.SYS") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="IO.SYS") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="boot.ini") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="AUTOEXEC.BAT") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="ntuser.dat") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="desktop.ini") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="CONFIG.SYS") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="RECYCLER") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="BOOTSECT.BAK") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="bootmgr") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="programdata") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="appdata") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="program files") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="program files (x86)") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="microsoft") returned -1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="sophos") returned -1 [0099.420] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0099.420] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0099.420] PathFindExtensionW (pszPath="A4kgp6t_mQ4-EAf1V.m4a") returned=".m4a" [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0099.420] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0099.420] lstrcmpiW (lpString1="A4kgp6t_mQ4-EAf1V.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0099.420] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0099.421] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\A4kgp6t_mQ4-EAf1V.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\a4kgp6t_mq4-eaf1v.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0099.421] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=83089) returned 1 [0099.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0099.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0099.421] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0099.421] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0099.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0099.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0099.421] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0099.421] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x100) returned 1 [0099.421] GetTickCount () returned 0x115a082 [0099.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0099.421] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0099.421] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x14491, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.422] SetLastError (dwErrCode=0x0) [0099.422] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0099.422] GetLastError () returned 0x0 [0099.422] GetLastError () returned 0x0 [0099.422] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x14591, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.422] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0099.422] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x14691, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.423] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3640dc94, dwHighDateTime=0x1d5f971)) [0099.423] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0099.423] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0099.423] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0099.423] GetProcessHeap () returned 0xbc0000 [0099.423] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x14491) returned 0xbf1630 [0099.423] GetSystemDefaultLangID () returned 0xbd0409 [0099.423] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.423] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x14491, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x14491, lpOverlapped=0x0) returned 1 [0099.427] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.427] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x14491, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x14491, lpOverlapped=0x0) returned 1 [0099.427] GetProcessHeap () returned 0xbc0000 [0099.427] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0099.427] CloseHandle (hObject=0x26c) returned 1 [0099.480] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0099.480] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0099.480] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0099.480] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0099.480] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0099.480] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\A4kgp6t_mQ4-EAf1V.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\a4kgp6t_mq4-eaf1v.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\A4kgp6t_mQ4-EAf1V.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\a4kgp6t_mq4-eaf1v.m4a.nefilim")) returned 1 [0099.577] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0099.577] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0099.577] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa76278c0, ftCreationTime.dwHighDateTime=0x1d5ea41, ftLastAccessTime.dwLowDateTime=0x555cb930, ftLastAccessTime.dwHighDateTime=0x1d5ed59, ftLastWriteTime.dwLowDateTime=0x555cb930, ftLastWriteTime.dwHighDateTime=0x1d5ed59, nFileSizeHigh=0x0, nFileSizeLow=0x33e3, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="aOpHgn1Yjf.bmp", cAlternateFileName="AOPHGN~1.BMP")) returned 1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2=".") returned 1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="..") returned 1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="...") returned 1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="windows") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="$RECYCLE.BIN") returned 1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="rsa") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="NTDETECT.COM") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="ntldr") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="MSDOS.SYS") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="IO.SYS") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="boot.ini") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="AUTOEXEC.BAT") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="ntuser.dat") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="desktop.ini") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="CONFIG.SYS") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="RECYCLER") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="BOOTSECT.BAK") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="bootmgr") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="programdata") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="appdata") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="program files") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="program files (x86)") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="microsoft") returned -1 [0099.577] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="sophos") returned -1 [0099.577] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0099.577] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0099.577] PathFindExtensionW (pszPath="aOpHgn1Yjf.bmp") returned=".bmp" [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0099.578] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0099.578] lstrcmpiW (lpString1="aOpHgn1Yjf.bmp", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0099.578] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680508 [0099.578] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\aOpHgn1Yjf.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\aophgn1yjf.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0099.578] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=13283) returned 1 [0099.578] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0099.578] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0099.578] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0099.578] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0099.578] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0099.578] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0099.578] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25beab8*=0x100) returned 1 [0099.579] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0099.579] GetTickCount () returned 0x115a11e [0099.579] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0099.579] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0099.579] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x33e3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.579] SetLastError (dwErrCode=0x0) [0099.579] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0099.580] GetLastError () returned 0x0 [0099.580] GetLastError () returned 0x0 [0099.580] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x34e3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.580] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0099.580] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x35e3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.580] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3658b515, dwHighDateTime=0x1d5f971)) [0099.580] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0099.580] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0099.580] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0099.580] GetProcessHeap () returned 0xbc0000 [0099.580] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x33e3) returned 0xbf1630 [0099.580] GetSystemDefaultLangID () returned 0xbd0409 [0099.580] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.580] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x33e3, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x33e3, lpOverlapped=0x0) returned 1 [0099.581] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.581] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x33e3, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x33e3, lpOverlapped=0x0) returned 1 [0099.581] GetProcessHeap () returned 0xbc0000 [0099.581] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0099.581] CloseHandle (hObject=0x26c) returned 1 [0099.581] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0099.581] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0099.582] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0099.582] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0099.582] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0099.582] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\aOpHgn1Yjf.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\aophgn1yjf.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\aOpHgn1Yjf.bmp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\aophgn1yjf.bmp.nefilim")) returned 1 [0099.582] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0099.582] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0099.582] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe07ca4d0, ftCreationTime.dwHighDateTime=0x1d5ea61, ftLastAccessTime.dwLowDateTime=0xb6c8d310, ftLastAccessTime.dwHighDateTime=0x1d5ee95, ftLastWriteTime.dwLowDateTime=0xb6c8d310, ftLastWriteTime.dwHighDateTime=0x1d5ee95, nFileSizeHigh=0x0, nFileSizeLow=0x13c38, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="B7SxniXjnL9_BREh_l5.m4a", cAlternateFileName="B7SXNI~1.M4A")) returned 1 [0099.582] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2=".") returned 1 [0099.582] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="..") returned 1 [0099.582] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="...") returned 1 [0099.582] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="windows") returned -1 [0099.582] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="$RECYCLE.BIN") returned 1 [0099.582] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="rsa") returned -1 [0099.582] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="NTDETECT.COM") returned -1 [0099.582] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="ntldr") returned -1 [0099.582] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="MSDOS.SYS") returned -1 [0099.582] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="IO.SYS") returned -1 [0099.582] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="boot.ini") returned -1 [0099.582] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0099.583] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="ntuser.dat") returned -1 [0099.583] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="desktop.ini") returned -1 [0099.583] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="CONFIG.SYS") returned -1 [0099.583] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="RECYCLER") returned -1 [0099.583] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="BOOTSECT.BAK") returned -1 [0099.583] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="bootmgr") returned -1 [0099.583] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="programdata") returned -1 [0099.583] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="appdata") returned 1 [0099.583] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="program files") returned -1 [0099.583] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="program files (x86)") returned -1 [0099.583] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="microsoft") returned -1 [0099.583] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="sophos") returned -1 [0099.583] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0099.583] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0099.583] PathFindExtensionW (pszPath="B7SxniXjnL9_BREh_l5.m4a") returned=".m4a" [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0099.583] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0099.583] lstrcmpiW (lpString1="B7SxniXjnL9_BREh_l5.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0099.583] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0099.583] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\B7SxniXjnL9_BREh_l5.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\b7sxnixjnl9_breh_l5.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0099.584] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=80952) returned 1 [0099.584] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0099.584] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0099.584] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0099.584] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0099.584] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0099.584] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0099.584] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x100) returned 1 [0099.584] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25beab4*=0x100) returned 1 [0099.585] GetTickCount () returned 0x115a11e [0099.585] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0099.585] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0099.585] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x13c38, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.585] SetLastError (dwErrCode=0x0) [0099.585] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0099.586] GetLastError () returned 0x0 [0099.586] GetLastError () returned 0x0 [0099.586] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x13d38, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.586] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0099.586] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x13e38, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.586] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3658b515, dwHighDateTime=0x1d5f971)) [0099.586] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0099.586] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0099.586] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0099.587] GetProcessHeap () returned 0xbc0000 [0099.587] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x13c38) returned 0xbf1630 [0099.587] GetSystemDefaultLangID () returned 0xbd0409 [0099.587] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.587] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x13c38, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x13c38, lpOverlapped=0x0) returned 1 [0099.704] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0099.704] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x13c38, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x13c38, lpOverlapped=0x0) returned 1 [0099.705] GetProcessHeap () returned 0xbc0000 [0099.705] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0099.705] CloseHandle (hObject=0x26c) returned 1 [0099.705] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0099.705] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0099.705] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0099.705] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0099.705] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0099.705] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\B7SxniXjnL9_BREh_l5.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\b7sxnixjnl9_breh_l5.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\B7SxniXjnL9_BREh_l5.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\b7sxnixjnl9_breh_l5.m4a.nefilim")) returned 1 [0099.706] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0099.706] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0099.706] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35a095d0, ftCreationTime.dwHighDateTime=0x1d5e601, ftLastAccessTime.dwLowDateTime=0xc3e5d470, ftLastAccessTime.dwHighDateTime=0x1d5e6c6, ftLastWriteTime.dwLowDateTime=0xc3e5d470, ftLastWriteTime.dwHighDateTime=0x1d5e6c6, nFileSizeHigh=0x0, nFileSizeLow=0xc6ef, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="CB-xuRgVFHqn_.mp3", cAlternateFileName="CB-XUR~1.MP3")) returned 1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2=".") returned 1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="..") returned 1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="...") returned 1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="windows") returned -1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="$RECYCLE.BIN") returned 1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="rsa") returned -1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="NTDETECT.COM") returned -1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="ntldr") returned -1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="MSDOS.SYS") returned -1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="IO.SYS") returned -1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="boot.ini") returned 1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="ntuser.dat") returned -1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="desktop.ini") returned -1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="CONFIG.SYS") returned -1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="RECYCLER") returned -1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="BOOTSECT.BAK") returned 1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="bootmgr") returned 1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="programdata") returned -1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="appdata") returned 1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="program files") returned -1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="program files (x86)") returned -1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="microsoft") returned -1 [0099.706] lstrcmpiW (lpString1="CB-xuRgVFHqn_.mp3", lpString2="sophos") returned -1 [0099.706] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0099.706] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0099.706] PathFindExtensionW (pszPath="CB-xuRgVFHqn_.mp3") returned=".mp3" [0099.706] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0099.706] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0099.706] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0099.706] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0099.707] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0099.707] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0099.707] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0099.707] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0099.707] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0099.707] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0099.707] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0099.707] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0099.707] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0099.707] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0099.707] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0099.707] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0099.707] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0099.707] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0099.707] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0099.707] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0099.707] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0099.707] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0099.707] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0099.707] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0099.707] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0099.707] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0099.707] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1ac2720, ftCreationTime.dwHighDateTime=0x1d5e510, ftLastAccessTime.dwLowDateTime=0x19fb4b50, ftLastAccessTime.dwHighDateTime=0x1d5e5dd, ftLastWriteTime.dwLowDateTime=0x19fb4b50, ftLastWriteTime.dwHighDateTime=0x1d5e5dd, nFileSizeHigh=0x0, nFileSizeLow=0x99cc, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="DET2zaLAF42rhu8.wav", cAlternateFileName="DET2ZA~1.WAV")) returned 1 [0099.707] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2=".") returned 1 [0099.707] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="..") returned 1 [0099.707] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="...") returned 1 [0099.707] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="windows") returned -1 [0099.707] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="$RECYCLE.BIN") returned 1 [0099.707] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="rsa") returned -1 [0099.707] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="NTDETECT.COM") returned -1 [0099.707] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="ntldr") returned -1 [0099.707] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="MSDOS.SYS") returned -1 [0099.707] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="IO.SYS") returned -1 [0099.707] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="boot.ini") returned 1 [0099.707] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="AUTOEXEC.BAT") returned 1 [0099.708] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="ntuser.dat") returned -1 [0099.708] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="desktop.ini") returned 1 [0099.708] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="CONFIG.SYS") returned 1 [0099.708] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="RECYCLER") returned -1 [0099.708] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="BOOTSECT.BAK") returned 1 [0099.708] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="bootmgr") returned 1 [0099.708] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="programdata") returned -1 [0099.708] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="appdata") returned 1 [0099.708] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="program files") returned -1 [0099.708] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="program files (x86)") returned -1 [0099.708] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="microsoft") returned -1 [0099.708] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="sophos") returned -1 [0099.708] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0099.708] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0099.708] PathFindExtensionW (pszPath="DET2zaLAF42rhu8.wav") returned=".wav" [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0099.708] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0099.708] lstrcmpiW (lpString1="DET2zaLAF42rhu8.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0099.708] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0099.708] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\DET2zaLAF42rhu8.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\det2zalaf42rhu8.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0103.261] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=39372) returned 1 [0103.261] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.261] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0103.261] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.261] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0103.261] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0103.261] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0103.261] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25beab8*=0x100) returned 1 [0103.263] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x100) returned 1 [0103.264] GetTickCount () returned 0x115af86 [0103.264] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0103.264] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0103.264] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x99cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.264] SetLastError (dwErrCode=0x0) [0103.264] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.265] GetLastError () returned 0x0 [0103.265] GetLastError () returned 0x0 [0103.265] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x9acc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.265] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.265] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x9bcc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.265] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x388b6021, dwHighDateTime=0x1d5f971)) [0103.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.265] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.265] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0103.265] GetProcessHeap () returned 0xbc0000 [0103.265] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x99cc) returned 0xbf1630 [0103.265] GetSystemDefaultLangID () returned 0xbd0409 [0103.265] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.265] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x99cc, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x99cc, lpOverlapped=0x0) returned 1 [0103.268] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.268] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x99cc, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x99cc, lpOverlapped=0x0) returned 1 [0103.268] GetProcessHeap () returned 0xbc0000 [0103.268] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0103.268] CloseHandle (hObject=0x26c) returned 1 [0103.268] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0103.268] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0103.268] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.268] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0103.268] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0103.268] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\DET2zaLAF42rhu8.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\det2zalaf42rhu8.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\DET2zaLAF42rhu8.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\det2zalaf42rhu8.wav.nefilim")) returned 1 [0103.269] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0103.269] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0103.269] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f82ff90, ftCreationTime.dwHighDateTime=0x1d5ee2c, ftLastAccessTime.dwLowDateTime=0x7c8d9570, ftLastAccessTime.dwHighDateTime=0x1d5ec9a, ftLastWriteTime.dwLowDateTime=0x7c8d9570, ftLastWriteTime.dwHighDateTime=0x1d5ec9a, nFileSizeHigh=0x0, nFileSizeLow=0xc536, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="e6_7HdfD2 NprSG.avi", cAlternateFileName="E6_7HD~1.AVI")) returned 1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2=".") returned 1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="..") returned 1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="...") returned 1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="windows") returned -1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="$RECYCLE.BIN") returned 1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="rsa") returned -1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="NTDETECT.COM") returned -1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="ntldr") returned -1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="MSDOS.SYS") returned -1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="IO.SYS") returned -1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="boot.ini") returned 1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="AUTOEXEC.BAT") returned 1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="ntuser.dat") returned -1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="desktop.ini") returned 1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="CONFIG.SYS") returned 1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="RECYCLER") returned -1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="BOOTSECT.BAK") returned 1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="bootmgr") returned 1 [0103.269] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="programdata") returned -1 [0103.270] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="appdata") returned 1 [0103.270] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="program files") returned -1 [0103.270] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="program files (x86)") returned -1 [0103.270] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="microsoft") returned -1 [0103.270] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="sophos") returned -1 [0103.270] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0103.270] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0103.270] PathFindExtensionW (pszPath="e6_7HdfD2 NprSG.avi") returned=".avi" [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0103.270] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0103.270] lstrcmpiW (lpString1="e6_7HdfD2 NprSG.avi", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.270] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0103.270] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\e6_7HdfD2 NprSG.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\e6_7hdfd2 nprsg.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0103.270] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=50486) returned 1 [0103.270] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.271] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0103.271] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.271] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0103.271] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0103.271] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0103.271] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x100) returned 1 [0103.271] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25beab4*=0x100) returned 1 [0103.272] GetTickCount () returned 0x115af86 [0103.272] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0103.272] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0103.272] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xc536, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.272] SetLastError (dwErrCode=0x0) [0103.272] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.273] GetLastError () returned 0x0 [0103.273] GetLastError () returned 0x0 [0103.273] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xc636, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.273] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.273] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xc736, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.273] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x388b6021, dwHighDateTime=0x1d5f971)) [0103.273] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.273] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.273] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0103.273] GetProcessHeap () returned 0xbc0000 [0103.273] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xc536) returned 0xbf1630 [0103.274] GetSystemDefaultLangID () returned 0xbd0409 [0103.274] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.274] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xc536, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xc536, lpOverlapped=0x0) returned 1 [0103.277] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.277] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xc536, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xc536, lpOverlapped=0x0) returned 1 [0103.277] GetProcessHeap () returned 0xbc0000 [0103.277] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0103.279] CloseHandle (hObject=0x26c) returned 1 [0103.279] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0103.279] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0103.279] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.279] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0103.279] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0103.279] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\e6_7HdfD2 NprSG.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\e6_7hdfd2 nprsg.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\e6_7HdfD2 NprSG.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\e6_7hdfd2 nprsg.avi.nefilim")) returned 1 [0103.280] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0103.280] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0103.280] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33e4b3f0, ftCreationTime.dwHighDateTime=0x1d5e6d0, ftLastAccessTime.dwLowDateTime=0xb9ab7080, ftLastAccessTime.dwHighDateTime=0x1d5ebeb, ftLastWriteTime.dwLowDateTime=0xb9ab7080, ftLastWriteTime.dwHighDateTime=0x1d5ebeb, nFileSizeHigh=0x0, nFileSizeLow=0xca61, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="EilVUjIIPsRAx9--Hot.docx", cAlternateFileName="EILVUJ~1.DOC")) returned 1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2=".") returned 1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="..") returned 1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="...") returned 1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="windows") returned -1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="$RECYCLE.BIN") returned 1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="rsa") returned -1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="NTDETECT.COM") returned -1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="ntldr") returned -1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="MSDOS.SYS") returned -1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="IO.SYS") returned -1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="boot.ini") returned 1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="AUTOEXEC.BAT") returned 1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="ntuser.dat") returned -1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="desktop.ini") returned 1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="CONFIG.SYS") returned 1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="RECYCLER") returned -1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="BOOTSECT.BAK") returned 1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="bootmgr") returned 1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="programdata") returned -1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="appdata") returned 1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="program files") returned -1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="program files (x86)") returned -1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="microsoft") returned -1 [0103.280] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="sophos") returned -1 [0103.280] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680508 [0103.280] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0103.280] PathFindExtensionW (pszPath="EilVUjIIPsRAx9--Hot.docx") returned=".docx" [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0103.281] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0103.281] lstrcmpiW (lpString1="EilVUjIIPsRAx9--Hot.docx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.281] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0103.281] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\EilVUjIIPsRAx9--Hot.docx" (normalized: "c:\\users\\fd1hvy\\desktop\\eilvujiipsrax9--hot.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0103.281] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=51809) returned 1 [0103.281] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.281] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0103.281] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.281] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0103.281] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0103.281] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0103.281] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25beab8*=0x100) returned 1 [0103.283] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25beab4*=0x100) returned 1 [0103.284] GetTickCount () returned 0x115af95 [0103.284] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0103.284] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0103.284] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xca61, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.284] SetLastError (dwErrCode=0x0) [0103.284] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.284] GetLastError () returned 0x0 [0103.285] GetLastError () returned 0x0 [0103.285] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xcb61, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.285] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.285] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xcc61, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.285] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x388dc312, dwHighDateTime=0x1d5f971)) [0103.285] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.285] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.285] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0103.285] GetProcessHeap () returned 0xbc0000 [0103.285] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xca61) returned 0xbf1630 [0103.286] GetSystemDefaultLangID () returned 0xbd0409 [0103.286] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.286] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xca61, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xca61, lpOverlapped=0x0) returned 1 [0103.289] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.289] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xca61, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xca61, lpOverlapped=0x0) returned 1 [0103.289] GetProcessHeap () returned 0xbc0000 [0103.289] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0103.290] CloseHandle (hObject=0x26c) returned 1 [0103.290] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0103.290] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0103.290] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.290] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0103.290] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e360 [0103.290] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\EilVUjIIPsRAx9--Hot.docx" (normalized: "c:\\users\\fd1hvy\\desktop\\eilvujiipsrax9--hot.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\EilVUjIIPsRAx9--Hot.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\eilvujiipsrax9--hot.docx.nefilim")) returned 1 [0103.291] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0103.291] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0103.291] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53d56b10, ftCreationTime.dwHighDateTime=0x1d5e7b5, ftLastAccessTime.dwLowDateTime=0xf50e0f0, ftLastAccessTime.dwHighDateTime=0x1d5e111, ftLastWriteTime.dwLowDateTime=0xf50e0f0, ftLastWriteTime.dwHighDateTime=0x1d5e111, nFileSizeHigh=0x0, nFileSizeLow=0x1705f, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="geAiGPcb5FHg1.avi", cAlternateFileName="GEAIGP~1.AVI")) returned 1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2=".") returned 1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="..") returned 1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="...") returned 1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="windows") returned -1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="$RECYCLE.BIN") returned 1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="rsa") returned -1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="NTDETECT.COM") returned -1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="ntldr") returned -1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="MSDOS.SYS") returned -1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="IO.SYS") returned -1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="boot.ini") returned 1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="AUTOEXEC.BAT") returned 1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="ntuser.dat") returned -1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="desktop.ini") returned 1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="CONFIG.SYS") returned 1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="RECYCLER") returned -1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="BOOTSECT.BAK") returned 1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="bootmgr") returned 1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="programdata") returned -1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="appdata") returned 1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="program files") returned -1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="program files (x86)") returned -1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="microsoft") returned -1 [0103.291] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="sophos") returned -1 [0103.291] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0103.291] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0103.291] PathFindExtensionW (pszPath="geAiGPcb5FHg1.avi") returned=".avi" [0103.291] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0103.291] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0103.291] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0103.292] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0103.292] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0103.292] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0103.292] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0103.292] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0103.292] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0103.292] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0103.292] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0103.292] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0103.292] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0103.292] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0103.292] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0103.292] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0103.292] lstrcmpiW (lpString1="geAiGPcb5FHg1.avi", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0103.292] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\geAiGPcb5FHg1.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\geaigpcb5fhg1.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0103.292] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=94303) returned 1 [0103.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0103.292] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.292] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0103.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0103.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0103.292] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x100) returned 1 [0103.349] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab4*=0x100) returned 1 [0103.349] GetTickCount () returned 0x115afd4 [0103.349] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0103.350] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0103.350] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1705f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.350] SetLastError (dwErrCode=0x0) [0103.350] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.351] GetLastError () returned 0x0 [0103.351] GetLastError () returned 0x0 [0103.351] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1715f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.351] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.351] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1725f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.351] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x38974bb0, dwHighDateTime=0x1d5f971)) [0103.351] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.351] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.351] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0103.351] GetProcessHeap () returned 0xbc0000 [0103.351] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1705f) returned 0xbf1630 [0103.351] GetSystemDefaultLangID () returned 0xbd0409 [0103.351] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.351] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x1705f, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x1705f, lpOverlapped=0x0) returned 1 [0103.356] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.356] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x1705f, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x1705f, lpOverlapped=0x0) returned 1 [0103.357] GetProcessHeap () returned 0xbc0000 [0103.357] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0103.357] CloseHandle (hObject=0x26c) returned 1 [0103.357] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0103.357] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0103.357] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.357] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0103.357] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0103.357] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\geAiGPcb5FHg1.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\geaigpcb5fhg1.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\geAiGPcb5FHg1.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\geaigpcb5fhg1.avi.nefilim")) returned 1 [0103.358] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0103.358] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0103.358] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63a7b320, ftCreationTime.dwHighDateTime=0x1d5e230, ftLastAccessTime.dwLowDateTime=0x4a273ac0, ftLastAccessTime.dwHighDateTime=0x1d5efbd, ftLastWriteTime.dwLowDateTime=0x4a273ac0, ftLastWriteTime.dwHighDateTime=0x1d5efbd, nFileSizeHigh=0x0, nFileSizeLow=0xd48b, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="GEF2WVNfrMeJz.jpg", cAlternateFileName="GEF2WV~1.JPG")) returned 1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2=".") returned 1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="..") returned 1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="...") returned 1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="windows") returned -1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="$RECYCLE.BIN") returned 1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="rsa") returned -1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="NTDETECT.COM") returned -1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="ntldr") returned -1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="MSDOS.SYS") returned -1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="IO.SYS") returned -1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="boot.ini") returned 1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="ntuser.dat") returned -1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="desktop.ini") returned 1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="CONFIG.SYS") returned 1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="RECYCLER") returned -1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="BOOTSECT.BAK") returned 1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="bootmgr") returned 1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="programdata") returned -1 [0103.358] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="appdata") returned 1 [0103.359] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="program files") returned -1 [0103.359] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="program files (x86)") returned -1 [0103.359] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="microsoft") returned -1 [0103.359] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="sophos") returned -1 [0103.359] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0103.359] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0103.359] PathFindExtensionW (pszPath="GEF2WVNfrMeJz.jpg") returned=".jpg" [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0103.359] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0103.359] lstrcmpiW (lpString1="GEF2WVNfrMeJz.jpg", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.359] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0103.359] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\GEF2WVNfrMeJz.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\gef2wvnfrmejz.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0103.359] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=54411) returned 1 [0103.359] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.359] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0103.359] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.360] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0103.360] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0103.360] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0103.360] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x100) returned 1 [0103.361] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x100) returned 1 [0103.362] GetTickCount () returned 0x115afe4 [0103.362] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0103.362] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0103.362] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd48b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.362] SetLastError (dwErrCode=0x0) [0103.362] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.363] GetLastError () returned 0x0 [0103.363] GetLastError () returned 0x0 [0103.363] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd58b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.363] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.363] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd68b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.363] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3899dbb7, dwHighDateTime=0x1d5f971)) [0103.363] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.363] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.363] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0103.363] GetProcessHeap () returned 0xbc0000 [0103.363] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xd48b) returned 0xbf1630 [0103.363] GetSystemDefaultLangID () returned 0xbd0409 [0103.363] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.363] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xd48b, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xd48b, lpOverlapped=0x0) returned 1 [0103.366] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.366] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xd48b, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xd48b, lpOverlapped=0x0) returned 1 [0103.366] GetProcessHeap () returned 0xbc0000 [0103.366] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0103.366] CloseHandle (hObject=0x26c) returned 1 [0103.367] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0103.367] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0103.367] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.367] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0103.367] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0103.367] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\GEF2WVNfrMeJz.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\gef2wvnfrmejz.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\GEF2WVNfrMeJz.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\gef2wvnfrmejz.jpg.nefilim")) returned 1 [0103.367] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0103.367] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0103.367] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dc54840, ftCreationTime.dwHighDateTime=0x1d5e84c, ftLastAccessTime.dwLowDateTime=0xe7a2c640, ftLastAccessTime.dwHighDateTime=0x1d5e2ff, ftLastWriteTime.dwLowDateTime=0xe7a2c640, ftLastWriteTime.dwHighDateTime=0x1d5e2ff, nFileSizeHigh=0x0, nFileSizeLow=0xf0d4, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="IKorNLwg2va0.flv", cAlternateFileName="IKORNL~1.FLV")) returned 1 [0103.367] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2=".") returned 1 [0103.367] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="..") returned 1 [0103.367] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="...") returned 1 [0103.367] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="windows") returned -1 [0103.367] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="$RECYCLE.BIN") returned 1 [0103.367] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="rsa") returned -1 [0103.367] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="NTDETECT.COM") returned -1 [0103.367] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="ntldr") returned -1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="MSDOS.SYS") returned -1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="IO.SYS") returned -1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="boot.ini") returned 1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="AUTOEXEC.BAT") returned 1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="ntuser.dat") returned -1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="desktop.ini") returned 1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="CONFIG.SYS") returned 1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="RECYCLER") returned -1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="BOOTSECT.BAK") returned 1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="bootmgr") returned 1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="programdata") returned -1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="appdata") returned 1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="program files") returned -1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="program files (x86)") returned -1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="microsoft") returned -1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="sophos") returned -1 [0103.368] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0103.368] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0103.368] PathFindExtensionW (pszPath="IKorNLwg2va0.flv") returned=".flv" [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0103.368] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0103.368] lstrcmpiW (lpString1="IKorNLwg2va0.flv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.368] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0103.369] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\IKorNLwg2va0.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\ikornlwg2va0.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0103.369] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=61652) returned 1 [0103.369] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.369] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0103.369] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.369] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0103.369] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0103.369] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0103.369] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0103.369] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x100) returned 1 [0103.370] GetTickCount () returned 0x115afe4 [0103.370] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0103.370] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0103.370] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf0d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.370] SetLastError (dwErrCode=0x0) [0103.370] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.371] GetLastError () returned 0x0 [0103.371] GetLastError () returned 0x0 [0103.371] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf1d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.371] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.371] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf2d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.371] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x389c0ec8, dwHighDateTime=0x1d5f971)) [0103.371] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.371] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.371] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0103.372] GetProcessHeap () returned 0xbc0000 [0103.372] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xf0d4) returned 0xbf1630 [0103.372] GetSystemDefaultLangID () returned 0xbd0409 [0103.372] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.372] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xf0d4, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xf0d4, lpOverlapped=0x0) returned 1 [0103.456] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.456] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xf0d4, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xf0d4, lpOverlapped=0x0) returned 1 [0103.456] GetProcessHeap () returned 0xbc0000 [0103.456] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0103.457] CloseHandle (hObject=0x26c) returned 1 [0103.457] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0103.457] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0103.457] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.457] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0103.457] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0103.458] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\IKorNLwg2va0.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\ikornlwg2va0.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\IKorNLwg2va0.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\ikornlwg2va0.flv.nefilim")) returned 1 [0103.458] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0103.458] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0103.458] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda9779f0, ftCreationTime.dwHighDateTime=0x1d5e822, ftLastAccessTime.dwLowDateTime=0x19b971f0, ftLastAccessTime.dwHighDateTime=0x1d5e73e, ftLastWriteTime.dwLowDateTime=0x19b971f0, ftLastWriteTime.dwHighDateTime=0x1d5e73e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="iPRzSiHTAUeyM-d", cAlternateFileName="IPRZSI~1")) returned 1 [0103.458] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2=".") returned 1 [0103.458] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="..") returned 1 [0103.458] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="...") returned 1 [0103.458] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="windows") returned -1 [0103.458] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="$RECYCLE.BIN") returned 1 [0103.458] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="rsa") returned -1 [0103.458] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="NTDETECT.COM") returned -1 [0103.458] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="ntldr") returned -1 [0103.458] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="MSDOS.SYS") returned -1 [0103.458] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="IO.SYS") returned 1 [0103.458] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="boot.ini") returned 1 [0103.459] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="AUTOEXEC.BAT") returned 1 [0103.459] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="ntuser.dat") returned -1 [0103.459] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="desktop.ini") returned 1 [0103.459] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="CONFIG.SYS") returned 1 [0103.459] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="RECYCLER") returned -1 [0103.459] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="BOOTSECT.BAK") returned 1 [0103.459] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="bootmgr") returned 1 [0103.459] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="programdata") returned -1 [0103.459] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="appdata") returned 1 [0103.459] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="program files") returned -1 [0103.459] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="program files (x86)") returned -1 [0103.459] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="microsoft") returned -1 [0103.459] lstrcmpiW (lpString1="iPRzSiHTAUeyM-d", lpString2="sophos") returned -1 [0103.459] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0103.459] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x76) returned 0x2680508 [0103.459] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.459] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0103.459] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0103.459] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e350 [0103.459] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0103.459] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda9779f0, ftCreationTime.dwHighDateTime=0x1d5e822, ftLastAccessTime.dwLowDateTime=0x19b971f0, ftLastAccessTime.dwHighDateTime=0x1d5e73e, ftLastWriteTime.dwLowDateTime=0x19b971f0, ftLastWriteTime.dwHighDateTime=0x1d5e73e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName=".", cAlternateFileName="")) returned 0xbe2908 [0103.459] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0103.459] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda9779f0, ftCreationTime.dwHighDateTime=0x1d5e822, ftLastAccessTime.dwLowDateTime=0x19b971f0, ftLastAccessTime.dwHighDateTime=0x1d5e73e, ftLastWriteTime.dwLowDateTime=0x19b971f0, ftLastWriteTime.dwHighDateTime=0x1d5e73e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="..", cAlternateFileName="")) returned 1 [0103.460] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0103.460] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0103.460] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x301368f0, ftCreationTime.dwHighDateTime=0x1d5e515, ftLastAccessTime.dwLowDateTime=0x5b9bfa70, ftLastAccessTime.dwHighDateTime=0x1d5e662, ftLastWriteTime.dwLowDateTime=0x5b9bfa70, ftLastWriteTime.dwHighDateTime=0x1d5e662, nFileSizeHigh=0x0, nFileSizeLow=0xfdb2, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="1vklh8M8Z8dNT7GK8u.jpg", cAlternateFileName="1VKLH8~1.JPG")) returned 1 [0103.460] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2=".") returned 1 [0103.460] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="..") returned 1 [0103.460] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="...") returned 1 [0103.460] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="windows") returned -1 [0103.460] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="$RECYCLE.BIN") returned 1 [0103.460] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="rsa") returned -1 [0103.460] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="NTDETECT.COM") returned -1 [0103.460] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="ntldr") returned -1 [0103.460] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="MSDOS.SYS") returned -1 [0103.460] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="IO.SYS") returned -1 [0103.460] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="boot.ini") returned -1 [0103.461] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="AUTOEXEC.BAT") returned -1 [0103.461] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="ntuser.dat") returned -1 [0103.461] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="desktop.ini") returned -1 [0103.461] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="CONFIG.SYS") returned -1 [0103.461] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="RECYCLER") returned -1 [0103.461] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="BOOTSECT.BAK") returned -1 [0103.461] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="bootmgr") returned -1 [0103.461] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="programdata") returned -1 [0103.461] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="appdata") returned -1 [0103.461] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="program files") returned -1 [0103.461] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="program files (x86)") returned -1 [0103.461] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="microsoft") returned -1 [0103.461] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="sophos") returned -1 [0103.461] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bdf8 [0103.461] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0103.461] PathFindExtensionW (pszPath="1vklh8M8Z8dNT7GK8u.jpg") returned=".jpg" [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0103.461] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0103.461] lstrcmpiW (lpString1="1vklh8M8Z8dNT7GK8u.jpg", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.461] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0103.462] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\1vklh8M8Z8dNT7GK8u.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\1vklh8m8z8dnt7gk8u.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0103.462] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=64946) returned 1 [0103.462] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0103.462] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.462] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0103.462] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.462] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0103.462] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0103.462] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x100) returned 1 [0103.462] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be794*=0x100) returned 1 [0103.463] GetTickCount () returned 0x115b041 [0103.463] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0103.463] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0103.463] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xfdb2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.463] SetLastError (dwErrCode=0x0) [0103.463] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.464] GetLastError () returned 0x0 [0103.464] GetLastError () returned 0x0 [0103.464] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xfeb2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.464] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.464] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xffb2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.464] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x38a7fb80, dwHighDateTime=0x1d5f971)) [0103.464] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0103.464] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0103.464] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0103.464] GetProcessHeap () returned 0xbc0000 [0103.464] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xfdb2) returned 0xbf2638 [0103.464] GetSystemDefaultLangID () returned 0xbd0409 [0103.464] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.464] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xfdb2, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xfdb2, lpOverlapped=0x0) returned 1 [0103.481] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.481] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xfdb2, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xfdb2, lpOverlapped=0x0) returned 1 [0103.481] GetProcessHeap () returned 0xbc0000 [0103.481] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0103.481] CloseHandle (hObject=0x270) returned 1 [0103.482] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0103.482] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0103.482] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0103.482] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.482] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e888 [0103.482] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\1vklh8M8Z8dNT7GK8u.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\1vklh8m8z8dnt7gk8u.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\1vklh8M8Z8dNT7GK8u.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\1vklh8m8z8dnt7gk8u.jpg.nefilim")) returned 1 [0103.482] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e888 | out: hHeap=0x2680000) returned 1 [0103.482] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0103.482] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94b65b60, ftCreationTime.dwHighDateTime=0x1d5eaa5, ftLastAccessTime.dwLowDateTime=0x20dd4030, ftLastAccessTime.dwHighDateTime=0x1d5e34f, ftLastWriteTime.dwLowDateTime=0x20dd4030, ftLastWriteTime.dwHighDateTime=0x1d5e34f, nFileSizeHigh=0x0, nFileSizeLow=0xb059, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="72x6.m4a", cAlternateFileName="")) returned 1 [0103.482] lstrcmpiW (lpString1="72x6.m4a", lpString2=".") returned 1 [0103.482] lstrcmpiW (lpString1="72x6.m4a", lpString2="..") returned 1 [0103.482] lstrcmpiW (lpString1="72x6.m4a", lpString2="...") returned 1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="windows") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="$RECYCLE.BIN") returned 1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="rsa") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="NTDETECT.COM") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="ntldr") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="MSDOS.SYS") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="IO.SYS") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="boot.ini") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="AUTOEXEC.BAT") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="ntuser.dat") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="desktop.ini") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="CONFIG.SYS") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="RECYCLER") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="BOOTSECT.BAK") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="bootmgr") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="programdata") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="appdata") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="program files") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="program files (x86)") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="microsoft") returned -1 [0103.483] lstrcmpiW (lpString1="72x6.m4a", lpString2="sophos") returned -1 [0103.483] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e800 [0103.483] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0103.483] PathFindExtensionW (pszPath="72x6.m4a") returned=".m4a" [0103.483] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0103.483] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0103.483] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0103.483] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0103.483] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0103.483] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0103.483] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0103.483] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0103.483] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0103.483] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0103.484] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0103.484] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0103.484] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0103.484] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0103.484] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0103.484] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0103.484] lstrcmpiW (lpString1="72x6.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.484] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0103.484] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\72x6.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\72x6.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0103.484] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=45145) returned 1 [0103.484] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.484] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0103.484] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.484] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0103.484] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0103.484] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0103.484] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be798*=0x100) returned 1 [0103.486] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be794*=0x100) returned 1 [0103.487] GetTickCount () returned 0x115b061 [0103.487] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0103.487] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0103.487] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb059, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.487] SetLastError (dwErrCode=0x0) [0103.487] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.488] GetLastError () returned 0x0 [0103.488] GetLastError () returned 0x0 [0103.488] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb159, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.488] WriteFile (in: hFile=0x270, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.488] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb259, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.488] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x38acbdc0, dwHighDateTime=0x1d5f971)) [0103.488] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.488] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.488] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0103.488] GetProcessHeap () returned 0xbc0000 [0103.488] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xb059) returned 0xbf2638 [0103.489] GetSystemDefaultLangID () returned 0xbd0409 [0103.489] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.489] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xb059, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xb059, lpOverlapped=0x0) returned 1 [0103.491] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.491] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xb059, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xb059, lpOverlapped=0x0) returned 1 [0103.491] GetProcessHeap () returned 0xbc0000 [0103.491] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0103.491] CloseHandle (hObject=0x270) returned 1 [0103.491] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0103.491] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0103.491] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.491] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0103.492] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0103.492] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\72x6.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\72x6.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\72x6.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\72x6.m4a.nefilim")) returned 1 [0103.492] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0103.492] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0103.492] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x228adc10, ftCreationTime.dwHighDateTime=0x1d5e0d1, ftLastAccessTime.dwLowDateTime=0x1c002dd0, ftLastAccessTime.dwHighDateTime=0x1d5f127, ftLastWriteTime.dwLowDateTime=0x1c002dd0, ftLastWriteTime.dwHighDateTime=0x1d5f127, nFileSizeHigh=0x0, nFileSizeLow=0x2c90, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="9QjQWE.m4a", cAlternateFileName="")) returned 1 [0103.492] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2=".") returned 1 [0103.492] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="..") returned 1 [0103.492] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="...") returned 1 [0103.492] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="windows") returned -1 [0103.492] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="$RECYCLE.BIN") returned 1 [0103.492] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="rsa") returned -1 [0103.492] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="NTDETECT.COM") returned -1 [0103.492] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="ntldr") returned -1 [0103.492] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="MSDOS.SYS") returned -1 [0103.492] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="IO.SYS") returned -1 [0103.492] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="boot.ini") returned -1 [0103.492] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="AUTOEXEC.BAT") returned -1 [0103.492] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="ntuser.dat") returned -1 [0103.493] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="desktop.ini") returned -1 [0103.493] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="CONFIG.SYS") returned -1 [0103.493] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="RECYCLER") returned -1 [0103.493] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="BOOTSECT.BAK") returned -1 [0103.493] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="bootmgr") returned -1 [0103.493] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="programdata") returned -1 [0103.493] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="appdata") returned -1 [0103.493] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="program files") returned -1 [0103.493] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="program files (x86)") returned -1 [0103.493] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="microsoft") returned -1 [0103.493] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="sophos") returned -1 [0103.493] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0103.493] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0103.493] PathFindExtensionW (pszPath="9QjQWE.m4a") returned=".m4a" [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0103.493] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0103.493] lstrcmpiW (lpString1="9QjQWE.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.493] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0103.493] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\9QjQWE.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\9qjqwe.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0103.494] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=11408) returned 1 [0103.494] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0103.494] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.494] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0103.494] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.494] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0103.494] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0103.494] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be798*=0x100) returned 1 [0103.495] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be794*=0x100) returned 1 [0103.496] GetTickCount () returned 0x115b061 [0103.496] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0103.496] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0103.496] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2c90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.496] SetLastError (dwErrCode=0x0) [0103.496] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.497] GetLastError () returned 0x0 [0103.497] GetLastError () returned 0x0 [0103.497] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2d90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.497] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.497] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2e90, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.497] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x38af2178, dwHighDateTime=0x1d5f971)) [0103.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0103.497] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0103.497] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0103.498] GetProcessHeap () returned 0xbc0000 [0103.498] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2c90) returned 0xbf2638 [0103.498] GetSystemDefaultLangID () returned 0xbd0409 [0103.498] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.498] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2c90, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2c90, lpOverlapped=0x0) returned 1 [0103.498] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.498] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2c90, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2c90, lpOverlapped=0x0) returned 1 [0103.498] GetProcessHeap () returned 0xbc0000 [0103.498] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0103.499] CloseHandle (hObject=0x270) returned 1 [0103.499] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0103.499] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0103.499] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0f0 | out: hHeap=0x2680000) returned 1 [0103.499] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.499] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0103.499] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\9QjQWE.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\9qjqwe.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\9QjQWE.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\9qjqwe.m4a.nefilim")) returned 1 [0103.499] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0103.499] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0103.499] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x191f6e60, ftCreationTime.dwHighDateTime=0x1d5e69a, ftLastAccessTime.dwLowDateTime=0x6e6d8130, ftLastAccessTime.dwHighDateTime=0x1d5e75e, ftLastWriteTime.dwLowDateTime=0x6e6d8130, ftLastWriteTime.dwHighDateTime=0x1d5e75e, nFileSizeHigh=0x0, nFileSizeLow=0xaf23, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="AH26 AoUwpqqprq.jpg", cAlternateFileName="AH26AO~1.JPG")) returned 1 [0103.499] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2=".") returned 1 [0103.499] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="..") returned 1 [0103.499] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="...") returned 1 [0103.499] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="windows") returned -1 [0103.499] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="$RECYCLE.BIN") returned 1 [0103.499] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="rsa") returned -1 [0103.499] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="NTDETECT.COM") returned -1 [0103.499] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="ntldr") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="MSDOS.SYS") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="IO.SYS") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="boot.ini") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="AUTOEXEC.BAT") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="ntuser.dat") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="desktop.ini") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="CONFIG.SYS") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="RECYCLER") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="BOOTSECT.BAK") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="bootmgr") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="programdata") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="appdata") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="program files") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="program files (x86)") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="microsoft") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="sophos") returned -1 [0103.500] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0103.500] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0103.500] PathFindExtensionW (pszPath="AH26 AoUwpqqprq.jpg") returned=".jpg" [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0103.500] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0103.500] lstrcmpiW (lpString1="AH26 AoUwpqqprq.jpg", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0103.501] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\AH26 AoUwpqqprq.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\ah26 aouwpqqprq.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0103.501] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=44835) returned 1 [0103.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0103.501] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.501] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0103.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0103.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0103.501] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be798*=0x100) returned 1 [0103.502] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x100) returned 1 [0103.503] GetTickCount () returned 0x115b070 [0103.503] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0103.503] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0103.503] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xaf23, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.503] SetLastError (dwErrCode=0x0) [0103.503] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.504] GetLastError () returned 0x0 [0103.504] GetLastError () returned 0x0 [0103.504] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb023, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.504] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.504] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb123, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.504] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x38af2178, dwHighDateTime=0x1d5f971)) [0103.504] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0103.504] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0103.504] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0103.505] GetProcessHeap () returned 0xbc0000 [0103.505] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xaf23) returned 0xbf2638 [0103.505] GetSystemDefaultLangID () returned 0xbd0409 [0103.505] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.505] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xaf23, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xaf23, lpOverlapped=0x0) returned 1 [0103.507] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.507] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xaf23, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xaf23, lpOverlapped=0x0) returned 1 [0103.507] GetProcessHeap () returned 0xbc0000 [0103.507] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0103.507] CloseHandle (hObject=0x270) returned 1 [0103.507] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0103.507] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0103.507] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.508] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0103.508] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e888 [0103.508] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\AH26 AoUwpqqprq.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\ah26 aouwpqqprq.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\AH26 AoUwpqqprq.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\ah26 aouwpqqprq.jpg.nefilim")) returned 1 [0103.508] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e888 | out: hHeap=0x2680000) returned 1 [0103.508] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0103.508] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c441360, ftCreationTime.dwHighDateTime=0x1d5e1f2, ftLastAccessTime.dwLowDateTime=0x656f73e0, ftLastAccessTime.dwHighDateTime=0x1d5f05f, ftLastWriteTime.dwLowDateTime=0x656f73e0, ftLastWriteTime.dwHighDateTime=0x1d5f05f, nFileSizeHigh=0x0, nFileSizeLow=0x149fc, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="Aitz_oAcE1YBhfs.mp4", cAlternateFileName="AITZ_O~1.MP4")) returned 1 [0103.508] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2=".") returned 1 [0103.508] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="..") returned 1 [0103.508] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="...") returned 1 [0103.508] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="windows") returned -1 [0103.508] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="$RECYCLE.BIN") returned 1 [0103.508] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="rsa") returned -1 [0103.508] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="NTDETECT.COM") returned -1 [0103.508] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="ntldr") returned -1 [0103.508] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="MSDOS.SYS") returned -1 [0103.508] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="IO.SYS") returned -1 [0103.508] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="boot.ini") returned -1 [0103.508] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="AUTOEXEC.BAT") returned -1 [0103.508] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="ntuser.dat") returned -1 [0103.508] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="desktop.ini") returned -1 [0103.508] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="CONFIG.SYS") returned -1 [0103.509] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="RECYCLER") returned -1 [0103.509] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="BOOTSECT.BAK") returned -1 [0103.509] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="bootmgr") returned -1 [0103.509] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="programdata") returned -1 [0103.509] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="appdata") returned -1 [0103.509] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="program files") returned -1 [0103.509] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="program files (x86)") returned -1 [0103.509] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="microsoft") returned -1 [0103.509] lstrcmpiW (lpString1="Aitz_oAcE1YBhfs.mp4", lpString2="sophos") returned -1 [0103.509] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0103.509] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0103.509] PathFindExtensionW (pszPath="Aitz_oAcE1YBhfs.mp4") returned=".mp4" [0103.509] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0103.509] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0103.509] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0103.509] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0103.509] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0103.509] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0103.509] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0103.509] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0103.509] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0103.509] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0103.509] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0103.509] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0103.509] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0103.509] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71b9b820, ftCreationTime.dwHighDateTime=0x1d5e3ff, ftLastAccessTime.dwLowDateTime=0x3a2db140, ftLastAccessTime.dwHighDateTime=0x1d5e6c0, ftLastWriteTime.dwLowDateTime=0x3a2db140, ftLastWriteTime.dwHighDateTime=0x1d5e6c0, nFileSizeHigh=0x0, nFileSizeLow=0x104ba, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="FsxDVopEe uQxzWpS2L.mp3", cAlternateFileName="FSXDVO~1.MP3")) returned 1 [0103.509] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2=".") returned 1 [0103.509] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="..") returned 1 [0103.509] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="...") returned 1 [0103.509] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="windows") returned -1 [0103.509] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="$RECYCLE.BIN") returned 1 [0103.509] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="rsa") returned -1 [0103.509] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="NTDETECT.COM") returned -1 [0103.509] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="ntldr") returned -1 [0103.509] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="MSDOS.SYS") returned -1 [0103.510] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="IO.SYS") returned -1 [0103.510] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="boot.ini") returned 1 [0103.510] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0103.510] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="ntuser.dat") returned -1 [0103.510] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="desktop.ini") returned 1 [0103.510] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="CONFIG.SYS") returned 1 [0103.510] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="RECYCLER") returned -1 [0103.510] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="BOOTSECT.BAK") returned 1 [0103.510] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="bootmgr") returned 1 [0103.510] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="programdata") returned -1 [0103.510] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="appdata") returned 1 [0103.510] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="program files") returned -1 [0103.510] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="program files (x86)") returned -1 [0103.510] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="microsoft") returned -1 [0103.510] lstrcmpiW (lpString1="FsxDVopEe uQxzWpS2L.mp3", lpString2="sophos") returned -1 [0103.510] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0103.510] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0103.510] PathFindExtensionW (pszPath="FsxDVopEe uQxzWpS2L.mp3") returned=".mp3" [0103.510] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0103.510] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0103.510] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0103.510] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0103.510] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0103.510] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0103.510] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0103.510] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0103.510] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0103.510] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0103.510] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0103.510] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a5ce190, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x80ab88b0, ftLastAccessTime.dwHighDateTime=0x1d5e303, ftLastWriteTime.dwLowDateTime=0x80ab88b0, ftLastWriteTime.dwHighDateTime=0x1d5e303, nFileSizeHigh=0x0, nFileSizeLow=0x13c25, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="mUBh833FbaP0FHbPF6.flv", cAlternateFileName="MUBH83~1.FLV")) returned 1 [0103.510] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2=".") returned 1 [0103.510] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="..") returned 1 [0103.510] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="...") returned 1 [0103.510] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="windows") returned -1 [0103.510] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="$RECYCLE.BIN") returned 1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="rsa") returned -1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="NTDETECT.COM") returned -1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="ntldr") returned -1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="MSDOS.SYS") returned 1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="IO.SYS") returned 1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="boot.ini") returned 1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="AUTOEXEC.BAT") returned 1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="ntuser.dat") returned -1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="desktop.ini") returned 1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="CONFIG.SYS") returned 1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="RECYCLER") returned -1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="BOOTSECT.BAK") returned 1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="bootmgr") returned 1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="programdata") returned -1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="appdata") returned 1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="program files") returned -1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="program files (x86)") returned -1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="microsoft") returned 1 [0103.511] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="sophos") returned -1 [0103.511] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be18 [0103.511] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0103.511] PathFindExtensionW (pszPath="mUBh833FbaP0FHbPF6.flv") returned=".flv" [0103.511] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0103.511] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0103.511] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0103.511] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0103.511] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0103.511] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0103.511] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0103.511] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0103.511] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0103.511] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0103.511] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0103.511] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0103.511] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0103.512] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0103.512] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0103.512] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0103.512] lstrcmpiW (lpString1="mUBh833FbaP0FHbPF6.flv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.512] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0103.512] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\mUBh833FbaP0FHbPF6.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\mubh833fbap0fhbpf6.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0103.512] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=80933) returned 1 [0103.512] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.512] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0103.572] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.572] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0103.572] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0103.572] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0103.572] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be798*=0x100) returned 1 [0103.572] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x100) returned 1 [0103.572] GetTickCount () returned 0x115b0af [0103.572] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0103.572] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0103.572] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x13c25, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.572] SetLastError (dwErrCode=0x0) [0103.573] WriteFile (in: hFile=0x270, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.573] GetLastError () returned 0x0 [0103.573] GetLastError () returned 0x0 [0103.573] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x13d25, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.573] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.574] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x13e25, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.574] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x38b8aaa0, dwHighDateTime=0x1d5f971)) [0103.574] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.574] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.574] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0103.574] GetProcessHeap () returned 0xbc0000 [0103.574] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x13c25) returned 0xbf2638 [0103.574] GetSystemDefaultLangID () returned 0xbd0409 [0103.574] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.574] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x13c25, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x13c25, lpOverlapped=0x0) returned 1 [0103.579] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.579] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x13c25, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x13c25, lpOverlapped=0x0) returned 1 [0103.579] GetProcessHeap () returned 0xbc0000 [0103.579] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0103.579] CloseHandle (hObject=0x270) returned 1 [0103.579] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0103.579] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0103.579] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.579] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0103.579] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0103.579] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\mUBh833FbaP0FHbPF6.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\mubh833fbap0fhbpf6.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\mUBh833FbaP0FHbPF6.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\mubh833fbap0fhbpf6.flv.nefilim")) returned 1 [0103.580] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0103.580] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0103.580] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa930b7d0, ftCreationTime.dwHighDateTime=0x1d5ef1d, ftLastAccessTime.dwLowDateTime=0xf260d40, ftLastAccessTime.dwHighDateTime=0x1d5e20a, ftLastWriteTime.dwLowDateTime=0xf260d40, ftLastWriteTime.dwHighDateTime=0x1d5e20a, nFileSizeHigh=0x0, nFileSizeLow=0xd695, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="no7udHEXBi03rrFIb.gif", cAlternateFileName="NO7UDH~1.GIF")) returned 1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2=".") returned 1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="..") returned 1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="...") returned 1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="windows") returned -1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="$RECYCLE.BIN") returned 1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="rsa") returned -1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="NTDETECT.COM") returned -1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="ntldr") returned -1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="MSDOS.SYS") returned 1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="IO.SYS") returned 1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="boot.ini") returned 1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="AUTOEXEC.BAT") returned 1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="ntuser.dat") returned -1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="desktop.ini") returned 1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="CONFIG.SYS") returned 1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="RECYCLER") returned -1 [0103.580] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="BOOTSECT.BAK") returned 1 [0103.581] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="bootmgr") returned 1 [0103.581] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="programdata") returned -1 [0103.581] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="appdata") returned 1 [0103.581] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="program files") returned -1 [0103.581] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="program files (x86)") returned -1 [0103.581] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="microsoft") returned 1 [0103.581] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="sophos") returned -1 [0103.581] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0103.581] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0103.581] PathFindExtensionW (pszPath="no7udHEXBi03rrFIb.gif") returned=".gif" [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0103.581] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0103.581] lstrcmpiW (lpString1="no7udHEXBi03rrFIb.gif", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0103.581] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be18 [0103.581] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\no7udHEXBi03rrFIb.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\no7udhexbi03rrfib.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0103.581] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=54933) returned 1 [0103.582] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0103.582] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.582] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0103.582] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.582] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0103.582] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0103.582] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x100) returned 1 [0103.582] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be794*=0x100) returned 1 [0103.583] GetTickCount () returned 0x115b0be [0103.583] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0103.583] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0103.583] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd695, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.583] SetLastError (dwErrCode=0x0) [0103.583] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.584] GetLastError () returned 0x0 [0103.584] GetLastError () returned 0x0 [0103.584] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd795, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.584] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.584] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd895, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.584] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x38bb0d16, dwHighDateTime=0x1d5f971)) [0103.584] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.584] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0103.584] GetProcessHeap () returned 0xbc0000 [0103.584] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xd695) returned 0xbf2638 [0103.585] GetSystemDefaultLangID () returned 0xbd0409 [0103.585] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.585] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xd695, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xd695, lpOverlapped=0x0) returned 1 [0103.588] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.589] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xd695, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xd695, lpOverlapped=0x0) returned 1 [0103.589] GetProcessHeap () returned 0xbc0000 [0103.589] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0103.590] CloseHandle (hObject=0x270) returned 1 [0103.590] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0103.590] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0103.590] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0103.590] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.590] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0103.590] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\no7udHEXBi03rrFIb.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\no7udhexbi03rrfib.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\no7udHEXBi03rrFIb.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\no7udhexbi03rrfib.gif.nefilim")) returned 1 [0103.593] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0103.593] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0103.593] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4749930, ftCreationTime.dwHighDateTime=0x1d5f0d3, ftLastAccessTime.dwLowDateTime=0x48165710, ftLastAccessTime.dwHighDateTime=0x1d5e6f4, ftLastWriteTime.dwLowDateTime=0x48165710, ftLastWriteTime.dwHighDateTime=0x1d5e6f4, nFileSizeHigh=0x0, nFileSizeLow=0x9492, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="ojukZoQqW9uFnXdh.avi", cAlternateFileName="OJUKZO~1.AVI")) returned 1 [0103.593] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2=".") returned 1 [0103.593] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="..") returned 1 [0103.593] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="...") returned 1 [0103.593] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="windows") returned -1 [0103.593] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="$RECYCLE.BIN") returned 1 [0103.593] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="rsa") returned -1 [0103.593] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="NTDETECT.COM") returned 1 [0103.593] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="ntldr") returned 1 [0103.593] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="MSDOS.SYS") returned 1 [0103.593] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="IO.SYS") returned 1 [0103.593] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="boot.ini") returned 1 [0103.594] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="AUTOEXEC.BAT") returned 1 [0103.594] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="ntuser.dat") returned 1 [0103.594] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="desktop.ini") returned 1 [0103.594] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="CONFIG.SYS") returned 1 [0103.594] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="RECYCLER") returned -1 [0103.594] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="BOOTSECT.BAK") returned 1 [0103.594] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="bootmgr") returned 1 [0103.594] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="programdata") returned -1 [0103.594] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="appdata") returned 1 [0103.594] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="program files") returned -1 [0103.594] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="program files (x86)") returned -1 [0103.594] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="microsoft") returned 1 [0103.594] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="sophos") returned -1 [0103.594] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be18 [0103.594] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0103.594] PathFindExtensionW (pszPath="ojukZoQqW9uFnXdh.avi") returned=".avi" [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0103.594] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0103.594] lstrcmpiW (lpString1="ojukZoQqW9uFnXdh.avi", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0103.594] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0103.594] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\ojukZoQqW9uFnXdh.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\ojukzoqqw9ufnxdh.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0103.595] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=38034) returned 1 [0103.595] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.595] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0103.595] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.595] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0103.595] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0103.595] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0103.595] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be798*=0x100) returned 1 [0103.597] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be794*=0x100) returned 1 [0103.598] GetTickCount () returned 0x115b0ce [0103.598] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0103.598] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0103.598] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x9492, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.598] SetLastError (dwErrCode=0x0) [0103.598] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.599] GetLastError () returned 0x0 [0103.599] GetLastError () returned 0x0 [0103.599] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x9592, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.599] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.599] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x9692, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.599] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x38bd709b, dwHighDateTime=0x1d5f971)) [0103.599] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.599] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.599] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0103.599] GetProcessHeap () returned 0xbc0000 [0103.599] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x9492) returned 0xbf2638 [0103.599] GetSystemDefaultLangID () returned 0xbd0409 [0103.599] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.599] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x9492, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x9492, lpOverlapped=0x0) returned 1 [0103.601] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.601] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x9492, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x9492, lpOverlapped=0x0) returned 1 [0103.602] GetProcessHeap () returned 0xbc0000 [0103.602] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0103.602] CloseHandle (hObject=0x270) returned 1 [0103.602] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0103.602] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0103.602] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.602] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0103.602] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0103.602] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\ojukZoQqW9uFnXdh.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\ojukzoqqw9ufnxdh.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\ojukZoQqW9uFnXdh.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\ojukzoqqw9ufnxdh.avi.nefilim")) returned 1 [0103.602] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0103.602] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0103.602] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91262800, ftCreationTime.dwHighDateTime=0x1d5e30b, ftLastAccessTime.dwLowDateTime=0xf09bb870, ftLastAccessTime.dwHighDateTime=0x1d5e2db, ftLastWriteTime.dwLowDateTime=0xf09bb870, ftLastWriteTime.dwHighDateTime=0x1d5e2db, nFileSizeHigh=0x0, nFileSizeLow=0x869c, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="pg-N.m4a", cAlternateFileName="")) returned 1 [0103.602] lstrcmpiW (lpString1="pg-N.m4a", lpString2=".") returned 1 [0103.602] lstrcmpiW (lpString1="pg-N.m4a", lpString2="..") returned 1 [0103.602] lstrcmpiW (lpString1="pg-N.m4a", lpString2="...") returned 1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="windows") returned -1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="$RECYCLE.BIN") returned 1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="rsa") returned -1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="NTDETECT.COM") returned 1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="ntldr") returned 1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="MSDOS.SYS") returned 1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="IO.SYS") returned 1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="boot.ini") returned 1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="ntuser.dat") returned 1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="desktop.ini") returned 1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="CONFIG.SYS") returned 1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="RECYCLER") returned -1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="BOOTSECT.BAK") returned 1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="bootmgr") returned 1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="programdata") returned -1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="appdata") returned 1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="program files") returned -1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="program files (x86)") returned -1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="microsoft") returned 1 [0103.603] lstrcmpiW (lpString1="pg-N.m4a", lpString2="sophos") returned -1 [0103.603] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0103.603] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0103.603] PathFindExtensionW (pszPath="pg-N.m4a") returned=".m4a" [0103.603] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0103.603] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0103.603] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0103.603] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0103.603] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0103.603] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0103.603] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0103.603] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0103.603] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0103.603] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0103.603] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0103.603] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0103.604] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0103.604] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0103.604] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0103.604] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0103.604] lstrcmpiW (lpString1="pg-N.m4a", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0103.604] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0103.604] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\pg-N.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\pg-n.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0103.604] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=34460) returned 1 [0103.604] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.604] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0103.604] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.604] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0103.604] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0103.604] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0103.604] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be798*=0x100) returned 1 [0103.604] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x100) returned 1 [0103.605] GetTickCount () returned 0x115b0ce [0103.605] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0103.605] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0103.605] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x869c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.605] SetLastError (dwErrCode=0x0) [0103.605] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.605] GetLastError () returned 0x0 [0103.605] GetLastError () returned 0x0 [0103.605] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x879c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.606] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.606] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x889c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.606] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x38bd709b, dwHighDateTime=0x1d5f971)) [0103.606] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0103.606] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0103.606] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0103.606] GetProcessHeap () returned 0xbc0000 [0103.606] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x869c) returned 0xbf2638 [0103.606] GetSystemDefaultLangID () returned 0xbd0409 [0103.606] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.606] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x869c, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x869c, lpOverlapped=0x0) returned 1 [0103.608] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.608] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x869c, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x869c, lpOverlapped=0x0) returned 1 [0103.608] GetProcessHeap () returned 0xbc0000 [0103.608] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0103.608] CloseHandle (hObject=0x270) returned 1 [0103.608] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0103.608] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0103.608] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.608] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0103.608] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0103.609] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\pg-N.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\pg-n.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\pg-N.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\pg-n.m4a.nefilim")) returned 1 [0103.609] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0103.609] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0103.609] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf301a0, ftCreationTime.dwHighDateTime=0x1d5e6e1, ftLastAccessTime.dwLowDateTime=0x1f8e1e10, ftLastAccessTime.dwHighDateTime=0x1d5e738, ftLastWriteTime.dwLowDateTime=0x1f8e1e10, ftLastWriteTime.dwHighDateTime=0x1d5e738, nFileSizeHigh=0x0, nFileSizeLow=0x8424, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="QilJpdvKo.png", cAlternateFileName="QILJPD~1.PNG")) returned 1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2=".") returned 1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="..") returned 1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="...") returned 1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="windows") returned -1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="$RECYCLE.BIN") returned 1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="rsa") returned -1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="NTDETECT.COM") returned 1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="ntldr") returned 1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="MSDOS.SYS") returned 1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="IO.SYS") returned 1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="boot.ini") returned 1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="AUTOEXEC.BAT") returned 1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="ntuser.dat") returned 1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="desktop.ini") returned 1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="CONFIG.SYS") returned 1 [0103.609] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="RECYCLER") returned -1 [0103.610] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="BOOTSECT.BAK") returned 1 [0103.610] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="bootmgr") returned 1 [0103.610] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="programdata") returned 1 [0103.610] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="appdata") returned 1 [0103.610] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="program files") returned 1 [0103.610] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="program files (x86)") returned 1 [0103.610] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="microsoft") returned 1 [0103.610] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="sophos") returned -1 [0103.610] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0103.610] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0103.610] PathFindExtensionW (pszPath="QilJpdvKo.png") returned=".png" [0103.610] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0103.610] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0103.610] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0103.610] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0103.610] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0103.610] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0103.610] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0103.610] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0103.610] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0103.610] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0103.610] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0103.610] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0103.610] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0103.610] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0103.610] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0103.610] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0103.610] lstrcmpiW (lpString1="QilJpdvKo.png", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0103.610] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0103.610] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\QilJpdvKo.png" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\qiljpdvko.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0103.610] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=33828) returned 1 [0103.610] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0103.611] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.611] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0103.611] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.611] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0103.611] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0103.611] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x100) returned 1 [0103.611] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x100) returned 1 [0103.611] GetTickCount () returned 0x115b0de [0103.611] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0103.611] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0103.611] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x8424, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.611] SetLastError (dwErrCode=0x0) [0103.611] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.612] GetLastError () returned 0x0 [0103.612] GetLastError () returned 0x0 [0103.612] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x8524, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.612] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.612] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x8624, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.612] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x38bfd295, dwHighDateTime=0x1d5f971)) [0103.612] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0103.612] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0103.612] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0103.612] GetProcessHeap () returned 0xbc0000 [0103.612] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x8424) returned 0xbf2638 [0103.612] GetSystemDefaultLangID () returned 0xbd0409 [0103.612] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.613] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x8424, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x8424, lpOverlapped=0x0) returned 1 [0103.616] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.616] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x8424, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x8424, lpOverlapped=0x0) returned 1 [0103.616] GetProcessHeap () returned 0xbc0000 [0103.616] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0103.616] CloseHandle (hObject=0x270) returned 1 [0103.616] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0103.616] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0103.616] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0103.616] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.617] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0103.617] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\QilJpdvKo.png" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\qiljpdvko.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\QilJpdvKo.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\qiljpdvko.png.nefilim")) returned 1 [0103.617] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0103.617] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0103.617] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce34f2f0, ftCreationTime.dwHighDateTime=0x1d5eae3, ftLastAccessTime.dwLowDateTime=0xa28afe50, ftLastAccessTime.dwHighDateTime=0x1d5e9b8, ftLastWriteTime.dwLowDateTime=0xa28afe50, ftLastWriteTime.dwHighDateTime=0x1d5e9b8, nFileSizeHigh=0x0, nFileSizeLow=0x8152, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="Qqc L1ACD.png", cAlternateFileName="QQCL1A~1.PNG")) returned 1 [0103.617] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2=".") returned 1 [0103.617] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="..") returned 1 [0103.617] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="...") returned 1 [0103.617] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="windows") returned -1 [0103.617] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="$RECYCLE.BIN") returned 1 [0103.617] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="rsa") returned -1 [0103.617] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="NTDETECT.COM") returned 1 [0103.617] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="ntldr") returned 1 [0103.617] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="MSDOS.SYS") returned 1 [0103.617] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="IO.SYS") returned 1 [0103.617] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="boot.ini") returned 1 [0103.617] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="AUTOEXEC.BAT") returned 1 [0103.617] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="ntuser.dat") returned 1 [0103.617] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="desktop.ini") returned 1 [0103.617] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="CONFIG.SYS") returned 1 [0103.618] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="RECYCLER") returned -1 [0103.618] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="BOOTSECT.BAK") returned 1 [0103.618] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="bootmgr") returned 1 [0103.618] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="programdata") returned 1 [0103.618] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="appdata") returned 1 [0103.618] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="program files") returned 1 [0103.618] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="program files (x86)") returned 1 [0103.618] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="microsoft") returned 1 [0103.618] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="sophos") returned -1 [0103.618] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0103.618] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0103.618] PathFindExtensionW (pszPath="Qqc L1ACD.png") returned=".png" [0103.618] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0103.618] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0103.618] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0103.618] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0103.618] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0103.618] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0103.618] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0103.618] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0103.618] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0103.618] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0103.618] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0103.618] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0103.618] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0103.618] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0103.618] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0103.618] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0103.618] lstrcmpiW (lpString1="Qqc L1ACD.png", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0103.618] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0103.618] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\Qqc L1ACD.png" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\qqc l1acd.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0103.618] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=33106) returned 1 [0103.619] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0103.619] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.619] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0103.619] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.619] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0103.619] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0103.619] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be798*=0x100) returned 1 [0103.620] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be794*=0x100) returned 1 [0103.621] GetTickCount () returned 0x115b0de [0103.621] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0103.621] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0103.621] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x8152, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.621] SetLastError (dwErrCode=0x0) [0103.621] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.739] GetLastError () returned 0x0 [0103.739] GetLastError () returned 0x0 [0103.739] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x8252, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.739] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.740] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x8352, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.740] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x38d43a67, dwHighDateTime=0x1d5f971)) [0103.740] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0103.740] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0103.740] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0103.740] GetProcessHeap () returned 0xbc0000 [0103.740] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x8152) returned 0xbf2638 [0103.740] GetSystemDefaultLangID () returned 0xbd0409 [0103.740] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.740] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x8152, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x8152, lpOverlapped=0x0) returned 1 [0103.742] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.742] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x8152, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x8152, lpOverlapped=0x0) returned 1 [0103.743] GetProcessHeap () returned 0xbc0000 [0103.743] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0103.743] CloseHandle (hObject=0x270) returned 1 [0103.743] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0103.743] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0103.743] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0103.743] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.743] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0103.743] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\Qqc L1ACD.png" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\qqc l1acd.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\Qqc L1ACD.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\qqc l1acd.png.nefilim")) returned 1 [0103.744] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0103.744] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0103.744] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe791cde0, ftCreationTime.dwHighDateTime=0x1d5f006, ftLastAccessTime.dwLowDateTime=0xbcf1acc0, ftLastAccessTime.dwHighDateTime=0x1d5ebe9, ftLastWriteTime.dwLowDateTime=0xbcf1acc0, ftLastWriteTime.dwHighDateTime=0x1d5ebe9, nFileSizeHigh=0x0, nFileSizeLow=0x13e66, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="RGWmL8P6mvuGgi.swf", cAlternateFileName="RGWML8~1.SWF")) returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2=".") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="..") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="...") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="windows") returned -1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="$RECYCLE.BIN") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="rsa") returned -1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="NTDETECT.COM") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="ntldr") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="MSDOS.SYS") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="IO.SYS") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="boot.ini") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="AUTOEXEC.BAT") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="ntuser.dat") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="desktop.ini") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="CONFIG.SYS") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="RECYCLER") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="BOOTSECT.BAK") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="bootmgr") returned 1 [0103.744] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="programdata") returned 1 [0103.745] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="appdata") returned 1 [0103.745] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="program files") returned 1 [0103.745] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="program files (x86)") returned 1 [0103.745] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="microsoft") returned 1 [0103.745] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="sophos") returned -1 [0103.745] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0103.745] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0103.745] PathFindExtensionW (pszPath="RGWmL8P6mvuGgi.swf") returned=".swf" [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0103.745] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0103.745] lstrcmpiW (lpString1="RGWmL8P6mvuGgi.swf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0103.745] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0103.746] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\RGWmL8P6mvuGgi.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\rgwml8p6mvuggi.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0103.746] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=81510) returned 1 [0103.746] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0103.746] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.746] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0103.746] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.746] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0103.746] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0103.746] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be798*=0x100) returned 1 [0103.747] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be794*=0x100) returned 1 [0103.748] GetTickCount () returned 0x115b16a [0103.748] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0103.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0103.748] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x13e66, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.748] SetLastError (dwErrCode=0x0) [0103.748] WriteFile (in: hFile=0x270, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.749] GetLastError () returned 0x0 [0103.749] GetLastError () returned 0x0 [0103.749] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x13f66, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.749] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.750] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14066, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.750] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x38d5c0d5, dwHighDateTime=0x1d5f971)) [0103.750] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0103.750] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0103.750] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0103.750] GetProcessHeap () returned 0xbc0000 [0103.750] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x13e66) returned 0xbf2638 [0103.751] GetSystemDefaultLangID () returned 0xbd0409 [0103.751] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.752] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x13e66, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x13e66, lpOverlapped=0x0) returned 1 [0103.757] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.758] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x13e66, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x13e66, lpOverlapped=0x0) returned 1 [0103.758] GetProcessHeap () returned 0xbc0000 [0103.758] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0103.758] CloseHandle (hObject=0x270) returned 1 [0103.761] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0103.761] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0103.761] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0103.762] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.762] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e888 [0103.762] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\RGWmL8P6mvuGgi.swf" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\rgwml8p6mvuggi.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\RGWmL8P6mvuGgi.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\rgwml8p6mvuggi.swf.nefilim")) returned 1 [0103.762] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e888 | out: hHeap=0x2680000) returned 1 [0103.762] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0103.762] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a22ba0, ftCreationTime.dwHighDateTime=0x1d5efb0, ftLastAccessTime.dwLowDateTime=0x994a6990, ftLastAccessTime.dwHighDateTime=0x1d5edb2, ftLastWriteTime.dwLowDateTime=0x994a6990, ftLastWriteTime.dwHighDateTime=0x1d5edb2, nFileSizeHigh=0x0, nFileSizeLow=0xc83a, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="vFdLM7Utsv.doc", cAlternateFileName="VFDLM7~1.DOC")) returned 1 [0103.762] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2=".") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="..") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="...") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="windows") returned -1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="$RECYCLE.BIN") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="rsa") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="NTDETECT.COM") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="ntldr") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="MSDOS.SYS") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="IO.SYS") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="boot.ini") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="AUTOEXEC.BAT") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="ntuser.dat") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="desktop.ini") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="CONFIG.SYS") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="RECYCLER") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="BOOTSECT.BAK") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="bootmgr") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="programdata") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="appdata") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="program files") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="program files (x86)") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="microsoft") returned 1 [0103.763] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="sophos") returned 1 [0103.763] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0103.763] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0103.763] PathFindExtensionW (pszPath="vFdLM7Utsv.doc") returned=".doc" [0103.763] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0103.763] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0103.763] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0103.763] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0103.763] lstrcmpiW (lpString1=".doc", lpString2=".com") returned 1 [0103.763] lstrcmpiW (lpString1=".doc", lpString2=".cpl") returned 1 [0103.764] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0103.764] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0103.764] lstrcmpiW (lpString1=".doc", lpString2=".url") returned -1 [0103.764] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0103.764] lstrcmpiW (lpString1=".doc", lpString2=".mp3") returned -1 [0103.764] lstrcmpiW (lpString1=".doc", lpString2=".pif") returned -1 [0103.764] lstrcmpiW (lpString1=".doc", lpString2=".mp4") returned -1 [0103.764] lstrcmpiW (lpString1=".doc", lpString2=".NEFILIM") returned -1 [0103.764] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0103.764] lstrcmpiW (lpString1=".doc", lpString2=".lnk") returned -1 [0103.764] lstrcmpiW (lpString1="vFdLM7Utsv.doc", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0103.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0103.764] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\vFdLM7Utsv.doc" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\vfdlm7utsv.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0103.764] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=51258) returned 1 [0103.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0103.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.764] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0103.764] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ee0 [0103.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0103.764] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ee0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ee0*, pdwDataLen=0x25be798*=0x100) returned 1 [0103.766] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x100) returned 1 [0103.767] GetTickCount () returned 0x115b189 [0103.767] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0103.767] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0103.767] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xc83a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.767] SetLastError (dwErrCode=0x0) [0103.767] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ee0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.768] GetLastError () returned 0x0 [0103.768] GetLastError () returned 0x0 [0103.768] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xc93a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.768] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.768] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xca3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.768] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x38d80fbc, dwHighDateTime=0x1d5f971)) [0103.768] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0103.768] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0103.768] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0103.768] GetProcessHeap () returned 0xbc0000 [0103.768] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xc83a) returned 0xbf2638 [0103.768] GetSystemDefaultLangID () returned 0xbd0409 [0103.768] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.768] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xc83a, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xc83a, lpOverlapped=0x0) returned 1 [0103.771] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.771] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xc83a, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xc83a, lpOverlapped=0x0) returned 1 [0103.771] GetProcessHeap () returned 0xbc0000 [0103.771] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0103.772] CloseHandle (hObject=0x270) returned 1 [0103.772] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ee0 | out: hHeap=0x2680000) returned 1 [0103.772] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0103.772] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0103.772] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.772] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0103.772] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\vFdLM7Utsv.doc" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\vfdlm7utsv.doc"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\vFdLM7Utsv.doc.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\vfdlm7utsv.doc.nefilim")) returned 1 [0103.773] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0103.773] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0103.773] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25916030, ftCreationTime.dwHighDateTime=0x1d5ec54, ftLastAccessTime.dwLowDateTime=0xdbc6100, ftLastAccessTime.dwHighDateTime=0x1d5e18f, ftLastWriteTime.dwLowDateTime=0xdbc6100, ftLastWriteTime.dwHighDateTime=0x1d5e18f, nFileSizeHigh=0x0, nFileSizeLow=0x4f3b, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="Zc14 xa1riSQm2.avi", cAlternateFileName="ZC14XA~1.AVI")) returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2=".") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="..") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="...") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="windows") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="$RECYCLE.BIN") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="rsa") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="NTDETECT.COM") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="ntldr") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="MSDOS.SYS") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="IO.SYS") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="boot.ini") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="AUTOEXEC.BAT") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="ntuser.dat") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="desktop.ini") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="CONFIG.SYS") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="RECYCLER") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="BOOTSECT.BAK") returned 1 [0103.773] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="bootmgr") returned 1 [0103.774] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="programdata") returned 1 [0103.774] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="appdata") returned 1 [0103.774] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="program files") returned 1 [0103.774] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="program files (x86)") returned 1 [0103.774] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="microsoft") returned 1 [0103.774] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="sophos") returned 1 [0103.774] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0103.774] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0103.774] PathFindExtensionW (pszPath="Zc14 xa1riSQm2.avi") returned=".avi" [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0103.774] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0103.774] lstrcmpiW (lpString1="Zc14 xa1riSQm2.avi", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0103.774] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0103.774] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\Zc14 xa1riSQm2.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\zc14 xa1risqm2.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0103.774] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=20283) returned 1 [0103.774] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0103.774] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0103.775] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0103.775] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0103.775] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0103.775] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0103.775] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be798*=0x100) returned 1 [0103.776] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x100) returned 1 [0103.776] GetTickCount () returned 0x115b189 [0103.776] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0103.776] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0103.776] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4f3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.776] SetLastError (dwErrCode=0x0) [0103.776] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.777] GetLastError () returned 0x0 [0103.777] GetLastError () returned 0x0 [0103.777] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x503b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.777] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.777] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x513b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.777] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x38d80fbc, dwHighDateTime=0x1d5f971)) [0103.777] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0103.777] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0103.777] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0103.777] GetProcessHeap () returned 0xbc0000 [0103.777] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x4f3b) returned 0xbf2638 [0103.778] GetSystemDefaultLangID () returned 0xbd0409 [0103.778] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.778] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x4f3b, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x4f3b, lpOverlapped=0x0) returned 1 [0103.779] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.779] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x4f3b, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x4f3b, lpOverlapped=0x0) returned 1 [0103.779] GetProcessHeap () returned 0xbc0000 [0103.779] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0103.779] CloseHandle (hObject=0x270) returned 1 [0103.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0103.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0103.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0103.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0103.779] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e888 [0103.779] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\Zc14 xa1riSQm2.avi" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\zc14 xa1risqm2.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\Zc14 xa1riSQm2.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\zc14 xa1risqm2.avi.nefilim")) returned 1 [0103.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e888 | out: hHeap=0x2680000) returned 1 [0103.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0103.780] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7f59370, ftCreationTime.dwHighDateTime=0x1d5e4cf, ftLastAccessTime.dwLowDateTime=0xda0f0580, ftLastAccessTime.dwHighDateTime=0x1d5e0ce, ftLastWriteTime.dwLowDateTime=0xda0f0580, ftLastWriteTime.dwHighDateTime=0x1d5e0ce, nFileSizeHigh=0x0, nFileSizeLow=0x3c68, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="ZUOa4nJPUKoue1JJDV0Y.jpg", cAlternateFileName="ZUOA4N~1.JPG")) returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2=".") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="..") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="...") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="windows") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="$RECYCLE.BIN") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="rsa") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="NTDETECT.COM") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="ntldr") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="MSDOS.SYS") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="IO.SYS") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="boot.ini") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="ntuser.dat") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="desktop.ini") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="CONFIG.SYS") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="RECYCLER") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="BOOTSECT.BAK") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="bootmgr") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="programdata") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="appdata") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="program files") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="program files (x86)") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="microsoft") returned 1 [0103.780] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="sophos") returned 1 [0103.828] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0103.829] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0103.829] PathFindExtensionW (pszPath="ZUOa4nJPUKoue1JJDV0Y.jpg") returned=".jpg" [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0103.829] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0103.829] lstrcmpiW (lpString1="ZUOa4nJPUKoue1JJDV0Y.jpg", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0103.829] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0103.829] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\ZUOa4nJPUKoue1JJDV0Y.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\zuoa4njpukoue1jjdv0y.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0103.829] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=15464) returned 1 [0103.829] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.829] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0103.829] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.829] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0103.830] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0103.830] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0103.830] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be798*=0x100) returned 1 [0103.830] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x100) returned 1 [0103.830] GetTickCount () returned 0x115b1c8 [0103.830] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0103.830] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0103.830] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3c68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.830] SetLastError (dwErrCode=0x0) [0103.830] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.831] GetLastError () returned 0x0 [0103.831] GetLastError () returned 0x0 [0103.831] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3d68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.831] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0103.831] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3e68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.831] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x38e19bca, dwHighDateTime=0x1d5f971)) [0103.831] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.831] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.831] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0103.831] GetProcessHeap () returned 0xbc0000 [0103.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3c68) returned 0xbf2638 [0103.832] GetSystemDefaultLangID () returned 0xbd0409 [0103.832] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.832] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3c68, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3c68, lpOverlapped=0x0) returned 1 [0103.832] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.832] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3c68, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3c68, lpOverlapped=0x0) returned 1 [0103.832] GetProcessHeap () returned 0xbc0000 [0103.833] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0103.833] CloseHandle (hObject=0x270) returned 1 [0103.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0103.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0103.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.834] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0103.834] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268be28 [0103.834] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\ZUOa4nJPUKoue1JJDV0Y.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\zuoa4njpukoue1jjdv0y.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\ZUOa4nJPUKoue1JJDV0Y.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\iprzsihtaueym-d\\zuoa4njpukoue1jjdv0y.jpg.nefilim")) returned 1 [0103.834] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be28 | out: hHeap=0x2680000) returned 1 [0103.834] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0103.834] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7f59370, ftCreationTime.dwHighDateTime=0x1d5e4cf, ftLastAccessTime.dwLowDateTime=0xda0f0580, ftLastAccessTime.dwHighDateTime=0x1d5e0ce, ftLastWriteTime.dwLowDateTime=0xda0f0580, ftLastWriteTime.dwHighDateTime=0x1d5e0ce, nFileSizeHigh=0x0, nFileSizeLow=0x3c68, dwReserved0=0x2680508, dwReserved1=0x15000015, cFileName="ZUOa4nJPUKoue1JJDV0Y.jpg", cAlternateFileName="ZUOA4N~1.JPG")) returned 0 [0103.834] FindClose (in: hFindFile=0xbe2908 | out: hFindFile=0xbe2908) returned 1 [0103.835] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0103.835] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0103.835] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0103.835] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce241090, ftCreationTime.dwHighDateTime=0x1d5e370, ftLastAccessTime.dwLowDateTime=0x1d45f2e0, ftLastAccessTime.dwHighDateTime=0x1d5e995, ftLastWriteTime.dwLowDateTime=0x1d45f2e0, ftLastWriteTime.dwHighDateTime=0x1d5e995, nFileSizeHigh=0x0, nFileSizeLow=0xec7a, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="IY 9uezyn_XgTjW1YOa.flv", cAlternateFileName="IY9UEZ~1.FLV")) returned 1 [0103.835] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2=".") returned 1 [0103.835] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="..") returned 1 [0103.835] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="...") returned 1 [0103.835] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="windows") returned -1 [0103.835] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="$RECYCLE.BIN") returned 1 [0103.835] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="rsa") returned -1 [0103.835] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="NTDETECT.COM") returned -1 [0103.835] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="ntldr") returned -1 [0103.835] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="MSDOS.SYS") returned -1 [0103.835] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="IO.SYS") returned 1 [0103.835] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="boot.ini") returned 1 [0103.835] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="AUTOEXEC.BAT") returned 1 [0103.835] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="ntuser.dat") returned -1 [0103.835] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="desktop.ini") returned 1 [0103.835] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="CONFIG.SYS") returned 1 [0103.836] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="RECYCLER") returned -1 [0103.836] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="BOOTSECT.BAK") returned 1 [0103.836] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="bootmgr") returned 1 [0103.836] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="programdata") returned -1 [0103.836] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="appdata") returned 1 [0103.836] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="program files") returned -1 [0103.836] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="program files (x86)") returned -1 [0103.836] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="microsoft") returned -1 [0103.836] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="sophos") returned -1 [0103.836] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0103.836] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0103.836] PathFindExtensionW (pszPath="IY 9uezyn_XgTjW1YOa.flv") returned=".flv" [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0103.836] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0103.836] lstrcmpiW (lpString1="IY 9uezyn_XgTjW1YOa.flv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.836] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0103.836] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\IY 9uezyn_XgTjW1YOa.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\iy 9uezyn_xgtjw1yoa.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0103.836] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=60538) returned 1 [0103.837] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.837] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0103.837] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.837] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0103.837] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0103.837] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0103.837] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25beab8*=0x100) returned 1 [0103.837] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25beab4*=0x100) returned 1 [0103.837] GetTickCount () returned 0x115b1c8 [0103.837] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e420 [0103.837] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e420 | out: hHeap=0x2680000) returned 1 [0103.837] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xec7a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.837] SetLastError (dwErrCode=0x0) [0103.838] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.838] GetLastError () returned 0x0 [0103.838] GetLastError () returned 0x0 [0103.838] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xed7a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.838] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.838] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xee7a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.838] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x38e19bca, dwHighDateTime=0x1d5f971)) [0103.839] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.839] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.839] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0103.839] GetProcessHeap () returned 0xbc0000 [0103.839] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xec7a) returned 0xbf1630 [0103.839] GetSystemDefaultLangID () returned 0xbd0409 [0103.839] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.839] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xec7a, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xec7a, lpOverlapped=0x0) returned 1 [0103.842] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.842] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xec7a, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xec7a, lpOverlapped=0x0) returned 1 [0103.842] GetProcessHeap () returned 0xbc0000 [0103.842] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0103.844] CloseHandle (hObject=0x26c) returned 1 [0103.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0103.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0103.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0103.844] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0103.844] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\IY 9uezyn_XgTjW1YOa.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\iy 9uezyn_xgtjw1yoa.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\IY 9uezyn_XgTjW1YOa.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\iy 9uezyn_xgtjw1yoa.flv.nefilim")) returned 1 [0103.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0103.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0103.844] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239a52c0, ftCreationTime.dwHighDateTime=0x1d5e6d0, ftLastAccessTime.dwLowDateTime=0xca154f40, ftLastAccessTime.dwHighDateTime=0x1d5e2e5, ftLastWriteTime.dwLowDateTime=0xca154f40, ftLastWriteTime.dwHighDateTime=0x1d5e2e5, nFileSizeHigh=0x0, nFileSizeLow=0x165c5, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="Je6LYK 6Lx.wav", cAlternateFileName="JE6LYK~1.WAV")) returned 1 [0103.845] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2=".") returned 1 [0103.845] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="..") returned 1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="...") returned 1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="windows") returned -1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="$RECYCLE.BIN") returned 1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="rsa") returned -1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="NTDETECT.COM") returned -1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="ntldr") returned -1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="MSDOS.SYS") returned -1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="IO.SYS") returned 1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="boot.ini") returned 1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="AUTOEXEC.BAT") returned 1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="ntuser.dat") returned -1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="desktop.ini") returned 1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="CONFIG.SYS") returned 1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="RECYCLER") returned -1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="BOOTSECT.BAK") returned 1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="bootmgr") returned 1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="programdata") returned -1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="appdata") returned 1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="program files") returned -1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="program files (x86)") returned -1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="microsoft") returned -1 [0103.846] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="sophos") returned -1 [0103.846] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0103.846] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0103.846] PathFindExtensionW (pszPath="Je6LYK 6Lx.wav") returned=".wav" [0103.846] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0103.846] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0103.846] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0103.846] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0103.846] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0103.846] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0103.846] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0103.846] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0103.846] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0103.846] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0103.847] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0103.847] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0103.847] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0103.847] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0103.847] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0103.847] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0103.847] lstrcmpiW (lpString1="Je6LYK 6Lx.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.847] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680508 [0103.847] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\Je6LYK 6Lx.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\je6lyk 6lx.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0103.847] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=91589) returned 1 [0103.847] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.847] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0103.847] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.847] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0103.847] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0103.847] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0103.847] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25beab8*=0x100) returned 1 [0103.849] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x100) returned 1 [0103.850] GetTickCount () returned 0x115b1d8 [0103.850] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0103.850] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0103.850] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x165c5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.850] SetLastError (dwErrCode=0x0) [0103.850] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.851] GetLastError () returned 0x0 [0103.851] GetLastError () returned 0x0 [0103.851] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x166c5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.851] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.851] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x167c5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.851] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x38e3fea2, dwHighDateTime=0x1d5f971)) [0103.851] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0103.851] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0103.851] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0103.851] GetProcessHeap () returned 0xbc0000 [0103.851] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x165c5) returned 0xbf1630 [0103.852] GetSystemDefaultLangID () returned 0xbd0409 [0103.852] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.852] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x165c5, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x165c5, lpOverlapped=0x0) returned 1 [0103.857] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.857] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x165c5, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x165c5, lpOverlapped=0x0) returned 1 [0103.857] GetProcessHeap () returned 0xbc0000 [0103.857] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0103.857] CloseHandle (hObject=0x26c) returned 1 [0103.857] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0103.857] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0103.857] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.857] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0103.857] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0103.857] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\Je6LYK 6Lx.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\je6lyk 6lx.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\Je6LYK 6Lx.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\je6lyk 6lx.wav.nefilim")) returned 1 [0103.858] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0103.858] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0103.858] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4aa378f0, ftCreationTime.dwHighDateTime=0x1d5e915, ftLastAccessTime.dwLowDateTime=0xb4ff77b0, ftLastAccessTime.dwHighDateTime=0x1d5efe8, ftLastWriteTime.dwLowDateTime=0xb4ff77b0, ftLastWriteTime.dwHighDateTime=0x1d5efe8, nFileSizeHigh=0x0, nFileSizeLow=0x100ca, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="jK3UiqMdVNzsBsO_I.m4a", cAlternateFileName="JK3UIQ~1.M4A")) returned 1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2=".") returned 1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="..") returned 1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="...") returned 1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="windows") returned -1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="$RECYCLE.BIN") returned 1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="rsa") returned -1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="NTDETECT.COM") returned -1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="ntldr") returned -1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="MSDOS.SYS") returned -1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="IO.SYS") returned 1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="boot.ini") returned 1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="ntuser.dat") returned -1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="desktop.ini") returned 1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="CONFIG.SYS") returned 1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="RECYCLER") returned -1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="BOOTSECT.BAK") returned 1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="bootmgr") returned 1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="programdata") returned -1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="appdata") returned 1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="program files") returned -1 [0103.858] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="program files (x86)") returned -1 [0103.859] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="microsoft") returned -1 [0103.859] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="sophos") returned -1 [0103.859] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0103.859] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.859] PathFindExtensionW (pszPath="jK3UiqMdVNzsBsO_I.m4a") returned=".m4a" [0103.859] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0103.859] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0103.859] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0103.859] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0103.859] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0103.860] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0103.860] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0103.860] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0103.860] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0103.860] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0103.860] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0103.860] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0103.860] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0103.860] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0103.860] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0103.860] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0103.860] lstrcmpiW (lpString1="jK3UiqMdVNzsBsO_I.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.860] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0103.860] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\jK3UiqMdVNzsBsO_I.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\jk3uiqmdvnzsbso_i.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0103.860] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=65738) returned 1 [0103.860] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.860] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0103.860] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.860] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0103.860] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0103.860] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0103.860] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x100) returned 1 [0103.861] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x100) returned 1 [0103.863] GetTickCount () returned 0x115b1e7 [0103.863] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0103.863] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0103.863] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x100ca, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.863] SetLastError (dwErrCode=0x0) [0103.863] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.863] GetLastError () returned 0x0 [0103.864] GetLastError () returned 0x0 [0103.864] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x101ca, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.864] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.864] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x102ca, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.864] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x38e66dc7, dwHighDateTime=0x1d5f971)) [0103.864] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.864] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.864] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0103.864] GetProcessHeap () returned 0xbc0000 [0103.864] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x100ca) returned 0xbf1630 [0103.864] GetSystemDefaultLangID () returned 0xbd0409 [0103.864] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.864] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x100ca, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x100ca, lpOverlapped=0x0) returned 1 [0103.868] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.868] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x100ca, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x100ca, lpOverlapped=0x0) returned 1 [0103.868] GetProcessHeap () returned 0xbc0000 [0103.868] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0103.868] CloseHandle (hObject=0x26c) returned 1 [0103.868] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0103.868] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0103.868] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.868] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0103.868] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0103.868] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\jK3UiqMdVNzsBsO_I.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\jk3uiqmdvnzsbso_i.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\jK3UiqMdVNzsBsO_I.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\jk3uiqmdvnzsbso_i.m4a.nefilim")) returned 1 [0103.869] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0103.869] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0103.869] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36d09d00, ftCreationTime.dwHighDateTime=0x1d5f057, ftLastAccessTime.dwLowDateTime=0xbb0e5d00, ftLastAccessTime.dwHighDateTime=0x1d5ecc9, ftLastWriteTime.dwLowDateTime=0xbb0e5d00, ftLastWriteTime.dwHighDateTime=0x1d5ecc9, nFileSizeHigh=0x0, nFileSizeLow=0x2bcd, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="kDS-nb1BSH.png", cAlternateFileName="KDS-NB~1.PNG")) returned 1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2=".") returned 1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="..") returned 1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="...") returned 1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="windows") returned -1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="$RECYCLE.BIN") returned 1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="rsa") returned -1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="NTDETECT.COM") returned -1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="ntldr") returned -1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="MSDOS.SYS") returned -1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="IO.SYS") returned 1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="boot.ini") returned 1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="AUTOEXEC.BAT") returned 1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="ntuser.dat") returned -1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="desktop.ini") returned 1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="CONFIG.SYS") returned 1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="RECYCLER") returned -1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="BOOTSECT.BAK") returned 1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="bootmgr") returned 1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="programdata") returned -1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="appdata") returned 1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="program files") returned -1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="program files (x86)") returned -1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="microsoft") returned -1 [0103.869] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="sophos") returned -1 [0103.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0103.869] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0103.869] PathFindExtensionW (pszPath="kDS-nb1BSH.png") returned=".png" [0103.869] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0103.869] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0103.869] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0103.869] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0103.870] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0103.870] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0103.870] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0103.870] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0103.870] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0103.870] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0103.870] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0103.870] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0103.870] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0103.870] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0103.870] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0103.870] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0103.870] lstrcmpiW (lpString1="kDS-nb1BSH.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.870] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680508 [0103.870] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\kDS-nb1BSH.png" (normalized: "c:\\users\\fd1hvy\\desktop\\kds-nb1bsh.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0103.870] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=11213) returned 1 [0103.870] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.870] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0103.870] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.870] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0103.870] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0103.870] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0103.870] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x100) returned 1 [0103.871] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x100) returned 1 [0103.871] GetTickCount () returned 0x115b1e7 [0103.871] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0103.871] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0103.871] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x2bcd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.871] SetLastError (dwErrCode=0x0) [0103.871] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.872] GetLastError () returned 0x0 [0103.872] GetLastError () returned 0x0 [0103.872] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x2ccd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.872] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.872] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x2dcd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.872] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x38e66dc7, dwHighDateTime=0x1d5f971)) [0103.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0103.872] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0103.872] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0103.872] GetProcessHeap () returned 0xbc0000 [0103.872] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2bcd) returned 0xbf1630 [0103.872] GetSystemDefaultLangID () returned 0xbd0409 [0103.872] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.872] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x2bcd, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x2bcd, lpOverlapped=0x0) returned 1 [0103.873] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.873] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x2bcd, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x2bcd, lpOverlapped=0x0) returned 1 [0103.873] GetProcessHeap () returned 0xbc0000 [0103.873] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0103.873] CloseHandle (hObject=0x26c) returned 1 [0103.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0103.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0103.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0103.873] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0103.873] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\kDS-nb1BSH.png" (normalized: "c:\\users\\fd1hvy\\desktop\\kds-nb1bsh.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\kDS-nb1BSH.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\kds-nb1bsh.png.nefilim")) returned 1 [0103.874] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0103.874] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0103.874] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4d02950, ftCreationTime.dwHighDateTime=0x1d5e45a, ftLastAccessTime.dwLowDateTime=0x9e9488d0, ftLastAccessTime.dwHighDateTime=0x1d5e570, ftLastWriteTime.dwLowDateTime=0x9e9488d0, ftLastWriteTime.dwHighDateTime=0x1d5e570, nFileSizeHigh=0x0, nFileSizeLow=0x7cbe, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="KHYINgV3G7QU.pptx", cAlternateFileName="KHYING~1.PPT")) returned 1 [0103.874] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2=".") returned 1 [0103.874] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="..") returned 1 [0103.874] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="...") returned 1 [0103.874] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="windows") returned -1 [0103.874] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="$RECYCLE.BIN") returned 1 [0103.874] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="rsa") returned -1 [0103.874] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="NTDETECT.COM") returned -1 [0103.874] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="ntldr") returned -1 [0103.874] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="MSDOS.SYS") returned -1 [0103.874] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="IO.SYS") returned 1 [0103.874] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="boot.ini") returned 1 [0103.874] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0103.926] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="ntuser.dat") returned -1 [0103.926] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="desktop.ini") returned 1 [0103.926] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="CONFIG.SYS") returned 1 [0103.926] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="RECYCLER") returned -1 [0103.926] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="BOOTSECT.BAK") returned 1 [0103.926] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="bootmgr") returned 1 [0103.926] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="programdata") returned -1 [0103.926] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="appdata") returned 1 [0103.926] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="program files") returned -1 [0103.926] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="program files (x86)") returned -1 [0103.926] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="microsoft") returned -1 [0103.926] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="sophos") returned -1 [0103.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0103.926] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.926] PathFindExtensionW (pszPath="KHYINgV3G7QU.pptx") returned=".pptx" [0103.926] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0103.926] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0103.926] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0103.926] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0103.926] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0103.926] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0103.927] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0103.927] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0103.927] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0103.927] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0103.927] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0103.927] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0103.927] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0103.927] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0103.927] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0103.927] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0103.927] lstrcmpiW (lpString1="KHYINgV3G7QU.pptx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.927] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0103.927] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\KHYINgV3G7QU.pptx" (normalized: "c:\\users\\fd1hvy\\desktop\\khyingv3g7qu.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0103.927] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=31934) returned 1 [0103.927] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0103.927] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.927] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0103.927] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.927] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ee0 [0103.927] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0103.927] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ee0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ee0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0103.928] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25beab4*=0x100) returned 1 [0103.928] GetTickCount () returned 0x115b226 [0103.928] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0103.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0103.928] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x7cbe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.928] SetLastError (dwErrCode=0x0) [0103.928] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0ee0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.929] GetLastError () returned 0x0 [0103.929] GetLastError () returned 0x0 [0103.929] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x7dbe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.929] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.929] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x7ebe, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.929] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x38efea3d, dwHighDateTime=0x1d5f971)) [0103.929] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.929] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.929] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0103.929] GetProcessHeap () returned 0xbc0000 [0103.929] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x7cbe) returned 0xbf1630 [0103.929] GetSystemDefaultLangID () returned 0xbd0409 [0103.929] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.929] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x7cbe, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x7cbe, lpOverlapped=0x0) returned 1 [0103.931] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.931] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x7cbe, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x7cbe, lpOverlapped=0x0) returned 1 [0103.931] GetProcessHeap () returned 0xbc0000 [0103.931] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0103.931] CloseHandle (hObject=0x26c) returned 1 [0103.931] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ee0 | out: hHeap=0x2680000) returned 1 [0103.931] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0103.931] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0103.931] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.931] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0103.931] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\KHYINgV3G7QU.pptx" (normalized: "c:\\users\\fd1hvy\\desktop\\khyingv3g7qu.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\KHYINgV3G7QU.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\khyingv3g7qu.pptx.nefilim")) returned 1 [0103.932] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0103.932] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0103.932] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c3899d0, ftCreationTime.dwHighDateTime=0x1d5e52f, ftLastAccessTime.dwLowDateTime=0xfe631650, ftLastAccessTime.dwHighDateTime=0x1d5e980, ftLastWriteTime.dwLowDateTime=0xfe631650, ftLastWriteTime.dwHighDateTime=0x1d5e980, nFileSizeHigh=0x0, nFileSizeLow=0x17d59, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="ks3Rocg.xls", cAlternateFileName="")) returned 1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2=".") returned 1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="..") returned 1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="...") returned 1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="windows") returned -1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="$RECYCLE.BIN") returned 1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="rsa") returned -1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="NTDETECT.COM") returned -1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="ntldr") returned -1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="MSDOS.SYS") returned -1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="IO.SYS") returned 1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="boot.ini") returned 1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="AUTOEXEC.BAT") returned 1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="ntuser.dat") returned -1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="desktop.ini") returned 1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="CONFIG.SYS") returned 1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="RECYCLER") returned -1 [0103.932] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="BOOTSECT.BAK") returned 1 [0103.933] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="bootmgr") returned 1 [0103.933] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="programdata") returned -1 [0103.933] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="appdata") returned 1 [0103.933] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="program files") returned -1 [0103.933] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="program files (x86)") returned -1 [0103.933] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="microsoft") returned -1 [0103.933] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="sophos") returned -1 [0103.933] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0103.933] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0103.933] PathFindExtensionW (pszPath="ks3Rocg.xls") returned=".xls" [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".NEFILIM") returned 1 [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0103.933] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0103.933] lstrcmpiW (lpString1="ks3Rocg.xls", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.933] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680508 [0103.933] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\ks3Rocg.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\ks3rocg.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0103.933] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=97625) returned 1 [0103.933] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0103.934] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.934] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0103.934] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.934] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0103.934] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0103.934] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25beab8*=0x100) returned 1 [0103.934] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x100) returned 1 [0103.935] GetTickCount () returned 0x115b226 [0103.935] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0103.935] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0103.935] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x17d59, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.935] SetLastError (dwErrCode=0x0) [0103.935] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.936] GetLastError () returned 0x0 [0103.936] GetLastError () returned 0x0 [0103.936] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x17e59, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.936] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.936] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x17f59, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.936] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x38efea3d, dwHighDateTime=0x1d5f971)) [0103.936] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0103.936] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0103.936] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0103.936] GetProcessHeap () returned 0xbc0000 [0103.936] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x17d59) returned 0xbf1630 [0103.937] GetSystemDefaultLangID () returned 0xbd0409 [0103.937] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.937] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x17d59, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x17d59, lpOverlapped=0x0) returned 1 [0103.943] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.943] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x17d59, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x17d59, lpOverlapped=0x0) returned 1 [0103.944] GetProcessHeap () returned 0xbc0000 [0103.944] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0103.944] CloseHandle (hObject=0x26c) returned 1 [0103.944] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0103.944] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0103.944] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0103.945] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.945] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0103.945] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\ks3Rocg.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\ks3rocg.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\ks3Rocg.xls.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\ks3rocg.xls.nefilim")) returned 1 [0103.945] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0103.945] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0103.945] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81765f00, ftCreationTime.dwHighDateTime=0x1d5e451, ftLastAccessTime.dwLowDateTime=0xe6a666f0, ftLastAccessTime.dwHighDateTime=0x1d5e496, ftLastWriteTime.dwLowDateTime=0xe6a666f0, ftLastWriteTime.dwHighDateTime=0x1d5e496, nFileSizeHigh=0x0, nFileSizeLow=0x93b1, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="KSwkaBInUOxgrhJbAt.wav", cAlternateFileName="KSWKAB~1.WAV")) returned 1 [0103.945] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2=".") returned 1 [0103.945] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="..") returned 1 [0103.945] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="...") returned 1 [0103.945] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="windows") returned -1 [0103.945] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="$RECYCLE.BIN") returned 1 [0103.945] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="rsa") returned -1 [0103.945] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="NTDETECT.COM") returned -1 [0103.945] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="ntldr") returned -1 [0103.945] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="MSDOS.SYS") returned -1 [0103.945] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="IO.SYS") returned 1 [0103.945] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="boot.ini") returned 1 [0103.945] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="AUTOEXEC.BAT") returned 1 [0103.945] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="ntuser.dat") returned -1 [0103.946] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="desktop.ini") returned 1 [0103.946] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="CONFIG.SYS") returned 1 [0103.946] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="RECYCLER") returned -1 [0103.946] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="BOOTSECT.BAK") returned 1 [0103.946] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="bootmgr") returned 1 [0103.946] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="programdata") returned -1 [0103.946] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="appdata") returned 1 [0103.946] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="program files") returned -1 [0103.946] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="program files (x86)") returned -1 [0103.946] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="microsoft") returned -1 [0103.946] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="sophos") returned -1 [0103.946] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0103.946] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.946] PathFindExtensionW (pszPath="KSwkaBInUOxgrhJbAt.wav") returned=".wav" [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0103.946] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0103.946] lstrcmpiW (lpString1="KSwkaBInUOxgrhJbAt.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.946] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0103.946] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\KSwkaBInUOxgrhJbAt.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\kswkabinuoxgrhjbat.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0103.947] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=37809) returned 1 [0103.947] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.947] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0103.947] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.947] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0103.947] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0103.947] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0103.947] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0103.947] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x100) returned 1 [0103.947] GetTickCount () returned 0x115b235 [0103.947] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0103.947] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0103.947] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x93b1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.947] SetLastError (dwErrCode=0x0) [0103.947] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.948] GetLastError () returned 0x0 [0103.948] GetLastError () returned 0x0 [0103.948] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x94b1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.948] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.948] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x95b1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.948] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x38f24cbb, dwHighDateTime=0x1d5f971)) [0103.948] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.949] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.949] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0103.949] GetProcessHeap () returned 0xbc0000 [0103.949] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x93b1) returned 0xbf1630 [0103.949] GetSystemDefaultLangID () returned 0xbd0409 [0103.949] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.949] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x93b1, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x93b1, lpOverlapped=0x0) returned 1 [0103.951] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.951] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x93b1, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x93b1, lpOverlapped=0x0) returned 1 [0103.951] GetProcessHeap () returned 0xbc0000 [0103.951] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0103.952] CloseHandle (hObject=0x26c) returned 1 [0103.953] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0103.953] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0103.953] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.953] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0103.953] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0103.953] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\KSwkaBInUOxgrhJbAt.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\kswkabinuoxgrhjbat.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\KSwkaBInUOxgrhJbAt.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\kswkabinuoxgrhjbat.wav.nefilim")) returned 1 [0103.953] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0103.953] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0103.953] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b2910d0, ftCreationTime.dwHighDateTime=0x1d5e3a3, ftLastAccessTime.dwLowDateTime=0x2e50bd20, ftLastAccessTime.dwHighDateTime=0x1d5f054, ftLastWriteTime.dwLowDateTime=0x2e50bd20, ftLastWriteTime.dwHighDateTime=0x1d5f054, nFileSizeHigh=0x0, nFileSizeLow=0xa225, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="Mx3wLhRE1ZvGkB8PB.gif", cAlternateFileName="MX3WLH~1.GIF")) returned 1 [0103.953] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2=".") returned 1 [0103.953] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="..") returned 1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="...") returned 1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="windows") returned -1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="$RECYCLE.BIN") returned 1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="rsa") returned -1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="NTDETECT.COM") returned -1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="ntldr") returned -1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="MSDOS.SYS") returned 1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="IO.SYS") returned 1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="boot.ini") returned 1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="AUTOEXEC.BAT") returned 1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="ntuser.dat") returned -1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="desktop.ini") returned 1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="CONFIG.SYS") returned 1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="RECYCLER") returned -1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="BOOTSECT.BAK") returned 1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="bootmgr") returned 1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="programdata") returned -1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="appdata") returned 1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="program files") returned -1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="program files (x86)") returned -1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="microsoft") returned 1 [0103.954] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="sophos") returned -1 [0103.954] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0103.954] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0103.954] PathFindExtensionW (pszPath="Mx3wLhRE1ZvGkB8PB.gif") returned=".gif" [0103.954] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0103.954] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0103.954] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0103.954] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0103.954] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0103.954] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0103.954] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0103.954] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0103.954] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0103.954] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0103.955] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0103.955] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0103.955] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0103.955] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0103.955] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0103.955] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0103.955] lstrcmpiW (lpString1="Mx3wLhRE1ZvGkB8PB.gif", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.955] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0103.955] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\Mx3wLhRE1ZvGkB8PB.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\mx3wlhre1zvgkb8pb.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0103.955] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=41509) returned 1 [0103.955] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0103.955] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0103.955] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0103.955] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0103.955] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0103.955] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0103.955] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x100) returned 1 [0103.957] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25beab4*=0x100) returned 1 [0103.958] GetTickCount () returned 0x115b245 [0103.958] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0103.958] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0103.959] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa225, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.959] SetLastError (dwErrCode=0x0) [0103.959] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.959] GetLastError () returned 0x0 [0103.959] GetLastError () returned 0x0 [0103.959] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa325, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.959] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.960] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa425, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.960] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x38f4af21, dwHighDateTime=0x1d5f971)) [0103.960] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.960] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.960] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0103.960] GetProcessHeap () returned 0xbc0000 [0103.960] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xa225) returned 0xbf1630 [0103.960] GetSystemDefaultLangID () returned 0xbd0409 [0103.960] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.960] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xa225, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xa225, lpOverlapped=0x0) returned 1 [0103.962] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.962] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xa225, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xa225, lpOverlapped=0x0) returned 1 [0103.962] GetProcessHeap () returned 0xbc0000 [0103.962] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0103.962] CloseHandle (hObject=0x26c) returned 1 [0103.963] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0103.963] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0103.963] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0103.963] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0103.963] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0103.963] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\Mx3wLhRE1ZvGkB8PB.gif" (normalized: "c:\\users\\fd1hvy\\desktop\\mx3wlhre1zvgkb8pb.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\Mx3wLhRE1ZvGkB8PB.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\mx3wlhre1zvgkb8pb.gif.nefilim")) returned 1 [0103.963] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0103.963] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0103.963] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75f70730, ftCreationTime.dwHighDateTime=0x1d5ed14, ftLastAccessTime.dwLowDateTime=0xaf976410, ftLastAccessTime.dwHighDateTime=0x1d5eb90, ftLastWriteTime.dwLowDateTime=0xaf976410, ftLastWriteTime.dwHighDateTime=0x1d5eb90, nFileSizeHigh=0x0, nFileSizeLow=0x9054, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="n51_ DrMwvEIpS.m4a", cAlternateFileName="N51_DR~1.M4A")) returned 1 [0103.963] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2=".") returned 1 [0103.963] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="..") returned 1 [0103.963] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="...") returned 1 [0103.963] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="windows") returned -1 [0103.963] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="$RECYCLE.BIN") returned 1 [0103.963] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="rsa") returned -1 [0103.963] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="NTDETECT.COM") returned -1 [0103.963] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="ntldr") returned -1 [0103.963] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="MSDOS.SYS") returned 1 [0103.963] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="IO.SYS") returned 1 [0103.963] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="boot.ini") returned 1 [0103.964] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0103.964] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="ntuser.dat") returned -1 [0103.964] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="desktop.ini") returned 1 [0103.964] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="CONFIG.SYS") returned 1 [0103.964] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="RECYCLER") returned -1 [0103.964] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="BOOTSECT.BAK") returned 1 [0103.964] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="bootmgr") returned 1 [0103.964] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="programdata") returned -1 [0103.964] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="appdata") returned 1 [0103.964] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="program files") returned -1 [0103.964] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="program files (x86)") returned -1 [0103.964] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="microsoft") returned 1 [0103.964] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="sophos") returned -1 [0103.964] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0103.964] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0103.964] PathFindExtensionW (pszPath="n51_ DrMwvEIpS.m4a") returned=".m4a" [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0103.964] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0103.964] lstrcmpiW (lpString1="n51_ DrMwvEIpS.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0103.964] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0103.964] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\n51_ DrMwvEIpS.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\n51_ drmwveips.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0103.965] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=36948) returned 1 [0103.965] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0103.965] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0103.965] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0103.965] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0103.965] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0103.965] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0103.965] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x100) returned 1 [0103.965] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x100) returned 1 [0103.965] GetTickCount () returned 0x115b245 [0103.965] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0103.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0103.965] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x9054, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.965] SetLastError (dwErrCode=0x0) [0103.965] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.966] GetLastError () returned 0x0 [0103.966] GetLastError () returned 0x0 [0103.966] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x9154, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.966] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0103.966] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x9254, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.966] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x38f4af21, dwHighDateTime=0x1d5f971)) [0103.966] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0103.966] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0103.966] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0103.967] GetProcessHeap () returned 0xbc0000 [0103.967] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x9054) returned 0xbf1630 [0103.967] GetSystemDefaultLangID () returned 0xbd0409 [0103.967] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0103.967] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x9054, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x9054, lpOverlapped=0x0) returned 1 [0104.017] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.017] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x9054, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x9054, lpOverlapped=0x0) returned 1 [0104.018] GetProcessHeap () returned 0xbc0000 [0104.018] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.018] CloseHandle (hObject=0x26c) returned 1 [0104.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0104.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0104.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0104.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0104.018] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0104.018] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\n51_ DrMwvEIpS.m4a" (normalized: "c:\\users\\fd1hvy\\desktop\\n51_ drmwveips.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\n51_ DrMwvEIpS.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\n51_ drmwveips.m4a.nefilim")) returned 1 [0104.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0104.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.019] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8fd93f0, ftCreationTime.dwHighDateTime=0x1d5e28d, ftLastAccessTime.dwLowDateTime=0xe3e15720, ftLastAccessTime.dwHighDateTime=0x1d5ede4, ftLastWriteTime.dwLowDateTime=0xe3e15720, ftLastWriteTime.dwHighDateTime=0x1d5ede4, nFileSizeHigh=0x0, nFileSizeLow=0xbd79, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="O2-LElLBnR9u591jQksK.jpg", cAlternateFileName="O2-LEL~1.JPG")) returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2=".") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="..") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="...") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="windows") returned -1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="$RECYCLE.BIN") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="rsa") returned -1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="NTDETECT.COM") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="ntldr") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="MSDOS.SYS") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="IO.SYS") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="boot.ini") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="ntuser.dat") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="desktop.ini") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="CONFIG.SYS") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="RECYCLER") returned -1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="BOOTSECT.BAK") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="bootmgr") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="programdata") returned -1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="appdata") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="program files") returned -1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="program files (x86)") returned -1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="microsoft") returned 1 [0104.019] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="sophos") returned -1 [0104.019] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0104.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0104.019] PathFindExtensionW (pszPath="O2-LElLBnR9u591jQksK.jpg") returned=".jpg" [0104.019] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0104.020] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0104.020] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0104.020] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0104.020] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0104.020] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0104.020] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0104.020] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0104.020] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0104.020] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0104.020] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0104.020] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0104.020] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0104.020] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0104.020] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0104.020] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0104.020] lstrcmpiW (lpString1="O2-LElLBnR9u591jQksK.jpg", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0104.020] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e360 [0104.020] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\O2-LElLBnR9u591jQksK.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\o2-lellbnr9u591jqksk.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.020] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=48505) returned 1 [0104.020] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.020] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.020] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.020] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.020] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0104.020] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0104.020] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.021] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.022] GetTickCount () returned 0x115b283 [0104.022] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0104.022] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0104.022] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xbd79, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.022] SetLastError (dwErrCode=0x0) [0104.022] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.023] GetLastError () returned 0x0 [0104.023] GetLastError () returned 0x0 [0104.023] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xbe79, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.023] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.023] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xbf79, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.023] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x38fe37c7, dwHighDateTime=0x1d5f971)) [0104.023] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0104.023] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0104.023] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.023] GetProcessHeap () returned 0xbc0000 [0104.023] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xbd79) returned 0xbf1630 [0104.024] GetSystemDefaultLangID () returned 0xbd0409 [0104.024] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.024] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xbd79, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xbd79, lpOverlapped=0x0) returned 1 [0104.027] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.027] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xbd79, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xbd79, lpOverlapped=0x0) returned 1 [0104.027] GetProcessHeap () returned 0xbc0000 [0104.027] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.027] CloseHandle (hObject=0x26c) returned 1 [0104.027] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0104.027] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0104.027] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.027] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.027] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2680508 [0104.027] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\O2-LElLBnR9u591jQksK.jpg" (normalized: "c:\\users\\fd1hvy\\desktop\\o2-lellbnr9u591jqksk.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\O2-LElLBnR9u591jQksK.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\o2-lellbnr9u591jqksk.jpg.nefilim")) returned 1 [0104.028] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0104.028] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0104.028] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7c36510, ftCreationTime.dwHighDateTime=0x1d5e7a3, ftLastAccessTime.dwLowDateTime=0xe559bc00, ftLastAccessTime.dwHighDateTime=0x1d5e5f1, ftLastWriteTime.dwLowDateTime=0xe559bc00, ftLastWriteTime.dwHighDateTime=0x1d5e5f1, nFileSizeHigh=0x0, nFileSizeLow=0x1673e, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="P5OFM7V.mp3", cAlternateFileName="")) returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2=".") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="..") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="...") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="windows") returned -1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="$RECYCLE.BIN") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="rsa") returned -1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="NTDETECT.COM") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="ntldr") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="MSDOS.SYS") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="IO.SYS") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="boot.ini") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="ntuser.dat") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="desktop.ini") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="CONFIG.SYS") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="RECYCLER") returned -1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="BOOTSECT.BAK") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="bootmgr") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="programdata") returned -1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="appdata") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="program files") returned -1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="program files (x86)") returned -1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="microsoft") returned 1 [0104.028] lstrcmpiW (lpString1="P5OFM7V.mp3", lpString2="sophos") returned -1 [0104.028] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0104.028] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.028] PathFindExtensionW (pszPath="P5OFM7V.mp3") returned=".mp3" [0104.028] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0104.028] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0104.029] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0104.029] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0104.029] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0104.029] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0104.029] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0104.029] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0104.029] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0104.029] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0104.029] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0104.029] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b201900, ftCreationTime.dwHighDateTime=0x1d5e4ef, ftLastAccessTime.dwLowDateTime=0x643c7390, ftLastAccessTime.dwHighDateTime=0x1d5ed69, ftLastWriteTime.dwLowDateTime=0x643c7390, ftLastWriteTime.dwHighDateTime=0x1d5ed69, nFileSizeHigh=0x0, nFileSizeLow=0x13ae6, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="SDgo9.xls", cAlternateFileName="")) returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2=".") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="..") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="...") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="windows") returned -1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="$RECYCLE.BIN") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="rsa") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="NTDETECT.COM") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="ntldr") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="MSDOS.SYS") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="IO.SYS") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="boot.ini") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="AUTOEXEC.BAT") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="ntuser.dat") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="desktop.ini") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="CONFIG.SYS") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="RECYCLER") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="BOOTSECT.BAK") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="bootmgr") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="programdata") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="appdata") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="program files") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="program files (x86)") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="microsoft") returned 1 [0104.029] lstrcmpiW (lpString1="SDgo9.xls", lpString2="sophos") returned -1 [0104.029] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680508 [0104.029] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0104.030] PathFindExtensionW (pszPath="SDgo9.xls") returned=".xls" [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".NEFILIM") returned 1 [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0104.030] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0104.030] lstrcmpiW (lpString1="SDgo9.xls", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0104.030] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0104.030] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\SDgo9.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\sdgo9.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.030] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=80614) returned 1 [0104.030] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.030] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.030] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.030] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.030] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0104.030] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0104.031] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.031] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.031] GetTickCount () returned 0x115b293 [0104.031] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0104.031] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0104.031] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x13ae6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.031] SetLastError (dwErrCode=0x0) [0104.031] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.032] GetLastError () returned 0x0 [0104.032] GetLastError () returned 0x0 [0104.032] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x13be6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.032] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.032] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x13ce6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.032] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x39009db7, dwHighDateTime=0x1d5f971)) [0104.032] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0104.032] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0104.032] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.032] GetProcessHeap () returned 0xbc0000 [0104.032] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x13ae6) returned 0xbf1630 [0104.032] GetSystemDefaultLangID () returned 0xbd0409 [0104.032] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.032] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x13ae6, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x13ae6, lpOverlapped=0x0) returned 1 [0104.037] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.037] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x13ae6, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x13ae6, lpOverlapped=0x0) returned 1 [0104.037] GetProcessHeap () returned 0xbc0000 [0104.037] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.037] CloseHandle (hObject=0x26c) returned 1 [0104.037] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0104.037] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0104.037] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.037] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.037] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0104.037] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\SDgo9.xls" (normalized: "c:\\users\\fd1hvy\\desktop\\sdgo9.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\SDgo9.xls.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\sdgo9.xls.nefilim")) returned 1 [0104.038] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.038] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0104.038] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb37ca400, ftCreationTime.dwHighDateTime=0x1d5f0b3, ftLastAccessTime.dwLowDateTime=0x236ab2d0, ftLastAccessTime.dwHighDateTime=0x1d5e505, ftLastWriteTime.dwLowDateTime=0x236ab2d0, ftLastWriteTime.dwHighDateTime=0x1d5e505, nFileSizeHigh=0x0, nFileSizeLow=0x8994, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="sIT3gvh.mkv", cAlternateFileName="")) returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2=".") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="..") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="...") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="windows") returned -1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="$RECYCLE.BIN") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="rsa") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="NTDETECT.COM") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="ntldr") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="MSDOS.SYS") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="IO.SYS") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="boot.ini") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="ntuser.dat") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="desktop.ini") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="CONFIG.SYS") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="RECYCLER") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="BOOTSECT.BAK") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="bootmgr") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="programdata") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="appdata") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="program files") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="program files (x86)") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="microsoft") returned 1 [0104.038] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="sophos") returned -1 [0104.038] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0104.038] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0104.038] PathFindExtensionW (pszPath="sIT3gvh.mkv") returned=".mkv" [0104.038] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0104.039] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0104.039] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0104.039] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0104.039] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0104.039] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0104.039] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0104.039] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0104.039] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0104.039] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0104.039] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0104.039] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0104.039] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0104.039] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0104.039] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0104.039] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0104.039] lstrcmpiW (lpString1="sIT3gvh.mkv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0104.039] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680508 [0104.039] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\sIT3gvh.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\sit3gvh.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.039] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=35220) returned 1 [0104.039] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.039] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.039] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.039] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.039] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0104.039] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0104.039] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.040] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.042] GetTickCount () returned 0x115b293 [0104.042] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0104.042] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0104.042] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x8994, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.042] SetLastError (dwErrCode=0x0) [0104.042] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.043] GetLastError () returned 0x0 [0104.043] GetLastError () returned 0x0 [0104.043] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x8a94, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.043] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.043] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x8b94, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.043] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x39009db7, dwHighDateTime=0x1d5f971)) [0104.043] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0104.043] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0104.043] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.043] GetProcessHeap () returned 0xbc0000 [0104.043] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x8994) returned 0xbf1630 [0104.043] GetSystemDefaultLangID () returned 0xbd0409 [0104.043] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.043] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x8994, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x8994, lpOverlapped=0x0) returned 1 [0104.045] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.045] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x8994, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x8994, lpOverlapped=0x0) returned 1 [0104.045] GetProcessHeap () returned 0xbc0000 [0104.045] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.045] CloseHandle (hObject=0x26c) returned 1 [0104.045] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0104.045] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0104.045] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.045] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.045] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0104.045] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\sIT3gvh.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\sit3gvh.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\sIT3gvh.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\sit3gvh.mkv.nefilim")) returned 1 [0104.046] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.046] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0104.046] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bf23d50, ftCreationTime.dwHighDateTime=0x1d5f038, ftLastAccessTime.dwLowDateTime=0x82a91a30, ftLastAccessTime.dwHighDateTime=0x1d5ee37, ftLastWriteTime.dwLowDateTime=0x82a91a30, ftLastWriteTime.dwHighDateTime=0x1d5ee37, nFileSizeHigh=0x0, nFileSizeLow=0x12ed8, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="SrDnpOBF_kLfV_HW.bmp", cAlternateFileName="SRDNPO~1.BMP")) returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2=".") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="..") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="...") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="windows") returned -1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="$RECYCLE.BIN") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="rsa") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="NTDETECT.COM") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="ntldr") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="MSDOS.SYS") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="IO.SYS") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="boot.ini") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="ntuser.dat") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="desktop.ini") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="CONFIG.SYS") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="RECYCLER") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="BOOTSECT.BAK") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="bootmgr") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="programdata") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="appdata") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="program files") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="program files (x86)") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="microsoft") returned 1 [0104.047] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="sophos") returned 1 [0104.047] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0104.047] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0104.047] PathFindExtensionW (pszPath="SrDnpOBF_kLfV_HW.bmp") returned=".bmp" [0104.047] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0104.047] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0104.047] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0104.047] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0104.047] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0104.047] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0104.048] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0104.048] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0104.048] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0104.048] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0104.048] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0104.048] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0104.048] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0104.048] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0104.048] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0104.048] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0104.048] lstrcmpiW (lpString1="SrDnpOBF_kLfV_HW.bmp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0104.048] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0104.048] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\SrDnpOBF_kLfV_HW.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\srdnpobf_klfv_hw.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.048] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=77528) returned 1 [0104.048] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0104.048] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.048] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0104.048] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.048] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0104.048] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0104.048] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.048] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.049] GetTickCount () returned 0x115b2a3 [0104.049] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e688 [0104.049] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0104.049] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x12ed8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.049] SetLastError (dwErrCode=0x0) [0104.049] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.050] GetLastError () returned 0x0 [0104.050] GetLastError () returned 0x0 [0104.050] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x12fd8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.050] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.050] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x130d8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.050] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3902ff01, dwHighDateTime=0x1d5f971)) [0104.050] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0104.050] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0104.050] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.050] GetProcessHeap () returned 0xbc0000 [0104.050] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x12ed8) returned 0xbf1630 [0104.050] GetSystemDefaultLangID () returned 0xbd0409 [0104.050] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.050] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x12ed8, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x12ed8, lpOverlapped=0x0) returned 1 [0104.054] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.054] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x12ed8, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x12ed8, lpOverlapped=0x0) returned 1 [0104.055] GetProcessHeap () returned 0xbc0000 [0104.055] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.055] CloseHandle (hObject=0x26c) returned 1 [0104.055] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0104.055] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0104.055] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0104.055] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.055] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0104.055] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\SrDnpOBF_kLfV_HW.bmp" (normalized: "c:\\users\\fd1hvy\\desktop\\srdnpobf_klfv_hw.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\SrDnpOBF_kLfV_HW.bmp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\srdnpobf_klfv_hw.bmp.nefilim")) returned 1 [0104.055] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0104.055] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.055] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf958bf0, ftCreationTime.dwHighDateTime=0x1d5f097, ftLastAccessTime.dwLowDateTime=0xe40584b0, ftLastAccessTime.dwHighDateTime=0x1d5e222, ftLastWriteTime.dwLowDateTime=0xe40584b0, ftLastWriteTime.dwHighDateTime=0x1d5e222, nFileSizeHigh=0x0, nFileSizeLow=0x3eb1, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="UceILDLIzRJdrP.mkv", cAlternateFileName="UCEILD~1.MKV")) returned 1 [0104.055] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2=".") returned 1 [0104.055] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="..") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="...") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="windows") returned -1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="$RECYCLE.BIN") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="rsa") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="NTDETECT.COM") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="ntldr") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="MSDOS.SYS") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="IO.SYS") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="boot.ini") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="ntuser.dat") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="desktop.ini") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="CONFIG.SYS") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="RECYCLER") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="BOOTSECT.BAK") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="bootmgr") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="programdata") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="appdata") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="program files") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="program files (x86)") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="microsoft") returned 1 [0104.056] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="sophos") returned 1 [0104.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0104.056] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0104.056] PathFindExtensionW (pszPath="UceILDLIzRJdrP.mkv") returned=".mkv" [0104.056] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0104.056] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0104.056] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0104.056] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0104.056] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0104.056] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0104.056] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0104.056] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0104.056] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0104.056] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0104.057] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0104.057] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0104.057] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0104.057] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0104.057] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0104.057] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0104.057] lstrcmpiW (lpString1="UceILDLIzRJdrP.mkv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0104.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0104.057] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\UceILDLIzRJdrP.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\uceildlizrjdrp.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.057] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=16049) returned 1 [0104.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0104.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.057] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0104.057] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0104.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0104.057] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.057] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.058] GetTickCount () returned 0x115b2a3 [0104.058] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0104.058] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0104.058] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3eb1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.058] SetLastError (dwErrCode=0x0) [0104.058] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.059] GetLastError () returned 0x0 [0104.059] GetLastError () returned 0x0 [0104.059] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3fb1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.059] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.059] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x40b1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.059] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3902ff01, dwHighDateTime=0x1d5f971)) [0104.059] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0104.059] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0104.059] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.059] GetProcessHeap () returned 0xbc0000 [0104.059] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3eb1) returned 0xbf1630 [0104.059] GetSystemDefaultLangID () returned 0xbd0409 [0104.059] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.059] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x3eb1, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x3eb1, lpOverlapped=0x0) returned 1 [0104.060] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.060] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x3eb1, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x3eb1, lpOverlapped=0x0) returned 1 [0104.060] GetProcessHeap () returned 0xbc0000 [0104.060] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.060] CloseHandle (hObject=0x26c) returned 1 [0104.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0104.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0104.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0104.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.060] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0104.061] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\UceILDLIzRJdrP.mkv" (normalized: "c:\\users\\fd1hvy\\desktop\\uceildlizrjdrp.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\UceILDLIzRJdrP.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\uceildlizrjdrp.mkv.nefilim")) returned 1 [0104.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0104.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0104.061] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56106d00, ftCreationTime.dwHighDateTime=0x1d5f073, ftLastAccessTime.dwLowDateTime=0xceea0e40, ftLastAccessTime.dwHighDateTime=0x1d5e4a5, ftLastWriteTime.dwLowDateTime=0xceea0e40, ftLastWriteTime.dwHighDateTime=0x1d5e4a5, nFileSizeHigh=0x0, nFileSizeLow=0xbe9f, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="V6bhgOynmwsRdcnPnqX.mp3", cAlternateFileName="V6BHGO~1.MP3")) returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2=".") returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="..") returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="...") returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="windows") returned -1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="$RECYCLE.BIN") returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="rsa") returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="NTDETECT.COM") returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="ntldr") returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="MSDOS.SYS") returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="IO.SYS") returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="boot.ini") returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="ntuser.dat") returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="desktop.ini") returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="CONFIG.SYS") returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="RECYCLER") returned 1 [0104.061] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="BOOTSECT.BAK") returned 1 [0104.115] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="bootmgr") returned 1 [0104.115] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="programdata") returned 1 [0104.115] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="appdata") returned 1 [0104.115] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="program files") returned 1 [0104.115] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="program files (x86)") returned 1 [0104.115] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="microsoft") returned 1 [0104.115] lstrcmpiW (lpString1="V6bhgOynmwsRdcnPnqX.mp3", lpString2="sophos") returned 1 [0104.115] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0104.116] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.116] PathFindExtensionW (pszPath="V6bhgOynmwsRdcnPnqX.mp3") returned=".mp3" [0104.116] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0104.116] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0104.116] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0104.116] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0104.116] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0104.116] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0104.116] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0104.116] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0104.116] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0104.116] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0104.116] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0104.116] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8db03230, ftCreationTime.dwHighDateTime=0x1d5e2aa, ftLastAccessTime.dwLowDateTime=0xa7f5870, ftLastAccessTime.dwHighDateTime=0x1d5e1d1, ftLastWriteTime.dwLowDateTime=0xa7f5870, ftLastWriteTime.dwHighDateTime=0x1d5e1d1, nFileSizeHigh=0x0, nFileSizeLow=0xd124, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="XLzsnsx_MXjyX.wav", cAlternateFileName="XLZSNS~1.WAV")) returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2=".") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="..") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="...") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="windows") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="$RECYCLE.BIN") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="rsa") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="NTDETECT.COM") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="ntldr") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="MSDOS.SYS") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="IO.SYS") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="boot.ini") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="AUTOEXEC.BAT") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="ntuser.dat") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="desktop.ini") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="CONFIG.SYS") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="RECYCLER") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="BOOTSECT.BAK") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="bootmgr") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="programdata") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="appdata") returned 1 [0104.116] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="program files") returned 1 [0104.117] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="program files (x86)") returned 1 [0104.117] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="microsoft") returned 1 [0104.117] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="sophos") returned 1 [0104.117] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0104.117] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0104.117] PathFindExtensionW (pszPath="XLzsnsx_MXjyX.wav") returned=".wav" [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0104.117] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0104.117] lstrcmpiW (lpString1="XLzsnsx_MXjyX.wav", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0104.117] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680508 [0104.117] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\XLzsnsx_MXjyX.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\xlzsnsx_mxjyx.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.118] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=53540) returned 1 [0104.119] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.119] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.119] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.119] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.119] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0104.119] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0104.119] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.119] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.119] GetTickCount () returned 0x115b2e1 [0104.119] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0104.119] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0104.119] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd124, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.119] SetLastError (dwErrCode=0x0) [0104.120] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.121] GetLastError () returned 0x0 [0104.121] GetLastError () returned 0x0 [0104.121] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd224, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.121] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.121] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd324, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.121] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x390c86c9, dwHighDateTime=0x1d5f971)) [0104.121] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0104.121] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0104.121] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.121] GetProcessHeap () returned 0xbc0000 [0104.121] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xd124) returned 0xbf1630 [0104.121] GetSystemDefaultLangID () returned 0xbd0409 [0104.121] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.121] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xd124, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xd124, lpOverlapped=0x0) returned 1 [0104.124] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.124] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xd124, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xd124, lpOverlapped=0x0) returned 1 [0104.125] GetProcessHeap () returned 0xbc0000 [0104.125] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.126] CloseHandle (hObject=0x26c) returned 1 [0104.126] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0104.126] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0104.126] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.126] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.126] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0104.126] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\XLzsnsx_MXjyX.wav" (normalized: "c:\\users\\fd1hvy\\desktop\\xlzsnsx_mxjyx.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\XLzsnsx_MXjyX.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\xlzsnsx_mxjyx.wav.nefilim")) returned 1 [0104.127] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0104.127] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0104.127] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc04d0110, ftCreationTime.dwHighDateTime=0x1d5e146, ftLastAccessTime.dwLowDateTime=0xd7266c50, ftLastAccessTime.dwHighDateTime=0x1d5e7a4, ftLastWriteTime.dwLowDateTime=0xd7266c50, ftLastWriteTime.dwHighDateTime=0x1d5e7a4, nFileSizeHigh=0x0, nFileSizeLow=0x1387b, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="_q1s4Nsj.flv", cAlternateFileName="")) returned 1 [0104.127] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2=".") returned 1 [0104.127] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="..") returned 1 [0104.127] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="...") returned 1 [0104.127] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="windows") returned -1 [0104.127] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="$RECYCLE.BIN") returned 1 [0104.127] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="rsa") returned -1 [0104.127] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="NTDETECT.COM") returned -1 [0104.127] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="ntldr") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="MSDOS.SYS") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="IO.SYS") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="boot.ini") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="AUTOEXEC.BAT") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="ntuser.dat") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="desktop.ini") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="CONFIG.SYS") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="RECYCLER") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="BOOTSECT.BAK") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="bootmgr") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="programdata") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="appdata") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="program files") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="program files (x86)") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="microsoft") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="sophos") returned -1 [0104.128] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0104.128] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.128] PathFindExtensionW (pszPath="_q1s4Nsj.flv") returned=".flv" [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0104.128] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0104.128] lstrcmpiW (lpString1="_q1s4Nsj.flv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.129] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680508 [0104.129] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\_q1s4Nsj.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\_q1s4nsj.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.129] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=79995) returned 1 [0104.129] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.129] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.129] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.129] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.129] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0104.129] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0104.129] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.131] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.132] GetTickCount () returned 0x115b2f1 [0104.132] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0104.132] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0104.132] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1387b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.132] SetLastError (dwErrCode=0x0) [0104.132] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.133] GetLastError () returned 0x0 [0104.133] GetLastError () returned 0x0 [0104.133] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1397b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.133] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.133] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x13a7b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.133] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x390eeae0, dwHighDateTime=0x1d5f971)) [0104.133] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0104.133] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0104.133] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.133] GetProcessHeap () returned 0xbc0000 [0104.133] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1387b) returned 0xbf1630 [0104.133] GetSystemDefaultLangID () returned 0xbd0409 [0104.133] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.133] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x1387b, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x1387b, lpOverlapped=0x0) returned 1 [0104.138] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.138] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x1387b, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x1387b, lpOverlapped=0x0) returned 1 [0104.138] GetProcessHeap () returned 0xbc0000 [0104.138] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.138] CloseHandle (hObject=0x26c) returned 1 [0104.138] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0104.138] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0104.138] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.138] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.139] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0104.139] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\_q1s4Nsj.flv" (normalized: "c:\\users\\fd1hvy\\desktop\\_q1s4nsj.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\_q1s4Nsj.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\_q1s4nsj.flv.nefilim")) returned 1 [0104.139] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.139] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0104.139] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b0ea5e0, ftCreationTime.dwHighDateTime=0x1d5ef9b, ftLastAccessTime.dwLowDateTime=0x14a474b0, ftLastAccessTime.dwHighDateTime=0x1d5ec18, ftLastWriteTime.dwLowDateTime=0x14a474b0, ftLastWriteTime.dwHighDateTime=0x1d5ec18, nFileSizeHigh=0x0, nFileSizeLow=0x60f2, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="_whK72yh8hi.png", cAlternateFileName="_WHK72~1.PNG")) returned 1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2=".") returned 1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="..") returned 1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="...") returned 1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="windows") returned -1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="$RECYCLE.BIN") returned 1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="rsa") returned -1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="NTDETECT.COM") returned -1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="ntldr") returned -1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="MSDOS.SYS") returned -1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="IO.SYS") returned -1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="boot.ini") returned -1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="AUTOEXEC.BAT") returned -1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="ntuser.dat") returned -1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="desktop.ini") returned -1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="CONFIG.SYS") returned -1 [0104.139] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="RECYCLER") returned -1 [0104.140] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="BOOTSECT.BAK") returned -1 [0104.140] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="bootmgr") returned -1 [0104.140] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="programdata") returned -1 [0104.140] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="appdata") returned -1 [0104.140] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="program files") returned -1 [0104.140] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="program files (x86)") returned -1 [0104.140] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="microsoft") returned -1 [0104.140] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="sophos") returned -1 [0104.140] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680508 [0104.140] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0104.140] PathFindExtensionW (pszPath="_whK72yh8hi.png") returned=".png" [0104.140] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0104.140] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0104.140] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0104.140] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0104.140] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0104.140] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0104.140] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0104.140] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0104.140] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0104.140] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0104.140] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0104.140] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0104.140] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0104.140] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0104.141] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0104.141] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0104.141] lstrcmpiW (lpString1="_whK72yh8hi.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.141] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0104.141] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\_whK72yh8hi.png" (normalized: "c:\\users\\fd1hvy\\desktop\\_whk72yh8hi.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.141] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=24818) returned 1 [0104.141] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0104.141] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.141] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0104.141] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.141] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0104.141] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0104.141] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.142] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.143] GetTickCount () returned 0x115b300 [0104.143] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0104.143] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0104.143] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x60f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.143] SetLastError (dwErrCode=0x0) [0104.143] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.144] GetLastError () returned 0x0 [0104.144] GetLastError () returned 0x0 [0104.144] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x61f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.144] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.144] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x62f2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.144] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x39114b63, dwHighDateTime=0x1d5f971)) [0104.144] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680560 [0104.144] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680560 | out: hHeap=0x2680000) returned 1 [0104.144] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.145] GetProcessHeap () returned 0xbc0000 [0104.145] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x60f2) returned 0xbf1630 [0104.145] GetSystemDefaultLangID () returned 0xbd0409 [0104.145] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.145] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x60f2, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x60f2, lpOverlapped=0x0) returned 1 [0104.146] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.146] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x60f2, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x60f2, lpOverlapped=0x0) returned 1 [0104.146] GetProcessHeap () returned 0xbc0000 [0104.146] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.146] CloseHandle (hObject=0x26c) returned 1 [0104.146] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0104.146] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0104.146] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0104.146] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.146] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0104.146] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Desktop\\_whK72yh8hi.png" (normalized: "c:\\users\\fd1hvy\\desktop\\_whk72yh8hi.png"), lpNewFileName="C:\\Users\\FD1HVy\\Desktop\\_whK72yh8hi.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\desktop\\_whk72yh8hi.png.nefilim")) returned 1 [0104.147] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.147] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0104.147] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b0ea5e0, ftCreationTime.dwHighDateTime=0x1d5ef9b, ftLastAccessTime.dwLowDateTime=0x14a474b0, ftLastAccessTime.dwHighDateTime=0x1d5ec18, ftLastWriteTime.dwLowDateTime=0x14a474b0, ftLastWriteTime.dwHighDateTime=0x1d5ec18, nFileSizeHigh=0x0, nFileSizeLow=0x60f2, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="_whK72yh8hi.png", cAlternateFileName="_WHK72~1.PNG")) returned 0 [0104.147] FindClose (in: hFindFile=0xbe2888 | out: hFindFile=0xbe2888) returned 1 [0104.147] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680508 | out: hHeap=0x2680000) returned 1 [0104.147] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0104.147] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0104.147] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe55eaee3, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe55eaee3, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0104.147] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0104.147] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0104.147] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0104.147] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0104.147] lstrcmpiW (lpString1="Documents", lpString2="$RECYCLE.BIN") returned 1 [0104.147] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0104.147] lstrcmpiW (lpString1="Documents", lpString2="NTDETECT.COM") returned -1 [0104.147] lstrcmpiW (lpString1="Documents", lpString2="ntldr") returned -1 [0104.147] lstrcmpiW (lpString1="Documents", lpString2="MSDOS.SYS") returned -1 [0104.147] lstrcmpiW (lpString1="Documents", lpString2="IO.SYS") returned -1 [0104.147] lstrcmpiW (lpString1="Documents", lpString2="boot.ini") returned 1 [0104.148] lstrcmpiW (lpString1="Documents", lpString2="AUTOEXEC.BAT") returned 1 [0104.148] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0104.148] lstrcmpiW (lpString1="Documents", lpString2="desktop.ini") returned 1 [0104.148] lstrcmpiW (lpString1="Documents", lpString2="CONFIG.SYS") returned 1 [0104.148] lstrcmpiW (lpString1="Documents", lpString2="RECYCLER") returned -1 [0104.148] lstrcmpiW (lpString1="Documents", lpString2="BOOTSECT.BAK") returned 1 [0104.148] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0104.148] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0104.148] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0104.148] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0104.148] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0104.148] lstrcmpiW (lpString1="Documents", lpString2="microsoft") returned -1 [0104.148] lstrcmpiW (lpString1="Documents", lpString2="sophos") returned -1 [0104.148] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0104.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.148] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0104.148] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0104.148] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0104.148] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe55eaee3, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe55eaee3, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName=".", cAlternateFileName="")) returned 0xbe2a48 [0104.148] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0104.148] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe55eaee3, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe55eaee3, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="..", cAlternateFileName="")) returned 1 [0104.148] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0104.148] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0104.148] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5d9b6a30, ftCreationTime.dwHighDateTime=0x1d5dede, ftLastAccessTime.dwLowDateTime=0xb3adb40, ftLastAccessTime.dwHighDateTime=0x1d59659, ftLastWriteTime.dwLowDateTime=0xb3adb40, ftLastWriteTime.dwHighDateTime=0x1d59659, nFileSizeHigh=0x0, nFileSizeLow=0x3030, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="0IIczKQ.docx", cAlternateFileName="0IICZK~1.DOC")) returned 1 [0104.148] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2=".") returned 1 [0104.148] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="..") returned 1 [0104.148] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="...") returned 1 [0104.148] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="windows") returned -1 [0104.148] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="$RECYCLE.BIN") returned 1 [0104.148] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="rsa") returned -1 [0104.148] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="NTDETECT.COM") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="ntldr") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="MSDOS.SYS") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="IO.SYS") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="boot.ini") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="AUTOEXEC.BAT") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="ntuser.dat") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="desktop.ini") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="CONFIG.SYS") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="RECYCLER") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="BOOTSECT.BAK") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="bootmgr") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="programdata") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="appdata") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="program files") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="program files (x86)") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="microsoft") returned -1 [0104.149] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="sophos") returned -1 [0104.149] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680500 [0104.149] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.149] PathFindExtensionW (pszPath="0IIczKQ.docx") returned=".docx" [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0104.149] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0104.150] lstrcmpiW (lpString1="0IIczKQ.docx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0104.150] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\0IIczKQ.docx" (normalized: "c:\\users\\fd1hvy\\documents\\0iiczkq.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.150] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=12336) returned 1 [0104.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.150] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.150] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0104.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0104.150] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.150] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.150] GetTickCount () returned 0x115b300 [0104.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e7a0 [0104.150] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e7a0 | out: hHeap=0x2680000) returned 1 [0104.150] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3030, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.151] SetLastError (dwErrCode=0x0) [0104.151] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.151] GetLastError () returned 0x0 [0104.151] GetLastError () returned 0x0 [0104.151] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3130, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.151] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.152] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3230, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.152] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x39114b63, dwHighDateTime=0x1d5f971)) [0104.152] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0104.152] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.152] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.152] GetProcessHeap () returned 0xbc0000 [0104.152] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3030) returned 0xbf1630 [0104.152] GetSystemDefaultLangID () returned 0xbd0409 [0104.152] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.152] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x3030, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x3030, lpOverlapped=0x0) returned 1 [0104.152] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.153] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x3030, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x3030, lpOverlapped=0x0) returned 1 [0104.153] GetProcessHeap () returned 0xbc0000 [0104.153] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.153] CloseHandle (hObject=0x26c) returned 1 [0104.153] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0104.153] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0104.153] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.153] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.153] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e340 [0104.153] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\0IIczKQ.docx" (normalized: "c:\\users\\fd1hvy\\documents\\0iiczkq.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\0IIczKQ.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\0iiczkq.docx.nefilim")) returned 1 [0104.153] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0104.153] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.153] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79a20b70, ftCreationTime.dwHighDateTime=0x1d5ea6f, ftLastAccessTime.dwLowDateTime=0x927775f0, ftLastAccessTime.dwHighDateTime=0x1d5ee29, ftLastWriteTime.dwLowDateTime=0x927775f0, ftLastWriteTime.dwHighDateTime=0x1d5ee29, nFileSizeHigh=0x0, nFileSizeLow=0x1695d, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="6jndOuUthd_r9H0HkjwW.ppt", cAlternateFileName="6JNDOU~1.PPT")) returned 1 [0104.153] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2=".") returned 1 [0104.153] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="..") returned 1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="...") returned 1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="windows") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="$RECYCLE.BIN") returned 1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="rsa") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="NTDETECT.COM") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="ntldr") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="MSDOS.SYS") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="IO.SYS") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="boot.ini") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="AUTOEXEC.BAT") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="ntuser.dat") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="desktop.ini") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="CONFIG.SYS") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="RECYCLER") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="BOOTSECT.BAK") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="bootmgr") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="programdata") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="appdata") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="program files") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="program files (x86)") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="microsoft") returned -1 [0104.154] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="sophos") returned -1 [0104.154] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0104.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0104.154] PathFindExtensionW (pszPath="6jndOuUthd_r9H0HkjwW.ppt") returned=".ppt" [0104.154] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0104.154] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0104.154] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0104.154] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0104.154] lstrcmpiW (lpString1=".ppt", lpString2=".com") returned 1 [0104.154] lstrcmpiW (lpString1=".ppt", lpString2=".cpl") returned 1 [0104.154] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0104.154] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0104.154] lstrcmpiW (lpString1=".ppt", lpString2=".url") returned -1 [0104.154] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0104.155] lstrcmpiW (lpString1=".ppt", lpString2=".mp3") returned 1 [0104.155] lstrcmpiW (lpString1=".ppt", lpString2=".pif") returned 1 [0104.155] lstrcmpiW (lpString1=".ppt", lpString2=".mp4") returned 1 [0104.155] lstrcmpiW (lpString1=".ppt", lpString2=".NEFILIM") returned 1 [0104.155] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0104.155] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0104.155] lstrcmpiW (lpString1="6jndOuUthd_r9H0HkjwW.ppt", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.155] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e360 [0104.155] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\6jndOuUthd_r9H0HkjwW.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\6jndouuthd_r9h0hkjww.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.155] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=92509) returned 1 [0104.155] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.155] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.155] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.155] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.155] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0104.155] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0104.155] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.206] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.206] GetTickCount () returned 0x115b33f [0104.206] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0104.206] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0104.206] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1695d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.206] SetLastError (dwErrCode=0x0) [0104.206] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.207] GetLastError () returned 0x0 [0104.207] GetLastError () returned 0x0 [0104.207] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16a5d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.207] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.207] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16b5d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.207] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x391ad45d, dwHighDateTime=0x1d5f971)) [0104.207] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0104.207] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.207] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.207] GetProcessHeap () returned 0xbc0000 [0104.207] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1695d) returned 0xbf1630 [0104.207] GetSystemDefaultLangID () returned 0xbd0409 [0104.207] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.207] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x1695d, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x1695d, lpOverlapped=0x0) returned 1 [0104.212] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.213] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x1695d, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x1695d, lpOverlapped=0x0) returned 1 [0104.213] GetProcessHeap () returned 0xbc0000 [0104.213] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.213] CloseHandle (hObject=0x26c) returned 1 [0104.213] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0104.213] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0104.213] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.213] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.213] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0104.213] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\6jndOuUthd_r9H0HkjwW.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\6jndouuthd_r9h0hkjww.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\6jndOuUthd_r9H0HkjwW.ppt.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\6jndouuthd_r9h0hkjww.ppt.nefilim")) returned 1 [0104.214] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.214] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0104.214] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a817860, ftCreationTime.dwHighDateTime=0x1d578f6, ftLastAccessTime.dwLowDateTime=0x1f989bd0, ftLastAccessTime.dwHighDateTime=0x1d58584, ftLastWriteTime.dwLowDateTime=0x1f989bd0, ftLastWriteTime.dwHighDateTime=0x1d58584, nFileSizeHigh=0x0, nFileSizeLow=0x105bc, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="avJ4t4nIg ueZO_Jccgn.docx", cAlternateFileName="AVJ4T4~1.DOC")) returned 1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2=".") returned 1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="..") returned 1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="...") returned 1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="windows") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="$RECYCLE.BIN") returned 1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="rsa") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="NTDETECT.COM") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="ntldr") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="MSDOS.SYS") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="IO.SYS") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="boot.ini") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="AUTOEXEC.BAT") returned 1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="ntuser.dat") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="desktop.ini") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="CONFIG.SYS") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="RECYCLER") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="BOOTSECT.BAK") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="bootmgr") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="programdata") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="appdata") returned 1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="program files") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="program files (x86)") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="microsoft") returned -1 [0104.214] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="sophos") returned -1 [0104.214] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e360 [0104.215] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.215] PathFindExtensionW (pszPath="avJ4t4nIg ueZO_Jccgn.docx") returned=".docx" [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0104.215] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0104.215] lstrcmpiW (lpString1="avJ4t4nIg ueZO_Jccgn.docx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.215] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0104.215] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\avJ4t4nIg ueZO_Jccgn.docx" (normalized: "c:\\users\\fd1hvy\\documents\\avj4t4nig uezo_jccgn.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.215] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=67004) returned 1 [0104.215] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.215] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.215] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.215] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.215] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0104.215] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0104.215] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.216] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.217] GetTickCount () returned 0x115b33f [0104.217] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0104.217] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0104.217] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x105bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.217] SetLastError (dwErrCode=0x0) [0104.217] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.219] GetLastError () returned 0x0 [0104.219] GetLastError () returned 0x0 [0104.219] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x106bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.219] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.219] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x107bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.219] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x391d3875, dwHighDateTime=0x1d5f971)) [0104.219] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0104.219] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.219] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.219] GetProcessHeap () returned 0xbc0000 [0104.219] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x105bc) returned 0xbf1630 [0104.220] GetSystemDefaultLangID () returned 0xbd0409 [0104.220] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.220] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x105bc, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x105bc, lpOverlapped=0x0) returned 1 [0104.224] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.224] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x105bc, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x105bc, lpOverlapped=0x0) returned 1 [0104.224] GetProcessHeap () returned 0xbc0000 [0104.224] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.224] CloseHandle (hObject=0x26c) returned 1 [0104.224] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0104.224] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0104.224] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.224] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.224] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0104.224] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\avJ4t4nIg ueZO_Jccgn.docx" (normalized: "c:\\users\\fd1hvy\\documents\\avj4t4nig uezo_jccgn.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\avJ4t4nIg ueZO_Jccgn.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\avj4t4nig uezo_jccgn.docx.nefilim")) returned 1 [0104.225] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.225] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.225] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3340555c, ftCreationTime.dwHighDateTime=0x1d327b6, ftLastAccessTime.dwLowDateTime=0x3396299d, ftLastAccessTime.dwHighDateTime=0x1d327b6, ftLastWriteTime.dwLowDateTime=0x9daec75b, ftLastWriteTime.dwHighDateTime=0x1d3aafb, nFileSizeHigh=0x0, nFileSizeLow=0x55000, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="Database1.accdb", cAlternateFileName="DATABA~1.ACC")) returned 1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2=".") returned 1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2="..") returned 1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2="...") returned 1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2="windows") returned -1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2="$RECYCLE.BIN") returned 1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2="rsa") returned -1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2="NTDETECT.COM") returned -1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2="ntldr") returned -1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2="MSDOS.SYS") returned -1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2="IO.SYS") returned -1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2="boot.ini") returned 1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2="AUTOEXEC.BAT") returned 1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2="ntuser.dat") returned -1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2="desktop.ini") returned -1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2="CONFIG.SYS") returned 1 [0104.225] lstrcmpiW (lpString1="Database1.accdb", lpString2="RECYCLER") returned -1 [0104.226] lstrcmpiW (lpString1="Database1.accdb", lpString2="BOOTSECT.BAK") returned 1 [0104.226] lstrcmpiW (lpString1="Database1.accdb", lpString2="bootmgr") returned 1 [0104.226] lstrcmpiW (lpString1="Database1.accdb", lpString2="programdata") returned -1 [0104.226] lstrcmpiW (lpString1="Database1.accdb", lpString2="appdata") returned 1 [0104.226] lstrcmpiW (lpString1="Database1.accdb", lpString2="program files") returned -1 [0104.226] lstrcmpiW (lpString1="Database1.accdb", lpString2="program files (x86)") returned -1 [0104.226] lstrcmpiW (lpString1="Database1.accdb", lpString2="microsoft") returned -1 [0104.226] lstrcmpiW (lpString1="Database1.accdb", lpString2="sophos") returned -1 [0104.226] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0104.226] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0104.226] PathFindExtensionW (pszPath="Database1.accdb") returned=".accdb" [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".exe") returned -1 [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".log") returned -1 [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".cab") returned -1 [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".cmd") returned -1 [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".com") returned -1 [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".cpl") returned -1 [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".ini") returned -1 [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".dll") returned -1 [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".url") returned -1 [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".ttf") returned -1 [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".mp3") returned -1 [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".pif") returned -1 [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".mp4") returned -1 [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".NEFILIM") returned -1 [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".msi") returned -1 [0104.226] lstrcmpiW (lpString1=".accdb", lpString2=".lnk") returned -1 [0104.226] lstrcmpiW (lpString1="Database1.accdb", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.226] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e350 [0104.226] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.227] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=348160) returned 1 [0104.227] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.227] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.227] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.227] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.227] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0104.227] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0104.227] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.228] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.229] GetTickCount () returned 0x115b34f [0104.229] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e688 [0104.229] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0104.229] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x55000, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.229] SetLastError (dwErrCode=0x0) [0104.229] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.230] GetLastError () returned 0x0 [0104.230] GetLastError () returned 0x0 [0104.230] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x55100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.231] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.231] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x55200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.231] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x391d3875, dwHighDateTime=0x1d5f971)) [0104.231] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0104.231] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.231] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.231] GetProcessHeap () returned 0xbc0000 [0104.231] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x55000) returned 0xbf1630 [0104.232] GetSystemDefaultLangID () returned 0xbd0409 [0104.232] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.232] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x55000, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x55000, lpOverlapped=0x0) returned 1 [0104.314] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.314] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x55000, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x55000, lpOverlapped=0x0) returned 1 [0104.315] GetProcessHeap () returned 0xbc0000 [0104.315] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.318] CloseHandle (hObject=0x26c) returned 1 [0104.318] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0104.318] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0104.318] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.318] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.318] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0104.318] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\Database1.accdb.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\database1.accdb.nefilim")) returned 1 [0104.319] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.319] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0104.319] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x86487c20, ftCreationTime.dwHighDateTime=0x1d5801a, ftLastAccessTime.dwLowDateTime=0x84fe4000, ftLastAccessTime.dwHighDateTime=0x1d58b2a, ftLastWriteTime.dwLowDateTime=0x84fe4000, ftLastWriteTime.dwHighDateTime=0x1d58b2a, nFileSizeHigh=0x0, nFileSizeLow=0x5852, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="dDxtabW-7BjsL.docx", cAlternateFileName="DDXTAB~1.DOC")) returned 1 [0104.319] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2=".") returned 1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="..") returned 1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="...") returned 1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="windows") returned -1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="$RECYCLE.BIN") returned 1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="rsa") returned -1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="NTDETECT.COM") returned -1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="ntldr") returned -1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="MSDOS.SYS") returned -1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="IO.SYS") returned -1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="boot.ini") returned 1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="AUTOEXEC.BAT") returned 1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="ntuser.dat") returned -1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="desktop.ini") returned -1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="CONFIG.SYS") returned 1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="RECYCLER") returned -1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="BOOTSECT.BAK") returned 1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="bootmgr") returned 1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="programdata") returned -1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="appdata") returned 1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="program files") returned -1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="program files (x86)") returned -1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="microsoft") returned -1 [0104.320] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="sophos") returned -1 [0104.320] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e350 [0104.320] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.320] PathFindExtensionW (pszPath="dDxtabW-7BjsL.docx") returned=".docx" [0104.320] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0104.320] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0104.320] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0104.320] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0104.320] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0104.320] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0104.320] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0104.320] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0104.320] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0104.321] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0104.321] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0104.321] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0104.321] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0104.321] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0104.321] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0104.321] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0104.321] lstrcmpiW (lpString1="dDxtabW-7BjsL.docx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.321] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0104.321] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\dDxtabW-7BjsL.docx" (normalized: "c:\\users\\fd1hvy\\documents\\ddxtabw-7bjsl.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.321] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=22610) returned 1 [0104.321] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.321] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.321] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.321] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.321] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0104.321] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0104.321] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.322] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.322] GetTickCount () returned 0x115b3ac [0104.322] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0104.322] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0104.322] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5852, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.322] SetLastError (dwErrCode=0x0) [0104.322] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.323] GetLastError () returned 0x0 [0104.323] GetLastError () returned 0x0 [0104.323] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5952, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.323] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.323] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5a52, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.323] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x392b85c6, dwHighDateTime=0x1d5f971)) [0104.323] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0104.323] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.323] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.323] GetProcessHeap () returned 0xbc0000 [0104.323] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x5852) returned 0xbf1630 [0104.323] GetSystemDefaultLangID () returned 0xbd0409 [0104.323] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.324] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x5852, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x5852, lpOverlapped=0x0) returned 1 [0104.325] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.325] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x5852, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x5852, lpOverlapped=0x0) returned 1 [0104.325] GetProcessHeap () returned 0xbc0000 [0104.325] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.325] CloseHandle (hObject=0x26c) returned 1 [0104.325] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0104.325] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0104.325] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.325] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.325] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0104.325] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\dDxtabW-7BjsL.docx" (normalized: "c:\\users\\fd1hvy\\documents\\ddxtabw-7bjsl.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\dDxtabW-7BjsL.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ddxtabw-7bjsl.docx.nefilim")) returned 1 [0104.326] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.326] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.326] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440c5760, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440c5760, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce494f1d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0104.326] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0104.326] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0104.326] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0104.326] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0104.326] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0104.326] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0104.326] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0104.326] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0104.326] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0104.326] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0104.326] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0104.326] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0104.326] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0104.326] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0104.326] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4ce69870, ftCreationTime.dwHighDateTime=0x1d5e723, ftLastAccessTime.dwLowDateTime=0xf50b0a60, ftLastAccessTime.dwHighDateTime=0x1d5eca8, ftLastWriteTime.dwLowDateTime=0xf50b0a60, ftLastWriteTime.dwHighDateTime=0x1d5eca8, nFileSizeHigh=0x0, nFileSizeLow=0x4e2c, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="Eut97Pa3.docx", cAlternateFileName="EUT97P~1.DOC")) returned 1 [0104.326] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2=".") returned 1 [0104.326] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="..") returned 1 [0104.326] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="...") returned 1 [0104.326] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="windows") returned -1 [0104.326] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="$RECYCLE.BIN") returned 1 [0104.326] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="rsa") returned -1 [0104.326] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="NTDETECT.COM") returned -1 [0104.326] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="ntldr") returned -1 [0104.326] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="MSDOS.SYS") returned -1 [0104.326] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="IO.SYS") returned -1 [0104.326] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="boot.ini") returned 1 [0104.326] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="AUTOEXEC.BAT") returned 1 [0104.326] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="ntuser.dat") returned -1 [0104.326] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="desktop.ini") returned 1 [0104.327] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="CONFIG.SYS") returned 1 [0104.327] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="RECYCLER") returned -1 [0104.327] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="BOOTSECT.BAK") returned 1 [0104.327] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="bootmgr") returned 1 [0104.327] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="programdata") returned -1 [0104.327] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="appdata") returned 1 [0104.327] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="program files") returned -1 [0104.327] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="program files (x86)") returned -1 [0104.327] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="microsoft") returned -1 [0104.327] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="sophos") returned -1 [0104.327] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0104.327] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0104.327] PathFindExtensionW (pszPath="Eut97Pa3.docx") returned=".docx" [0104.327] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0104.327] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0104.327] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0104.327] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0104.327] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0104.327] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0104.327] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0104.327] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0104.327] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0104.328] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0104.328] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0104.328] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0104.328] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0104.328] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0104.328] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0104.328] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0104.328] lstrcmpiW (lpString1="Eut97Pa3.docx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.328] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0104.328] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Eut97Pa3.docx" (normalized: "c:\\users\\fd1hvy\\documents\\eut97pa3.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.328] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=20012) returned 1 [0104.328] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.328] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.329] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.329] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.329] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0104.329] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0104.329] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.329] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.329] GetTickCount () returned 0x115b3bc [0104.329] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0104.329] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0104.329] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4e2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.329] SetLastError (dwErrCode=0x0) [0104.329] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.330] GetLastError () returned 0x0 [0104.330] GetLastError () returned 0x0 [0104.330] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4f2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.330] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.330] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x502c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.330] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x392de768, dwHighDateTime=0x1d5f971)) [0104.330] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e398 [0104.330] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0104.330] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.331] GetProcessHeap () returned 0xbc0000 [0104.331] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x4e2c) returned 0xbf1630 [0104.331] GetSystemDefaultLangID () returned 0xbd0409 [0104.331] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.331] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x4e2c, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x4e2c, lpOverlapped=0x0) returned 1 [0104.332] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.332] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x4e2c, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x4e2c, lpOverlapped=0x0) returned 1 [0104.332] GetProcessHeap () returned 0xbc0000 [0104.332] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.332] CloseHandle (hObject=0x26c) returned 1 [0104.332] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0104.332] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0104.332] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.332] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.332] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0104.332] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\Eut97Pa3.docx" (normalized: "c:\\users\\fd1hvy\\documents\\eut97pa3.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\Eut97Pa3.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\eut97pa3.docx.nefilim")) returned 1 [0104.332] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.333] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0104.333] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x153d19e0, ftCreationTime.dwHighDateTime=0x1d59763, ftLastAccessTime.dwLowDateTime=0x329f2a10, ftLastAccessTime.dwHighDateTime=0x1d5941a, ftLastWriteTime.dwLowDateTime=0x329f2a10, ftLastWriteTime.dwHighDateTime=0x1d5941a, nFileSizeHigh=0x0, nFileSizeLow=0xf42, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="F8yoqms.pptx", cAlternateFileName="F8YOQM~1.PPT")) returned 1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2=".") returned 1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="..") returned 1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="...") returned 1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="windows") returned -1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="$RECYCLE.BIN") returned 1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="rsa") returned -1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="NTDETECT.COM") returned -1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="ntldr") returned -1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="MSDOS.SYS") returned -1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="IO.SYS") returned -1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="boot.ini") returned 1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="ntuser.dat") returned -1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="desktop.ini") returned 1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="CONFIG.SYS") returned 1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="RECYCLER") returned -1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="BOOTSECT.BAK") returned 1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="bootmgr") returned 1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="programdata") returned -1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="appdata") returned 1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="program files") returned -1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="program files (x86)") returned -1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="microsoft") returned -1 [0104.333] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="sophos") returned -1 [0104.333] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0104.333] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.333] PathFindExtensionW (pszPath="F8yoqms.pptx") returned=".pptx" [0104.333] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0104.333] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0104.333] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0104.333] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0104.333] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0104.333] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0104.333] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0104.334] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0104.334] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0104.334] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0104.334] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0104.334] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0104.334] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0104.334] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0104.334] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0104.334] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0104.334] lstrcmpiW (lpString1="F8yoqms.pptx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.334] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0104.334] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\F8yoqms.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\f8yoqms.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.334] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=3906) returned 1 [0104.334] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.334] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.334] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.334] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.334] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0104.334] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0104.334] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.334] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.335] GetTickCount () returned 0x115b3bc [0104.335] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e688 [0104.335] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0104.335] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf42, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.335] SetLastError (dwErrCode=0x0) [0104.335] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.336] GetLastError () returned 0x0 [0104.336] GetLastError () returned 0x0 [0104.336] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1042, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.336] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.336] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1142, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.336] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x392de768, dwHighDateTime=0x1d5f971)) [0104.336] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e398 [0104.336] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0104.336] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.336] GetProcessHeap () returned 0xbc0000 [0104.336] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xf42) returned 0xbf1630 [0104.336] GetSystemDefaultLangID () returned 0xbd0409 [0104.336] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.336] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xf42, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xf42, lpOverlapped=0x0) returned 1 [0104.336] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.336] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xf42, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xf42, lpOverlapped=0x0) returned 1 [0104.337] GetProcessHeap () returned 0xbc0000 [0104.337] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.337] CloseHandle (hObject=0x26c) returned 1 [0104.337] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0104.337] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0104.337] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.337] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.337] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0104.337] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\F8yoqms.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\f8yoqms.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\F8yoqms.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\f8yoqms.pptx.nefilim")) returned 1 [0104.337] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.337] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.337] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbbce6180, ftCreationTime.dwHighDateTime=0x1d5b57a, ftLastAccessTime.dwLowDateTime=0x6f4d4d00, ftLastAccessTime.dwHighDateTime=0x1d57fdb, ftLastWriteTime.dwLowDateTime=0x6f4d4d00, ftLastWriteTime.dwHighDateTime=0x1d57fdb, nFileSizeHigh=0x0, nFileSizeLow=0x10494, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="FR0GHwLjyCrkW0aRJOvU.pptx", cAlternateFileName="FR0GHW~1.PPT")) returned 1 [0104.337] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2=".") returned 1 [0104.337] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="..") returned 1 [0104.337] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="...") returned 1 [0104.337] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="windows") returned -1 [0104.337] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="$RECYCLE.BIN") returned 1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="rsa") returned -1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="NTDETECT.COM") returned -1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="ntldr") returned -1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="MSDOS.SYS") returned -1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="IO.SYS") returned -1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="boot.ini") returned 1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="ntuser.dat") returned -1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="desktop.ini") returned 1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="CONFIG.SYS") returned 1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="RECYCLER") returned -1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="BOOTSECT.BAK") returned 1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="bootmgr") returned 1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="programdata") returned -1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="appdata") returned 1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="program files") returned -1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="program files (x86)") returned -1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="microsoft") returned -1 [0104.338] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="sophos") returned -1 [0104.338] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0104.338] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0104.338] PathFindExtensionW (pszPath="FR0GHwLjyCrkW0aRJOvU.pptx") returned=".pptx" [0104.338] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0104.338] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0104.338] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0104.338] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0104.338] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0104.338] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0104.338] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0104.338] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0104.338] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0104.338] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0104.338] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0104.338] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0104.339] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0104.339] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0104.339] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0104.339] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0104.339] lstrcmpiW (lpString1="FR0GHwLjyCrkW0aRJOvU.pptx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.339] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0104.339] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\FR0GHwLjyCrkW0aRJOvU.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\fr0ghwljycrkw0arjovu.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.339] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=66708) returned 1 [0104.339] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.339] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.339] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.339] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.339] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0104.339] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0104.339] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.339] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.340] GetTickCount () returned 0x115b3bc [0104.340] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e7a0 [0104.340] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e7a0 | out: hHeap=0x2680000) returned 1 [0104.340] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x10494, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.340] SetLastError (dwErrCode=0x0) [0104.340] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.340] GetLastError () returned 0x0 [0104.340] GetLastError () returned 0x0 [0104.340] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x10594, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.341] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.341] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x10694, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.341] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x392de768, dwHighDateTime=0x1d5f971)) [0104.341] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e2e8 [0104.341] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.341] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.341] GetProcessHeap () returned 0xbc0000 [0104.341] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10494) returned 0xbf1630 [0104.341] GetSystemDefaultLangID () returned 0xbd0409 [0104.341] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.341] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x10494, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x10494, lpOverlapped=0x0) returned 1 [0104.528] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.528] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x10494, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x10494, lpOverlapped=0x0) returned 1 [0104.529] GetProcessHeap () returned 0xbc0000 [0104.529] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.529] CloseHandle (hObject=0x26c) returned 1 [0104.529] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0104.529] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0104.529] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.529] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.529] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0104.529] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\FR0GHwLjyCrkW0aRJOvU.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\fr0ghwljycrkw0arjovu.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\FR0GHwLjyCrkW0aRJOvU.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\fr0ghwljycrkw0arjovu.pptx.nefilim")) returned 1 [0104.530] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.530] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0104.530] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84c18ba0, ftCreationTime.dwHighDateTime=0x1d5f034, ftLastAccessTime.dwLowDateTime=0x97aaa710, ftLastAccessTime.dwHighDateTime=0x1d5645c, ftLastWriteTime.dwLowDateTime=0x97aaa710, ftLastWriteTime.dwHighDateTime=0x1d5645c, nFileSizeHigh=0x0, nFileSizeLow=0x10735, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="FyhuiO T.xlsx", cAlternateFileName="FYHUIO~1.XLS")) returned 1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2=".") returned 1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="..") returned 1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="...") returned 1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="windows") returned -1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="rsa") returned -1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="NTDETECT.COM") returned -1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="ntldr") returned -1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="MSDOS.SYS") returned -1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="IO.SYS") returned -1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="boot.ini") returned 1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="ntuser.dat") returned -1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="desktop.ini") returned 1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="CONFIG.SYS") returned 1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="RECYCLER") returned -1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="bootmgr") returned 1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="programdata") returned -1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="appdata") returned 1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="program files") returned -1 [0104.530] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="program files (x86)") returned -1 [0104.531] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="microsoft") returned -1 [0104.531] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="sophos") returned -1 [0104.531] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680530 [0104.531] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.531] PathFindExtensionW (pszPath="FyhuiO T.xlsx") returned=".xlsx" [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0104.531] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0104.531] lstrcmpiW (lpString1="FyhuiO T.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.531] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0104.531] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\FyhuiO T.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\fyhuio t.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.531] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=67381) returned 1 [0104.531] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.531] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.531] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.532] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.532] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0104.532] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0104.532] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.532] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.532] GetTickCount () returned 0x115b477 [0104.532] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0104.532] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0104.532] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x10735, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.532] SetLastError (dwErrCode=0x0) [0104.532] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.533] GetLastError () returned 0x0 [0104.533] GetLastError () returned 0x0 [0104.533] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x10835, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.533] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.533] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x10935, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.533] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x394ca6f4, dwHighDateTime=0x1d5f971)) [0104.533] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e2e8 [0104.533] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.533] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.533] GetProcessHeap () returned 0xbc0000 [0104.533] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10735) returned 0xbf1630 [0104.533] GetSystemDefaultLangID () returned 0xbd0409 [0104.533] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.534] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x10735, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x10735, lpOverlapped=0x0) returned 1 [0104.537] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.537] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x10735, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x10735, lpOverlapped=0x0) returned 1 [0104.537] GetProcessHeap () returned 0xbc0000 [0104.537] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.537] CloseHandle (hObject=0x26c) returned 1 [0104.537] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0104.537] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0104.537] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.537] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.537] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0104.537] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\FyhuiO T.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\fyhuio t.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\FyhuiO T.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\fyhuio t.xlsx.nefilim")) returned 1 [0104.538] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.538] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.538] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x77ebb620, ftCreationTime.dwHighDateTime=0x1d5da9b, ftLastAccessTime.dwLowDateTime=0x2d20b270, ftLastAccessTime.dwHighDateTime=0x1d5a572, ftLastWriteTime.dwLowDateTime=0x2d20b270, ftLastWriteTime.dwHighDateTime=0x1d5a572, nFileSizeHigh=0x0, nFileSizeLow=0x5f6d, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="gs6iptpLOt0ZFYd1EV.pptx", cAlternateFileName="GS6IPT~1.PPT")) returned 1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2=".") returned 1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="..") returned 1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="...") returned 1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="windows") returned -1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="$RECYCLE.BIN") returned 1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="rsa") returned -1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="NTDETECT.COM") returned -1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="ntldr") returned -1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="MSDOS.SYS") returned -1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="IO.SYS") returned -1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="boot.ini") returned 1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="ntuser.dat") returned -1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="desktop.ini") returned 1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="CONFIG.SYS") returned 1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="RECYCLER") returned -1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="BOOTSECT.BAK") returned 1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="bootmgr") returned 1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="programdata") returned -1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="appdata") returned 1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="program files") returned -1 [0104.538] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="program files (x86)") returned -1 [0104.539] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="microsoft") returned -1 [0104.539] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="sophos") returned -1 [0104.539] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0104.539] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0104.539] PathFindExtensionW (pszPath="gs6iptpLOt0ZFYd1EV.pptx") returned=".pptx" [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0104.539] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0104.539] lstrcmpiW (lpString1="gs6iptpLOt0ZFYd1EV.pptx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.539] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0104.539] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\gs6iptpLOt0ZFYd1EV.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\gs6iptplot0zfyd1ev.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.539] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=24429) returned 1 [0104.539] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.539] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0104.539] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.539] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0104.539] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0104.539] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0104.540] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.540] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.540] GetTickCount () returned 0x115b477 [0104.540] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0104.540] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0104.540] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5f6d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.540] SetLastError (dwErrCode=0x0) [0104.540] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.541] GetLastError () returned 0x0 [0104.541] GetLastError () returned 0x0 [0104.541] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x606d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.541] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.541] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x616d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.541] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x394ca6f4, dwHighDateTime=0x1d5f971)) [0104.541] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e2e8 [0104.541] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.541] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.541] GetProcessHeap () returned 0xbc0000 [0104.541] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x5f6d) returned 0xbf1630 [0104.541] GetSystemDefaultLangID () returned 0xbd0409 [0104.541] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.541] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x5f6d, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x5f6d, lpOverlapped=0x0) returned 1 [0104.543] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.543] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x5f6d, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x5f6d, lpOverlapped=0x0) returned 1 [0104.543] GetProcessHeap () returned 0xbc0000 [0104.543] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.543] CloseHandle (hObject=0x26c) returned 1 [0104.543] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0104.543] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0104.543] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.543] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0104.543] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0104.543] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\gs6iptpLOt0ZFYd1EV.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\gs6iptplot0zfyd1ev.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\gs6iptpLOt0ZFYd1EV.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\gs6iptplot0zfyd1ev.pptx.nefilim")) returned 1 [0104.544] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.544] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0104.544] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fbb2540, ftCreationTime.dwHighDateTime=0x1d5e86e, ftLastAccessTime.dwLowDateTime=0x4500d960, ftLastAccessTime.dwHighDateTime=0x1d5e104, ftLastWriteTime.dwLowDateTime=0x4500d960, ftLastWriteTime.dwHighDateTime=0x1d5e104, nFileSizeHigh=0x0, nFileSizeLow=0x49d6, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="i5FKIwcJ-LzaunA_ 5.ppt", cAlternateFileName="I5FKIW~1.PPT")) returned 1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2=".") returned 1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="..") returned 1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="...") returned 1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="windows") returned -1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="$RECYCLE.BIN") returned 1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="rsa") returned -1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="NTDETECT.COM") returned -1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="ntldr") returned -1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="MSDOS.SYS") returned -1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="IO.SYS") returned -1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="boot.ini") returned 1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="AUTOEXEC.BAT") returned 1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="ntuser.dat") returned -1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="desktop.ini") returned 1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="CONFIG.SYS") returned 1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="RECYCLER") returned -1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="BOOTSECT.BAK") returned 1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="bootmgr") returned 1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="programdata") returned -1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="appdata") returned 1 [0104.544] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="program files") returned -1 [0104.545] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="program files (x86)") returned -1 [0104.545] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="microsoft") returned -1 [0104.545] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="sophos") returned -1 [0104.545] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0104.545] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.545] PathFindExtensionW (pszPath="i5FKIwcJ-LzaunA_ 5.ppt") returned=".ppt" [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".com") returned 1 [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".cpl") returned 1 [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".url") returned -1 [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".mp3") returned 1 [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".pif") returned 1 [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".mp4") returned 1 [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".NEFILIM") returned 1 [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0104.545] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0104.545] lstrcmpiW (lpString1="i5FKIwcJ-LzaunA_ 5.ppt", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.545] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0104.545] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\i5FKIwcJ-LzaunA_ 5.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\i5fkiwcj-lzauna_ 5.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.545] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=18902) returned 1 [0104.546] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.546] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.546] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.546] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.546] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0104.546] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0104.546] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.546] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.547] GetTickCount () returned 0x115b487 [0104.547] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0104.547] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0104.547] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x49d6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.547] SetLastError (dwErrCode=0x0) [0104.547] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.548] GetLastError () returned 0x0 [0104.548] GetLastError () returned 0x0 [0104.548] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4ad6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.548] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.548] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4bd6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.548] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x394f0c99, dwHighDateTime=0x1d5f971)) [0104.548] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e2e8 [0104.548] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.548] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.548] GetProcessHeap () returned 0xbc0000 [0104.548] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x49d6) returned 0xbf1630 [0104.548] GetSystemDefaultLangID () returned 0xbd0409 [0104.548] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.548] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x49d6, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x49d6, lpOverlapped=0x0) returned 1 [0104.550] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.550] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x49d6, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x49d6, lpOverlapped=0x0) returned 1 [0104.550] GetProcessHeap () returned 0xbc0000 [0104.550] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.550] CloseHandle (hObject=0x26c) returned 1 [0104.550] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0104.550] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0104.550] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.550] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.550] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0104.550] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\i5FKIwcJ-LzaunA_ 5.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\i5fkiwcj-lzauna_ 5.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\i5FKIwcJ-LzaunA_ 5.ppt.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\i5fkiwcj-lzauna_ 5.ppt.nefilim")) returned 1 [0104.550] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.550] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.550] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaca0650, ftCreationTime.dwHighDateTime=0x1d5a76f, ftLastAccessTime.dwLowDateTime=0xd9011ed0, ftLastAccessTime.dwHighDateTime=0x1d5ebcd, ftLastWriteTime.dwLowDateTime=0xd9011ed0, ftLastWriteTime.dwHighDateTime=0x1d5ebcd, nFileSizeHigh=0x0, nFileSizeLow=0x3378, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="LXdXxYkn.xlsx", cAlternateFileName="LXDXXY~1.XLS")) returned 1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2=".") returned 1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="..") returned 1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="...") returned 1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="windows") returned -1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="rsa") returned -1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="NTDETECT.COM") returned -1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="ntldr") returned -1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="MSDOS.SYS") returned -1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="IO.SYS") returned 1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="boot.ini") returned 1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="ntuser.dat") returned -1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="desktop.ini") returned 1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="CONFIG.SYS") returned 1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="RECYCLER") returned -1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="bootmgr") returned 1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="programdata") returned -1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="appdata") returned 1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="program files") returned -1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="program files (x86)") returned -1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="microsoft") returned -1 [0104.551] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="sophos") returned -1 [0104.551] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0104.551] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0104.551] PathFindExtensionW (pszPath="LXdXxYkn.xlsx") returned=".xlsx" [0104.551] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0104.551] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0104.551] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0104.551] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0104.551] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0104.551] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0104.551] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0104.551] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0104.552] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0104.552] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0104.552] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0104.552] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0104.552] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0104.552] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0104.552] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0104.552] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0104.552] lstrcmpiW (lpString1="LXdXxYkn.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.552] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0104.552] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\LXdXxYkn.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\lxdxxykn.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0104.552] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=13176) returned 1 [0104.552] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.552] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.552] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.552] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.552] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0104.552] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0104.552] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0104.552] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0104.553] GetTickCount () returned 0x115b487 [0104.553] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0104.553] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0104.553] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3378, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.553] SetLastError (dwErrCode=0x0) [0104.553] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.554] GetLastError () returned 0x0 [0104.554] GetLastError () returned 0x0 [0104.554] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3478, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.554] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0104.554] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3578, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.554] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x394f0c99, dwHighDateTime=0x1d5f971)) [0104.554] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e2e8 [0104.554] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.554] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0104.554] GetProcessHeap () returned 0xbc0000 [0104.554] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3378) returned 0xbf1630 [0104.554] GetSystemDefaultLangID () returned 0xbd0409 [0104.554] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.554] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x3378, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x3378, lpOverlapped=0x0) returned 1 [0104.555] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.555] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x3378, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x3378, lpOverlapped=0x0) returned 1 [0104.555] GetProcessHeap () returned 0xbc0000 [0104.555] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0104.555] CloseHandle (hObject=0x26c) returned 1 [0104.555] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0104.555] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0104.555] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.555] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.555] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0104.555] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\LXdXxYkn.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\lxdxxykn.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\LXdXxYkn.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\lxdxxykn.xlsx.nefilim")) returned 1 [0104.556] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0104.556] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0104.556] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd09031a0, ftCreationTime.dwHighDateTime=0x1d5eec0, ftLastAccessTime.dwLowDateTime=0xcc3a0bd0, ftLastAccessTime.dwHighDateTime=0x1d5e4d9, ftLastWriteTime.dwLowDateTime=0xcc3a0bd0, ftLastWriteTime.dwHighDateTime=0x1d5e4d9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="MS_cO3vREvvbe8GluAO", cAlternateFileName="MS_CO3~1")) returned 1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2=".") returned 1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="..") returned 1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="...") returned 1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="windows") returned -1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="$RECYCLE.BIN") returned 1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="rsa") returned -1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="NTDETECT.COM") returned -1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="ntldr") returned -1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="MSDOS.SYS") returned -1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="IO.SYS") returned 1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="boot.ini") returned 1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="AUTOEXEC.BAT") returned 1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="ntuser.dat") returned -1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="desktop.ini") returned 1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="CONFIG.SYS") returned 1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="RECYCLER") returned -1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="BOOTSECT.BAK") returned 1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="bootmgr") returned 1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="programdata") returned -1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="appdata") returned 1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="program files") returned -1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="program files (x86)") returned -1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="microsoft") returned 1 [0104.556] lstrcmpiW (lpString1="MS_cO3vREvvbe8GluAO", lpString2="sophos") returned -1 [0104.556] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680510 [0104.556] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0104.556] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0104.557] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e350 [0104.557] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0104.557] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd09031a0, ftCreationTime.dwHighDateTime=0x1d5eec0, ftLastAccessTime.dwLowDateTime=0xcc3a0bd0, ftLastAccessTime.dwHighDateTime=0x1d5e4d9, ftLastWriteTime.dwLowDateTime=0xcc3a0bd0, ftLastWriteTime.dwHighDateTime=0x1d5e4d9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x80, cFileName=".", cAlternateFileName="")) returned 0xbe2908 [0104.557] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0104.557] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd09031a0, ftCreationTime.dwHighDateTime=0x1d5eec0, ftLastAccessTime.dwLowDateTime=0xcc3a0bd0, ftLastAccessTime.dwHighDateTime=0x1d5e4d9, ftLastWriteTime.dwLowDateTime=0xcc3a0bd0, ftLastWriteTime.dwHighDateTime=0x1d5e4d9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="..", cAlternateFileName="")) returned 1 [0104.557] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0104.557] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0104.557] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82dc8930, ftCreationTime.dwHighDateTime=0x1d5e787, ftLastAccessTime.dwLowDateTime=0xb3084290, ftLastAccessTime.dwHighDateTime=0x1d5e366, ftLastWriteTime.dwLowDateTime=0xb3084290, ftLastWriteTime.dwHighDateTime=0x1d5e366, nFileSizeHigh=0x0, nFileSizeLow=0x10561, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="02E15BBIE4Gj-.xls", cAlternateFileName="02E15B~1.XLS")) returned 1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2=".") returned 1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="..") returned 1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="...") returned 1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="windows") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="$RECYCLE.BIN") returned 1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="rsa") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="NTDETECT.COM") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="ntldr") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="MSDOS.SYS") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="IO.SYS") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="boot.ini") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="AUTOEXEC.BAT") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="ntuser.dat") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="desktop.ini") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="CONFIG.SYS") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="RECYCLER") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="BOOTSECT.BAK") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="bootmgr") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="programdata") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="appdata") returned -1 [0104.557] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="program files") returned -1 [0104.558] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="program files (x86)") returned -1 [0104.558] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="microsoft") returned -1 [0104.558] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="sophos") returned -1 [0104.558] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0104.558] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0104.558] PathFindExtensionW (pszPath="02E15BBIE4Gj-.xls") returned=".xls" [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".NEFILIM") returned 1 [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0104.558] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0104.558] lstrcmpiW (lpString1="02E15BBIE4Gj-.xls", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.558] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0104.558] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\02E15BBIE4Gj-.xls" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\02e15bbie4gj-.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0104.558] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=66913) returned 1 [0104.558] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.558] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.558] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.558] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.558] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0104.559] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0104.559] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be798*=0x100) returned 1 [0104.559] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be794*=0x100) returned 1 [0104.559] GetTickCount () returned 0x115b487 [0104.559] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0104.559] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0104.560] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10561, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.560] SetLastError (dwErrCode=0x0) [0104.560] WriteFile (in: hFile=0x270, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0104.609] GetLastError () returned 0x0 [0104.609] GetLastError () returned 0x0 [0104.609] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10661, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.609] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0104.609] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10761, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.609] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x395895d6, dwHighDateTime=0x1d5f971)) [0104.609] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0104.609] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0104.609] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0104.609] GetProcessHeap () returned 0xbc0000 [0104.609] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10561) returned 0xbf2638 [0104.610] GetSystemDefaultLangID () returned 0xbd0409 [0104.610] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.610] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x10561, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x10561, lpOverlapped=0x0) returned 1 [0104.613] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.613] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x10561, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x10561, lpOverlapped=0x0) returned 1 [0104.614] GetProcessHeap () returned 0xbc0000 [0104.614] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0104.614] CloseHandle (hObject=0x270) returned 1 [0104.614] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0104.614] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0104.614] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.614] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.614] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e888 [0104.614] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\02E15BBIE4Gj-.xls" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\02e15bbie4gj-.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\02E15BBIE4Gj-.xls.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\02e15bbie4gj-.xls.nefilim")) returned 1 [0104.616] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e888 | out: hHeap=0x2680000) returned 1 [0104.616] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0104.616] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccd3d450, ftCreationTime.dwHighDateTime=0x1d5e3e8, ftLastAccessTime.dwLowDateTime=0xd1fe93c0, ftLastAccessTime.dwHighDateTime=0x1d5edc5, ftLastWriteTime.dwLowDateTime=0xd1fe93c0, ftLastWriteTime.dwHighDateTime=0x1d5edc5, nFileSizeHigh=0x0, nFileSizeLow=0x220f, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="94v8.pps", cAlternateFileName="")) returned 1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2=".") returned 1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="..") returned 1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="...") returned 1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="windows") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="$RECYCLE.BIN") returned 1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="rsa") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="NTDETECT.COM") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="ntldr") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="MSDOS.SYS") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="IO.SYS") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="boot.ini") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="AUTOEXEC.BAT") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="ntuser.dat") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="desktop.ini") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="CONFIG.SYS") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="RECYCLER") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="BOOTSECT.BAK") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="bootmgr") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="programdata") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="appdata") returned -1 [0104.616] lstrcmpiW (lpString1="94v8.pps", lpString2="program files") returned -1 [0104.617] lstrcmpiW (lpString1="94v8.pps", lpString2="program files (x86)") returned -1 [0104.617] lstrcmpiW (lpString1="94v8.pps", lpString2="microsoft") returned -1 [0104.617] lstrcmpiW (lpString1="94v8.pps", lpString2="sophos") returned -1 [0104.617] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0104.617] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0104.617] PathFindExtensionW (pszPath="94v8.pps") returned=".pps" [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".NEFILIM") returned 1 [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0104.617] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0104.617] lstrcmpiW (lpString1="94v8.pps", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.617] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0104.617] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\94v8.pps" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\94v8.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0104.617] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=8719) returned 1 [0104.617] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.617] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0104.617] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.617] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0104.617] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0104.618] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0104.618] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x100) returned 1 [0104.618] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x100) returned 1 [0104.619] GetTickCount () returned 0x115b4c6 [0104.619] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0104.619] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0104.619] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x220f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.619] SetLastError (dwErrCode=0x0) [0104.619] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0104.620] GetLastError () returned 0x0 [0104.620] GetLastError () returned 0x0 [0104.620] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x230f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.620] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0104.620] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x240f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.620] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x395895d6, dwHighDateTime=0x1d5f971)) [0104.620] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0104.620] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0104.620] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0104.620] GetProcessHeap () returned 0xbc0000 [0104.620] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x220f) returned 0xbf2638 [0104.620] GetSystemDefaultLangID () returned 0xbd0409 [0104.620] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.620] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x220f, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x220f, lpOverlapped=0x0) returned 1 [0104.621] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.621] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x220f, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x220f, lpOverlapped=0x0) returned 1 [0104.621] GetProcessHeap () returned 0xbc0000 [0104.621] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0104.621] CloseHandle (hObject=0x270) returned 1 [0104.621] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0104.621] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0104.621] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.621] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0104.621] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0104.621] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\94v8.pps" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\94v8.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\94v8.pps.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\94v8.pps.nefilim")) returned 1 [0104.622] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0104.622] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0104.622] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1609f0, ftCreationTime.dwHighDateTime=0x1d5e60b, ftLastAccessTime.dwLowDateTime=0x5b0b87e0, ftLastAccessTime.dwHighDateTime=0x1d5ef42, ftLastWriteTime.dwLowDateTime=0x5b0b87e0, ftLastWriteTime.dwHighDateTime=0x1d5ef42, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="bEUcpp", cAlternateFileName="")) returned 1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2=".") returned 1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="..") returned 1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="...") returned 1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="windows") returned -1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="$RECYCLE.BIN") returned 1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="rsa") returned -1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="NTDETECT.COM") returned -1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="ntldr") returned -1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="MSDOS.SYS") returned -1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="IO.SYS") returned -1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="boot.ini") returned -1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="AUTOEXEC.BAT") returned 1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="ntuser.dat") returned -1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="desktop.ini") returned -1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="CONFIG.SYS") returned -1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="RECYCLER") returned -1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="BOOTSECT.BAK") returned -1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="bootmgr") returned -1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="programdata") returned -1 [0104.622] lstrcmpiW (lpString1="bEUcpp", lpString2="appdata") returned 1 [0104.690] lstrcmpiW (lpString1="bEUcpp", lpString2="program files") returned -1 [0104.690] lstrcmpiW (lpString1="bEUcpp", lpString2="program files (x86)") returned -1 [0104.690] lstrcmpiW (lpString1="bEUcpp", lpString2="microsoft") returned -1 [0104.690] lstrcmpiW (lpString1="bEUcpp", lpString2="sophos") returned -1 [0104.690] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0104.690] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0104.690] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0104.690] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e800 [0104.690] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e878 [0104.690] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1609f0, ftCreationTime.dwHighDateTime=0x1d5e60b, ftLastAccessTime.dwLowDateTime=0x5b0b87e0, ftLastAccessTime.dwHighDateTime=0x1d5ef42, ftLastWriteTime.dwLowDateTime=0x5b0b87e0, ftLastWriteTime.dwHighDateTime=0x1d5ef42, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName=".", cAlternateFileName="")) returned 0xbe2608 [0104.690] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0104.690] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1d1609f0, ftCreationTime.dwHighDateTime=0x1d5e60b, ftLastAccessTime.dwLowDateTime=0x5b0b87e0, ftLastAccessTime.dwHighDateTime=0x1d5ef42, ftLastWriteTime.dwLowDateTime=0x5b0b87e0, ftLastWriteTime.dwHighDateTime=0x1d5ef42, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="..", cAlternateFileName="")) returned 1 [0104.690] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0104.690] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0104.690] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x85a7f7b0, ftCreationTime.dwHighDateTime=0x1d5e536, ftLastAccessTime.dwLowDateTime=0xc9c08350, ftLastAccessTime.dwHighDateTime=0x1d5ee7c, ftLastWriteTime.dwLowDateTime=0xc9c08350, ftLastWriteTime.dwHighDateTime=0x1d5ee7c, nFileSizeHigh=0x0, nFileSizeLow=0x15422, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="7-b7TpTDMqbsz.pptx", cAlternateFileName="7-B7TP~1.PPT")) returned 1 [0104.690] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2=".") returned 1 [0104.690] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="..") returned 1 [0104.690] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="...") returned 1 [0104.691] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="windows") returned -1 [0104.691] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="$RECYCLE.BIN") returned 1 [0104.691] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="rsa") returned -1 [0104.691] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="NTDETECT.COM") returned -1 [0104.691] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="ntldr") returned -1 [0104.691] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="MSDOS.SYS") returned -1 [0104.691] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="IO.SYS") returned -1 [0104.691] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="boot.ini") returned -1 [0104.691] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="AUTOEXEC.BAT") returned -1 [0104.691] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="ntuser.dat") returned -1 [0104.692] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="desktop.ini") returned -1 [0104.692] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="CONFIG.SYS") returned -1 [0104.692] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="RECYCLER") returned -1 [0104.692] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="BOOTSECT.BAK") returned -1 [0104.692] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="bootmgr") returned -1 [0104.692] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="programdata") returned -1 [0104.692] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="appdata") returned -1 [0104.692] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="program files") returned -1 [0104.692] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="program files (x86)") returned -1 [0104.692] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="microsoft") returned -1 [0104.692] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="sophos") returned -1 [0104.692] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e900 [0104.692] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e878 | out: hHeap=0x2680000) returned 1 [0104.692] PathFindExtensionW (pszPath="7-b7TpTDMqbsz.pptx") returned=".pptx" [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0104.692] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0104.692] lstrcmpiW (lpString1="7-b7TpTDMqbsz.pptx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.692] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e998 [0104.693] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\7-b7TpTDMqbsz.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\7-b7tptdmqbsz.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0104.693] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=87074) returned 1 [0104.693] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0104.693] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.693] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0104.693] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.693] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0104.693] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0104.693] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be478*=0x100) returned 1 [0104.694] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be474*=0x100) returned 1 [0104.694] GetTickCount () returned 0x115b523 [0104.694] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0104.694] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0104.694] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15422, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.694] SetLastError (dwErrCode=0x0) [0104.694] WriteFile (in: hFile=0x274, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0104.695] GetLastError () returned 0x0 [0104.695] GetLastError () returned 0x0 [0104.695] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15522, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.695] WriteFile (in: hFile=0x274, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0104.695] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15622, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.695] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x396615a2, dwHighDateTime=0x1d5f971)) [0104.695] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0104.695] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0104.695] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0104.696] GetProcessHeap () returned 0xbc0000 [0104.696] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x15422) returned 0xbf3640 [0104.696] GetSystemDefaultLangID () returned 0xbd0409 [0104.696] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.696] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x15422, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x15422, lpOverlapped=0x0) returned 1 [0104.704] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.704] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x15422, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x15422, lpOverlapped=0x0) returned 1 [0104.704] GetProcessHeap () returned 0xbc0000 [0104.704] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0104.704] CloseHandle (hObject=0x274) returned 1 [0104.704] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0104.704] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0104.704] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0104.704] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.704] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ea30 [0104.704] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\7-b7TpTDMqbsz.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\7-b7tptdmqbsz.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\7-b7TpTDMqbsz.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\7-b7tptdmqbsz.pptx.nefilim")) returned 1 [0104.705] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea30 | out: hHeap=0x2680000) returned 1 [0104.705] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e998 | out: hHeap=0x2680000) returned 1 [0104.705] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9ef8db0, ftCreationTime.dwHighDateTime=0x1d5ec7b, ftLastAccessTime.dwLowDateTime=0x8f8f24a0, ftLastAccessTime.dwHighDateTime=0x1d5e9ab, ftLastWriteTime.dwLowDateTime=0x8f8f24a0, ftLastWriteTime.dwHighDateTime=0x1d5e9ab, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="a5BsW-V", cAlternateFileName="")) returned 1 [0104.705] lstrcmpiW (lpString1="a5BsW-V", lpString2=".") returned 1 [0104.705] lstrcmpiW (lpString1="a5BsW-V", lpString2="..") returned 1 [0104.705] lstrcmpiW (lpString1="a5BsW-V", lpString2="...") returned 1 [0104.705] lstrcmpiW (lpString1="a5BsW-V", lpString2="windows") returned -1 [0104.705] lstrcmpiW (lpString1="a5BsW-V", lpString2="$RECYCLE.BIN") returned 1 [0104.705] lstrcmpiW (lpString1="a5BsW-V", lpString2="rsa") returned -1 [0104.705] lstrcmpiW (lpString1="a5BsW-V", lpString2="NTDETECT.COM") returned -1 [0104.705] lstrcmpiW (lpString1="a5BsW-V", lpString2="ntldr") returned -1 [0104.705] lstrcmpiW (lpString1="a5BsW-V", lpString2="MSDOS.SYS") returned -1 [0104.705] lstrcmpiW (lpString1="a5BsW-V", lpString2="IO.SYS") returned -1 [0104.705] lstrcmpiW (lpString1="a5BsW-V", lpString2="boot.ini") returned -1 [0104.705] lstrcmpiW (lpString1="a5BsW-V", lpString2="AUTOEXEC.BAT") returned -1 [0104.705] lstrcmpiW (lpString1="a5BsW-V", lpString2="ntuser.dat") returned -1 [0104.706] lstrcmpiW (lpString1="a5BsW-V", lpString2="desktop.ini") returned -1 [0104.706] lstrcmpiW (lpString1="a5BsW-V", lpString2="CONFIG.SYS") returned -1 [0104.706] lstrcmpiW (lpString1="a5BsW-V", lpString2="RECYCLER") returned -1 [0104.706] lstrcmpiW (lpString1="a5BsW-V", lpString2="BOOTSECT.BAK") returned -1 [0104.706] lstrcmpiW (lpString1="a5BsW-V", lpString2="bootmgr") returned -1 [0104.706] lstrcmpiW (lpString1="a5BsW-V", lpString2="programdata") returned -1 [0104.706] lstrcmpiW (lpString1="a5BsW-V", lpString2="appdata") returned -1 [0104.706] lstrcmpiW (lpString1="a5BsW-V", lpString2="program files") returned -1 [0104.706] lstrcmpiW (lpString1="a5BsW-V", lpString2="program files (x86)") returned -1 [0104.706] lstrcmpiW (lpString1="a5BsW-V", lpString2="microsoft") returned -1 [0104.706] lstrcmpiW (lpString1="a5BsW-V", lpString2="sophos") returned -1 [0104.706] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e878 [0104.706] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e900 | out: hHeap=0x2680000) returned 1 [0104.706] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e900 [0104.706] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e988 [0104.706] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268ea10 [0104.706] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\*.*", lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9ef8db0, ftCreationTime.dwHighDateTime=0x1d5ec7b, ftLastAccessTime.dwLowDateTime=0x8f8f24a0, ftLastAccessTime.dwHighDateTime=0x1d5e9ab, ftLastWriteTime.dwLowDateTime=0x8f8f24a0, ftLastWriteTime.dwHighDateTime=0x1d5e9ab, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e998, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2648 [0104.706] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0104.706] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc9ef8db0, ftCreationTime.dwHighDateTime=0x1d5ec7b, ftLastAccessTime.dwLowDateTime=0x8f8f24a0, ftLastAccessTime.dwHighDateTime=0x1d5e9ab, ftLastWriteTime.dwLowDateTime=0x8f8f24a0, ftLastWriteTime.dwHighDateTime=0x1d5e9ab, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e998, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0104.706] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0104.706] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0104.707] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3114a710, ftCreationTime.dwHighDateTime=0x1d5eacd, ftLastAccessTime.dwLowDateTime=0xffeafca0, ftLastAccessTime.dwHighDateTime=0x1d5eda3, ftLastWriteTime.dwLowDateTime=0xffeafca0, ftLastWriteTime.dwHighDateTime=0x1d5eda3, nFileSizeHigh=0x0, nFileSizeLow=0x3085, dwReserved0=0x268e998, dwReserved1=0x0, cFileName="1O1.xls", cAlternateFileName="")) returned 1 [0104.707] lstrcmpiW (lpString1="1O1.xls", lpString2=".") returned 1 [0104.707] lstrcmpiW (lpString1="1O1.xls", lpString2="..") returned 1 [0104.707] lstrcmpiW (lpString1="1O1.xls", lpString2="...") returned 1 [0104.707] lstrcmpiW (lpString1="1O1.xls", lpString2="windows") returned -1 [0104.707] lstrcmpiW (lpString1="1O1.xls", lpString2="$RECYCLE.BIN") returned 1 [0104.707] lstrcmpiW (lpString1="1O1.xls", lpString2="rsa") returned -1 [0104.707] lstrcmpiW (lpString1="1O1.xls", lpString2="NTDETECT.COM") returned -1 [0104.707] lstrcmpiW (lpString1="1O1.xls", lpString2="ntldr") returned -1 [0104.707] lstrcmpiW (lpString1="1O1.xls", lpString2="MSDOS.SYS") returned -1 [0104.707] lstrcmpiW (lpString1="1O1.xls", lpString2="IO.SYS") returned -1 [0104.707] lstrcmpiW (lpString1="1O1.xls", lpString2="boot.ini") returned -1 [0104.707] lstrcmpiW (lpString1="1O1.xls", lpString2="AUTOEXEC.BAT") returned -1 [0104.707] lstrcmpiW (lpString1="1O1.xls", lpString2="ntuser.dat") returned -1 [0104.708] lstrcmpiW (lpString1="1O1.xls", lpString2="desktop.ini") returned -1 [0104.708] lstrcmpiW (lpString1="1O1.xls", lpString2="CONFIG.SYS") returned -1 [0104.708] lstrcmpiW (lpString1="1O1.xls", lpString2="RECYCLER") returned -1 [0104.708] lstrcmpiW (lpString1="1O1.xls", lpString2="BOOTSECT.BAK") returned -1 [0104.708] lstrcmpiW (lpString1="1O1.xls", lpString2="bootmgr") returned -1 [0104.708] lstrcmpiW (lpString1="1O1.xls", lpString2="programdata") returned -1 [0104.708] lstrcmpiW (lpString1="1O1.xls", lpString2="appdata") returned -1 [0104.708] lstrcmpiW (lpString1="1O1.xls", lpString2="program files") returned -1 [0104.708] lstrcmpiW (lpString1="1O1.xls", lpString2="program files (x86)") returned -1 [0104.708] lstrcmpiW (lpString1="1O1.xls", lpString2="microsoft") returned -1 [0104.708] lstrcmpiW (lpString1="1O1.xls", lpString2="sophos") returned -1 [0104.708] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268eaa8 [0104.708] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea10 | out: hHeap=0x2680000) returned 1 [0104.708] PathFindExtensionW (pszPath="1O1.xls") returned=".xls" [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".NEFILIM") returned 1 [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0104.708] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0104.708] lstrcmpiW (lpString1="1O1.xls", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.708] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268ea10 [0104.708] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\1O1.xls" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\1o1.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0104.709] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x25be198 | out: lpFileSize=0x25be198*=12421) returned 1 [0104.709] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0104.709] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.709] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0104.709] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.709] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0104.709] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0104.709] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be158*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be158*=0x100) returned 1 [0104.709] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be154*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be154*=0x100) returned 1 [0104.710] GetTickCount () returned 0x115b533 [0104.710] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0104.710] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0104.710] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x3085, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.710] SetLastError (dwErrCode=0x0) [0104.710] WriteFile (in: hFile=0x278, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.711] GetLastError () returned 0x0 [0104.711] GetLastError () returned 0x0 [0104.711] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x3185, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.711] WriteFile (in: hFile=0x278, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.711] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x3285, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.711] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be16c | out: lpSystemTimeAsFileTime=0x25be16c*(dwLowDateTime=0x3967d67a, dwHighDateTime=0x1d5f971)) [0104.711] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0104.711] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0104.711] WriteFile (in: hFile=0x278, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be1b0*=0x7, lpOverlapped=0x0) returned 1 [0104.711] GetProcessHeap () returned 0xbc0000 [0104.711] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3085) returned 0xbf4648 [0104.712] GetSystemDefaultLangID () returned 0xbd0409 [0104.712] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.712] ReadFile (in: hFile=0x278, lpBuffer=0xbf4648, nNumberOfBytesToRead=0x3085, lpNumberOfBytesRead=0x25be1bc, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesRead=0x25be1bc*=0x3085, lpOverlapped=0x0) returned 1 [0104.713] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.713] WriteFile (in: hFile=0x278, lpBuffer=0xbf4648*, nNumberOfBytesToWrite=0x3085, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesWritten=0x25be1b0*=0x3085, lpOverlapped=0x0) returned 1 [0104.713] GetProcessHeap () returned 0xbc0000 [0104.713] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf4648 | out: hHeap=0xbc0000) returned 1 [0104.713] CloseHandle (hObject=0x278) returned 1 [0104.716] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0104.716] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0104.716] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0104.716] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.716] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268eb40 [0104.716] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\1O1.xls" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\1o1.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\1O1.xls.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\1o1.xls.nefilim")) returned 1 [0104.717] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eb40 | out: hHeap=0x2680000) returned 1 [0104.717] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea10 | out: hHeap=0x2680000) returned 1 [0104.717] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4ea40e0, ftCreationTime.dwHighDateTime=0x1d5ed0e, ftLastAccessTime.dwLowDateTime=0x9a9f3af0, ftLastAccessTime.dwHighDateTime=0x1d5e2cc, ftLastWriteTime.dwLowDateTime=0x9a9f3af0, ftLastWriteTime.dwHighDateTime=0x1d5e2cc, nFileSizeHigh=0x0, nFileSizeLow=0x16e3c, dwReserved0=0x268e998, dwReserved1=0x0, cFileName="7HnbJEQnjb3Tt.pdf", cAlternateFileName="7HNBJE~1.PDF")) returned 1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2=".") returned 1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="..") returned 1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="...") returned 1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="windows") returned -1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="$RECYCLE.BIN") returned 1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="rsa") returned -1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="NTDETECT.COM") returned -1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="ntldr") returned -1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="MSDOS.SYS") returned -1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="IO.SYS") returned -1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="boot.ini") returned -1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="AUTOEXEC.BAT") returned -1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="ntuser.dat") returned -1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="desktop.ini") returned -1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="CONFIG.SYS") returned -1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="RECYCLER") returned -1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="BOOTSECT.BAK") returned -1 [0104.717] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="bootmgr") returned -1 [0104.718] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="programdata") returned -1 [0104.718] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="appdata") returned -1 [0104.718] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="program files") returned -1 [0104.718] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="program files (x86)") returned -1 [0104.718] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="microsoft") returned -1 [0104.718] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="sophos") returned -1 [0104.718] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268eb40 [0104.718] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eaa8 | out: hHeap=0x2680000) returned 1 [0104.718] PathFindExtensionW (pszPath="7HnbJEQnjb3Tt.pdf") returned=".pdf" [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".com") returned 1 [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".cpl") returned 1 [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".url") returned -1 [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".mp3") returned 1 [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".pif") returned -1 [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".mp4") returned 1 [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".NEFILIM") returned 1 [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0104.718] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0104.718] lstrcmpiW (lpString1="7HnbJEQnjb3Tt.pdf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.718] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ea10 [0104.718] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\7HnbJEQnjb3Tt.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\7hnbjeqnjb3tt.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0104.718] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x25be198 | out: lpFileSize=0x25be198*=93756) returned 1 [0104.718] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.718] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.718] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.719] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.719] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0104.719] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0104.719] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be158*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be158*=0x100) returned 1 [0104.719] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25be154*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25be154*=0x100) returned 1 [0104.720] GetTickCount () returned 0x115b533 [0104.720] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0104.720] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0104.720] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x16e3c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.720] SetLastError (dwErrCode=0x0) [0104.720] WriteFile (in: hFile=0x278, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.721] GetLastError () returned 0x0 [0104.721] GetLastError () returned 0x0 [0104.721] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x16f3c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.721] WriteFile (in: hFile=0x278, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.722] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x1703c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.722] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be16c | out: lpSystemTimeAsFileTime=0x25be16c*(dwLowDateTime=0x3967d67a, dwHighDateTime=0x1d5f971)) [0104.722] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0104.722] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0104.722] WriteFile (in: hFile=0x278, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be1b0*=0x7, lpOverlapped=0x0) returned 1 [0104.722] GetProcessHeap () returned 0xbc0000 [0104.722] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x16e3c) returned 0xbf4648 [0104.722] GetSystemDefaultLangID () returned 0xbd0409 [0104.722] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.722] ReadFile (in: hFile=0x278, lpBuffer=0xbf4648, nNumberOfBytesToRead=0x16e3c, lpNumberOfBytesRead=0x25be1bc, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesRead=0x25be1bc*=0x16e3c, lpOverlapped=0x0) returned 1 [0104.785] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.785] WriteFile (in: hFile=0x278, lpBuffer=0xbf4648*, nNumberOfBytesToWrite=0x16e3c, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesWritten=0x25be1b0*=0x16e3c, lpOverlapped=0x0) returned 1 [0104.785] GetProcessHeap () returned 0xbc0000 [0104.786] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf4648 | out: hHeap=0xbc0000) returned 1 [0104.786] CloseHandle (hObject=0x278) returned 1 [0104.786] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0104.786] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0104.786] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.786] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.786] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268ebe8 [0104.786] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\7HnbJEQnjb3Tt.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\7hnbjeqnjb3tt.pdf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\7HnbJEQnjb3Tt.pdf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\7hnbjeqnjb3tt.pdf.nefilim")) returned 1 [0104.787] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebe8 | out: hHeap=0x2680000) returned 1 [0104.787] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea10 | out: hHeap=0x2680000) returned 1 [0104.787] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9f7341b0, ftCreationTime.dwHighDateTime=0x1d5e5c0, ftLastAccessTime.dwLowDateTime=0x6e542100, ftLastAccessTime.dwHighDateTime=0x1d5e325, ftLastWriteTime.dwLowDateTime=0x6e542100, ftLastWriteTime.dwHighDateTime=0x1d5e325, nFileSizeHigh=0x0, nFileSizeLow=0x141f6, dwReserved0=0x268e998, dwReserved1=0x0, cFileName="aoHb O6.rtf", cAlternateFileName="AOHBO6~1.RTF")) returned 1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2=".") returned 1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="..") returned 1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="...") returned 1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="windows") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="$RECYCLE.BIN") returned 1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="rsa") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="NTDETECT.COM") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="ntldr") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="MSDOS.SYS") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="IO.SYS") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="boot.ini") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="AUTOEXEC.BAT") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="ntuser.dat") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="desktop.ini") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="CONFIG.SYS") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="RECYCLER") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="BOOTSECT.BAK") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="bootmgr") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="programdata") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="appdata") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="program files") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="program files (x86)") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="microsoft") returned -1 [0104.787] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="sophos") returned -1 [0104.787] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ea10 [0104.787] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eb40 | out: hHeap=0x2680000) returned 1 [0104.787] PathFindExtensionW (pszPath="aoHb O6.rtf") returned=".rtf" [0104.787] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0104.788] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0104.788] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0104.788] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0104.788] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0104.788] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0104.788] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0104.788] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0104.788] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0104.788] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0104.788] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0104.788] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0104.788] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0104.788] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0104.788] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0104.788] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0104.788] lstrcmpiW (lpString1="aoHb O6.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.788] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268eab8 [0104.788] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\aoHb O6.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\aohb o6.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0104.788] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x25be198 | out: lpFileSize=0x25be198*=82422) returned 1 [0104.788] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.788] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0104.788] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.788] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0104.788] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0104.788] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0104.788] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be158*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be158*=0x100) returned 1 [0104.789] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be154*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be154*=0x100) returned 1 [0104.789] GetTickCount () returned 0x115b581 [0104.789] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0104.789] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0104.789] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x141f6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.789] SetLastError (dwErrCode=0x0) [0104.789] WriteFile (in: hFile=0x278, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.790] GetLastError () returned 0x0 [0104.790] GetLastError () returned 0x0 [0104.790] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x142f6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.790] WriteFile (in: hFile=0x278, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.790] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x143f6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.790] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be16c | out: lpSystemTimeAsFileTime=0x25be16c*(dwLowDateTime=0x3973c81f, dwHighDateTime=0x1d5f971)) [0104.790] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0104.790] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0104.790] WriteFile (in: hFile=0x278, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be1b0*=0x7, lpOverlapped=0x0) returned 1 [0104.790] GetProcessHeap () returned 0xbc0000 [0104.790] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x141f6) returned 0xbf4648 [0104.790] GetSystemDefaultLangID () returned 0xbd0409 [0104.790] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.790] ReadFile (in: hFile=0x278, lpBuffer=0xbf4648, nNumberOfBytesToRead=0x141f6, lpNumberOfBytesRead=0x25be1bc, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesRead=0x25be1bc*=0x141f6, lpOverlapped=0x0) returned 1 [0104.794] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.794] WriteFile (in: hFile=0x278, lpBuffer=0xbf4648*, nNumberOfBytesToWrite=0x141f6, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesWritten=0x25be1b0*=0x141f6, lpOverlapped=0x0) returned 1 [0104.794] GetProcessHeap () returned 0xbc0000 [0104.794] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf4648 | out: hHeap=0xbc0000) returned 1 [0104.795] CloseHandle (hObject=0x278) returned 1 [0104.795] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0104.795] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0104.795] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.795] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0f0 | out: hHeap=0x2680000) returned 1 [0104.795] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268eb60 [0104.795] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\aoHb O6.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\aohb o6.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\aoHb O6.rtf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\aohb o6.rtf.nefilim")) returned 1 [0104.795] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eb60 | out: hHeap=0x2680000) returned 1 [0104.795] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eab8 | out: hHeap=0x2680000) returned 1 [0104.795] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7e11fb0, ftCreationTime.dwHighDateTime=0x1d5ee7b, ftLastAccessTime.dwLowDateTime=0x837031f0, ftLastAccessTime.dwHighDateTime=0x1d5e76c, ftLastWriteTime.dwLowDateTime=0x837031f0, ftLastWriteTime.dwHighDateTime=0x1d5e76c, nFileSizeHigh=0x0, nFileSizeLow=0x16a7b, dwReserved0=0x268e998, dwReserved1=0x0, cFileName="daTN2Zo-QB.rtf", cAlternateFileName="DATN2Z~1.RTF")) returned 1 [0104.795] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2=".") returned 1 [0104.795] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="..") returned 1 [0104.795] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="...") returned 1 [0104.795] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="windows") returned -1 [0104.795] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="$RECYCLE.BIN") returned 1 [0104.795] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="rsa") returned -1 [0104.795] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="NTDETECT.COM") returned -1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="ntldr") returned -1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="MSDOS.SYS") returned -1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="IO.SYS") returned -1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="boot.ini") returned 1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="ntuser.dat") returned -1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="desktop.ini") returned -1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="CONFIG.SYS") returned 1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="RECYCLER") returned -1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="BOOTSECT.BAK") returned 1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="bootmgr") returned 1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="programdata") returned -1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="appdata") returned 1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="program files") returned -1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="program files (x86)") returned -1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="microsoft") returned -1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="sophos") returned -1 [0104.796] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268eab8 [0104.796] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea10 | out: hHeap=0x2680000) returned 1 [0104.796] PathFindExtensionW (pszPath="daTN2Zo-QB.rtf") returned=".rtf" [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0104.796] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0104.796] lstrcmpiW (lpString1="daTN2Zo-QB.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.796] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ea10 [0104.797] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\daTN2Zo-QB.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\datn2zo-qb.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0104.797] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x25be198 | out: lpFileSize=0x25be198*=92795) returned 1 [0104.797] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.797] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.797] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.797] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.797] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0104.797] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0104.797] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be158*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be158*=0x100) returned 1 [0104.797] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be154*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be154*=0x100) returned 1 [0104.797] GetTickCount () returned 0x115b581 [0104.797] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0104.797] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0104.797] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x16a7b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.797] SetLastError (dwErrCode=0x0) [0104.797] WriteFile (in: hFile=0x278, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.798] GetLastError () returned 0x0 [0104.798] GetLastError () returned 0x0 [0104.798] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x16b7b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.798] WriteFile (in: hFile=0x278, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.798] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x16c7b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.798] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be16c | out: lpSystemTimeAsFileTime=0x25be16c*(dwLowDateTime=0x3973c81f, dwHighDateTime=0x1d5f971)) [0104.798] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0104.798] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0104.798] WriteFile (in: hFile=0x278, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be1b0*=0x7, lpOverlapped=0x0) returned 1 [0104.799] GetProcessHeap () returned 0xbc0000 [0104.799] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x16a7b) returned 0xbf4648 [0104.799] GetSystemDefaultLangID () returned 0xbd0409 [0104.799] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.799] ReadFile (in: hFile=0x278, lpBuffer=0xbf4648, nNumberOfBytesToRead=0x16a7b, lpNumberOfBytesRead=0x25be1bc, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesRead=0x25be1bc*=0x16a7b, lpOverlapped=0x0) returned 1 [0104.804] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.804] WriteFile (in: hFile=0x278, lpBuffer=0xbf4648*, nNumberOfBytesToWrite=0x16a7b, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesWritten=0x25be1b0*=0x16a7b, lpOverlapped=0x0) returned 1 [0104.804] GetProcessHeap () returned 0xbc0000 [0104.804] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf4648 | out: hHeap=0xbc0000) returned 1 [0104.804] CloseHandle (hObject=0x278) returned 1 [0104.804] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0104.804] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0104.804] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.804] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.804] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268eb60 [0104.804] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\daTN2Zo-QB.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\datn2zo-qb.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\daTN2Zo-QB.rtf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\datn2zo-qb.rtf.nefilim")) returned 1 [0104.805] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eb60 | out: hHeap=0x2680000) returned 1 [0104.805] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea10 | out: hHeap=0x2680000) returned 1 [0104.805] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1ed60, ftCreationTime.dwHighDateTime=0x1d5e2c4, ftLastAccessTime.dwLowDateTime=0x60066da0, ftLastAccessTime.dwHighDateTime=0x1d5ef6f, ftLastWriteTime.dwLowDateTime=0x60066da0, ftLastWriteTime.dwHighDateTime=0x1d5ef6f, nFileSizeHigh=0x0, nFileSizeLow=0x15274, dwReserved0=0x268e998, dwReserved1=0x0, cFileName="KLxeMpQqjI.ppt", cAlternateFileName="KLXEMP~1.PPT")) returned 1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2=".") returned 1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="..") returned 1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="...") returned 1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="windows") returned -1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="$RECYCLE.BIN") returned 1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="rsa") returned -1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="NTDETECT.COM") returned -1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="ntldr") returned -1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="MSDOS.SYS") returned -1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="IO.SYS") returned 1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="boot.ini") returned 1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="AUTOEXEC.BAT") returned 1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="ntuser.dat") returned -1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="desktop.ini") returned 1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="CONFIG.SYS") returned 1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="RECYCLER") returned -1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="BOOTSECT.BAK") returned 1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="bootmgr") returned 1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="programdata") returned -1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="appdata") returned 1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="program files") returned -1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="program files (x86)") returned -1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="microsoft") returned -1 [0104.805] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="sophos") returned -1 [0104.805] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ea10 [0104.805] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eab8 | out: hHeap=0x2680000) returned 1 [0104.805] PathFindExtensionW (pszPath="KLxeMpQqjI.ppt") returned=".ppt" [0104.805] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0104.805] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0104.805] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0104.805] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0104.805] lstrcmpiW (lpString1=".ppt", lpString2=".com") returned 1 [0104.805] lstrcmpiW (lpString1=".ppt", lpString2=".cpl") returned 1 [0104.806] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0104.806] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0104.806] lstrcmpiW (lpString1=".ppt", lpString2=".url") returned -1 [0104.806] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0104.806] lstrcmpiW (lpString1=".ppt", lpString2=".mp3") returned 1 [0104.806] lstrcmpiW (lpString1=".ppt", lpString2=".pif") returned 1 [0104.806] lstrcmpiW (lpString1=".ppt", lpString2=".mp4") returned 1 [0104.806] lstrcmpiW (lpString1=".ppt", lpString2=".NEFILIM") returned 1 [0104.806] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0104.806] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0104.806] lstrcmpiW (lpString1="KLxeMpQqjI.ppt", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.806] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268eab8 [0104.806] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\KLxeMpQqjI.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\klxempqqji.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0104.806] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x25be198 | out: lpFileSize=0x25be198*=86644) returned 1 [0104.806] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.806] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.806] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.806] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.806] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0104.806] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0104.806] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be158*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be158*=0x100) returned 1 [0104.807] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be154*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be154*=0x100) returned 1 [0104.808] GetTickCount () returned 0x115b591 [0104.808] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0104.808] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0104.808] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x15274, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.808] SetLastError (dwErrCode=0x0) [0104.808] WriteFile (in: hFile=0x278, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.809] GetLastError () returned 0x0 [0104.809] GetLastError () returned 0x0 [0104.809] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x15374, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.809] WriteFile (in: hFile=0x278, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.809] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x15474, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.809] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be16c | out: lpSystemTimeAsFileTime=0x25be16c*(dwLowDateTime=0x397629bf, dwHighDateTime=0x1d5f971)) [0104.809] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0104.809] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0104.809] WriteFile (in: hFile=0x278, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be1b0*=0x7, lpOverlapped=0x0) returned 1 [0104.809] GetProcessHeap () returned 0xbc0000 [0104.809] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x15274) returned 0xbf4648 [0104.809] GetSystemDefaultLangID () returned 0xbd0409 [0104.809] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.809] ReadFile (in: hFile=0x278, lpBuffer=0xbf4648, nNumberOfBytesToRead=0x15274, lpNumberOfBytesRead=0x25be1bc, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesRead=0x25be1bc*=0x15274, lpOverlapped=0x0) returned 1 [0104.814] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.814] WriteFile (in: hFile=0x278, lpBuffer=0xbf4648*, nNumberOfBytesToWrite=0x15274, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesWritten=0x25be1b0*=0x15274, lpOverlapped=0x0) returned 1 [0104.814] GetProcessHeap () returned 0xbc0000 [0104.814] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf4648 | out: hHeap=0xbc0000) returned 1 [0104.815] CloseHandle (hObject=0x278) returned 1 [0104.815] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0104.815] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0104.815] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.815] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.815] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268eb60 [0104.815] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\KLxeMpQqjI.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\klxempqqji.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\KLxeMpQqjI.ppt.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\klxempqqji.ppt.nefilim")) returned 1 [0104.815] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eb60 | out: hHeap=0x2680000) returned 1 [0104.815] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eab8 | out: hHeap=0x2680000) returned 1 [0104.815] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c59260, ftCreationTime.dwHighDateTime=0x1d5e9f5, ftLastAccessTime.dwLowDateTime=0xf44ccb30, ftLastAccessTime.dwHighDateTime=0x1d5e80d, ftLastWriteTime.dwLowDateTime=0xf44ccb30, ftLastWriteTime.dwHighDateTime=0x1d5e80d, nFileSizeHigh=0x0, nFileSizeLow=0x15c97, dwReserved0=0x268e998, dwReserved1=0x0, cFileName="tV88 PXS8.ods", cAlternateFileName="TV88PX~1.ODS")) returned 1 [0104.815] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2=".") returned 1 [0104.815] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="..") returned 1 [0104.815] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="...") returned 1 [0104.815] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="windows") returned -1 [0104.815] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="$RECYCLE.BIN") returned 1 [0104.815] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="rsa") returned 1 [0104.815] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="NTDETECT.COM") returned 1 [0104.815] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="ntldr") returned 1 [0104.815] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="MSDOS.SYS") returned 1 [0104.816] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="IO.SYS") returned 1 [0104.816] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="boot.ini") returned 1 [0104.816] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="AUTOEXEC.BAT") returned 1 [0104.816] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="ntuser.dat") returned 1 [0104.816] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="desktop.ini") returned 1 [0104.816] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="CONFIG.SYS") returned 1 [0104.816] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="RECYCLER") returned 1 [0104.816] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="BOOTSECT.BAK") returned 1 [0104.816] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="bootmgr") returned 1 [0104.816] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="programdata") returned 1 [0104.816] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="appdata") returned 1 [0104.816] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="program files") returned 1 [0104.816] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="program files (x86)") returned 1 [0104.816] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="microsoft") returned 1 [0104.816] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="sophos") returned 1 [0104.816] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268eab8 [0104.816] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea10 | out: hHeap=0x2680000) returned 1 [0104.816] PathFindExtensionW (pszPath="tV88 PXS8.ods") returned=".ods" [0104.816] lstrcmpiW (lpString1=".ods", lpString2=".exe") returned 1 [0104.816] lstrcmpiW (lpString1=".ods", lpString2=".log") returned 1 [0104.816] lstrcmpiW (lpString1=".ods", lpString2=".cab") returned 1 [0104.816] lstrcmpiW (lpString1=".ods", lpString2=".cmd") returned 1 [0104.816] lstrcmpiW (lpString1=".ods", lpString2=".com") returned 1 [0104.816] lstrcmpiW (lpString1=".ods", lpString2=".cpl") returned 1 [0104.816] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0104.816] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0104.816] lstrcmpiW (lpString1=".ods", lpString2=".url") returned -1 [0104.816] lstrcmpiW (lpString1=".ods", lpString2=".ttf") returned -1 [0104.816] lstrcmpiW (lpString1=".ods", lpString2=".mp3") returned 1 [0104.877] lstrcmpiW (lpString1=".ods", lpString2=".pif") returned -1 [0104.877] lstrcmpiW (lpString1=".ods", lpString2=".mp4") returned 1 [0104.877] lstrcmpiW (lpString1=".ods", lpString2=".NEFILIM") returned 1 [0104.877] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0104.877] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0104.877] lstrcmpiW (lpString1="tV88 PXS8.ods", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0104.877] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ea10 [0104.877] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\tV88 PXS8.ods" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\tv88 pxs8.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0104.877] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x25be198 | out: lpFileSize=0x25be198*=89239) returned 1 [0104.878] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.878] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.878] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.878] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.878] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0104.878] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0104.878] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be158*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be158*=0x100) returned 1 [0104.878] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25be154*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25be154*=0x100) returned 1 [0104.878] GetTickCount () returned 0x115b5cf [0104.878] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0104.878] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0104.878] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x15c97, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.878] SetLastError (dwErrCode=0x0) [0104.878] WriteFile (in: hFile=0x278, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.880] GetLastError () returned 0x0 [0104.880] GetLastError () returned 0x0 [0104.880] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x15d97, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.880] WriteFile (in: hFile=0x278, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.880] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x15e97, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.880] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be16c | out: lpSystemTimeAsFileTime=0x25be16c*(dwLowDateTime=0x39821581, dwHighDateTime=0x1d5f971)) [0104.880] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0104.880] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0104.880] WriteFile (in: hFile=0x278, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be1b0*=0x7, lpOverlapped=0x0) returned 1 [0104.880] GetProcessHeap () returned 0xbc0000 [0104.880] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x15c97) returned 0xbf4648 [0104.880] GetSystemDefaultLangID () returned 0xbd0409 [0104.880] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.880] ReadFile (in: hFile=0x278, lpBuffer=0xbf4648, nNumberOfBytesToRead=0x15c97, lpNumberOfBytesRead=0x25be1bc, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesRead=0x25be1bc*=0x15c97, lpOverlapped=0x0) returned 1 [0104.885] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.885] WriteFile (in: hFile=0x278, lpBuffer=0xbf4648*, nNumberOfBytesToWrite=0x15c97, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesWritten=0x25be1b0*=0x15c97, lpOverlapped=0x0) returned 1 [0104.885] GetProcessHeap () returned 0xbc0000 [0104.885] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf4648 | out: hHeap=0xbc0000) returned 1 [0104.885] CloseHandle (hObject=0x278) returned 1 [0104.885] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0104.885] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0104.885] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.885] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.885] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268eb60 [0104.885] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\tV88 PXS8.ods" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\tv88 pxs8.ods"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\tV88 PXS8.ods.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\tv88 pxs8.ods.nefilim")) returned 1 [0104.886] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eb60 | out: hHeap=0x2680000) returned 1 [0104.886] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea10 | out: hHeap=0x2680000) returned 1 [0104.886] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xac8f1f90, ftCreationTime.dwHighDateTime=0x1d5e45d, ftLastAccessTime.dwLowDateTime=0x7bc34290, ftLastAccessTime.dwHighDateTime=0x1d5eef5, ftLastWriteTime.dwLowDateTime=0x7bc34290, ftLastWriteTime.dwHighDateTime=0x1d5eef5, nFileSizeHigh=0x0, nFileSizeLow=0x18f3f, dwReserved0=0x268e998, dwReserved1=0x0, cFileName="UtUiEQOfn_Afd7Kz.pptx", cAlternateFileName="UTUIEQ~1.PPT")) returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2=".") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="..") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="...") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="windows") returned -1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="$RECYCLE.BIN") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="rsa") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="NTDETECT.COM") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="ntldr") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="MSDOS.SYS") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="IO.SYS") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="boot.ini") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="ntuser.dat") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="desktop.ini") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="CONFIG.SYS") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="RECYCLER") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="BOOTSECT.BAK") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="bootmgr") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="programdata") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="appdata") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="program files") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="program files (x86)") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="microsoft") returned 1 [0104.886] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="sophos") returned 1 [0104.886] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268eb60 [0104.887] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eab8 | out: hHeap=0x2680000) returned 1 [0104.887] PathFindExtensionW (pszPath="UtUiEQOfn_Afd7Kz.pptx") returned=".pptx" [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0104.887] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0104.887] lstrcmpiW (lpString1="UtUiEQOfn_Afd7Kz.pptx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0104.887] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268ea10 [0104.887] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\UtUiEQOfn_Afd7Kz.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\utuieqofn_afd7kz.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0104.887] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x25be198 | out: lpFileSize=0x25be198*=102207) returned 1 [0104.887] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0104.887] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.887] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0104.887] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.887] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0104.887] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0104.887] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be158*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be158*=0x100) returned 1 [0104.888] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be154*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be154*=0x100) returned 1 [0104.890] GetTickCount () returned 0x115b5df [0104.890] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0104.890] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0104.890] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x18f3f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.890] SetLastError (dwErrCode=0x0) [0104.890] WriteFile (in: hFile=0x278, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.891] GetLastError () returned 0x0 [0104.891] GetLastError () returned 0x0 [0104.891] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x1903f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.891] WriteFile (in: hFile=0x278, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.891] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x1913f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.891] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be16c | out: lpSystemTimeAsFileTime=0x25be16c*(dwLowDateTime=0x39821581, dwHighDateTime=0x1d5f971)) [0104.891] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0104.891] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0104.891] WriteFile (in: hFile=0x278, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be1b0*=0x7, lpOverlapped=0x0) returned 1 [0104.891] GetProcessHeap () returned 0xbc0000 [0104.891] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x18f3f) returned 0xbf4648 [0104.892] GetSystemDefaultLangID () returned 0xbd0409 [0104.892] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.892] ReadFile (in: hFile=0x278, lpBuffer=0xbf4648, nNumberOfBytesToRead=0x18f3f, lpNumberOfBytesRead=0x25be1bc, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesRead=0x25be1bc*=0x18f3f, lpOverlapped=0x0) returned 1 [0104.900] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.900] WriteFile (in: hFile=0x278, lpBuffer=0xbf4648*, nNumberOfBytesToWrite=0x18f3f, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesWritten=0x25be1b0*=0x18f3f, lpOverlapped=0x0) returned 1 [0104.901] GetProcessHeap () returned 0xbc0000 [0104.901] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf4648 | out: hHeap=0xbc0000) returned 1 [0104.901] CloseHandle (hObject=0x278) returned 1 [0104.901] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0104.901] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0104.901] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0104.901] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.901] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268ec18 [0104.901] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\UtUiEQOfn_Afd7Kz.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\utuieqofn_afd7kz.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\UtUiEQOfn_Afd7Kz.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\utuieqofn_afd7kz.pptx.nefilim")) returned 1 [0104.902] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec18 | out: hHeap=0x2680000) returned 1 [0104.902] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea10 | out: hHeap=0x2680000) returned 1 [0104.902] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeab1d920, ftCreationTime.dwHighDateTime=0x1d5eb51, ftLastAccessTime.dwLowDateTime=0x76ebd260, ftLastAccessTime.dwHighDateTime=0x1d5e87d, ftLastWriteTime.dwLowDateTime=0x76ebd260, ftLastWriteTime.dwHighDateTime=0x1d5e87d, nFileSizeHigh=0x0, nFileSizeLow=0x131b2, dwReserved0=0x268e998, dwReserved1=0x0, cFileName="W6eT_Mr0wS1W9.docx", cAlternateFileName="W6ET_M~1.DOC")) returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2=".") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="..") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="...") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="windows") returned -1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="$RECYCLE.BIN") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="rsa") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="NTDETECT.COM") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="ntldr") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="MSDOS.SYS") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="IO.SYS") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="boot.ini") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="AUTOEXEC.BAT") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="ntuser.dat") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="desktop.ini") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="CONFIG.SYS") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="RECYCLER") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="BOOTSECT.BAK") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="bootmgr") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="programdata") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="appdata") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="program files") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="program files (x86)") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="microsoft") returned 1 [0104.902] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="sophos") returned 1 [0104.902] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ea10 [0104.902] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eb60 | out: hHeap=0x2680000) returned 1 [0104.903] PathFindExtensionW (pszPath="W6eT_Mr0wS1W9.docx") returned=".docx" [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0104.903] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0104.903] lstrcmpiW (lpString1="W6eT_Mr0wS1W9.docx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0104.903] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268eab8 [0104.903] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\W6eT_Mr0wS1W9.docx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\w6et_mr0ws1w9.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0104.903] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x25be198 | out: lpFileSize=0x25be198*=78258) returned 1 [0104.903] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.903] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0104.903] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.903] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0104.903] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0104.903] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0104.903] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be158*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be158*=0x100) returned 1 [0104.904] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be154*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be154*=0x100) returned 1 [0104.905] GetTickCount () returned 0x115b5ee [0104.905] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0104.905] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0104.905] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x131b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.905] SetLastError (dwErrCode=0x0) [0104.905] WriteFile (in: hFile=0x278, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.906] GetLastError () returned 0x0 [0104.906] GetLastError () returned 0x0 [0104.906] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x132b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.906] WriteFile (in: hFile=0x278, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0104.906] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x133b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.906] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be16c | out: lpSystemTimeAsFileTime=0x25be16c*(dwLowDateTime=0x39847941, dwHighDateTime=0x1d5f971)) [0104.906] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0104.907] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0104.907] WriteFile (in: hFile=0x278, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be1b0*=0x7, lpOverlapped=0x0) returned 1 [0104.907] GetProcessHeap () returned 0xbc0000 [0104.907] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x131b2) returned 0xbf4648 [0104.907] GetSystemDefaultLangID () returned 0xbd0409 [0104.907] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.907] ReadFile (in: hFile=0x278, lpBuffer=0xbf4648, nNumberOfBytesToRead=0x131b2, lpNumberOfBytesRead=0x25be1bc, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesRead=0x25be1bc*=0x131b2, lpOverlapped=0x0) returned 1 [0104.911] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.911] WriteFile (in: hFile=0x278, lpBuffer=0xbf4648*, nNumberOfBytesToWrite=0x131b2, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesWritten=0x25be1b0*=0x131b2, lpOverlapped=0x0) returned 1 [0104.911] GetProcessHeap () returned 0xbc0000 [0104.911] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf4648 | out: hHeap=0xbc0000) returned 1 [0104.912] CloseHandle (hObject=0x278) returned 1 [0104.912] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0104.912] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0104.912] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.912] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0104.912] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268eb60 [0104.912] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\W6eT_Mr0wS1W9.docx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\w6et_mr0ws1w9.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\a5BsW-V\\W6eT_Mr0wS1W9.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\a5bsw-v\\w6et_mr0ws1w9.docx.nefilim")) returned 1 [0104.912] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eb60 | out: hHeap=0x2680000) returned 1 [0104.912] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eab8 | out: hHeap=0x2680000) returned 1 [0104.912] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeab1d920, ftCreationTime.dwHighDateTime=0x1d5eb51, ftLastAccessTime.dwLowDateTime=0x76ebd260, ftLastAccessTime.dwHighDateTime=0x1d5e87d, ftLastWriteTime.dwLowDateTime=0x76ebd260, ftLastWriteTime.dwHighDateTime=0x1d5e87d, nFileSizeHigh=0x0, nFileSizeLow=0x131b2, dwReserved0=0x268e998, dwReserved1=0x0, cFileName="W6eT_Mr0wS1W9.docx", cAlternateFileName="W6ET_M~1.DOC")) returned 0 [0104.912] FindClose (in: hFindFile=0xbe2648 | out: hFindFile=0xbe2648) returned 1 [0104.912] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea10 | out: hHeap=0x2680000) returned 1 [0104.912] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e988 | out: hHeap=0x2680000) returned 1 [0104.912] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e900 | out: hHeap=0x2680000) returned 1 [0104.912] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7f60e70, ftCreationTime.dwHighDateTime=0x1d5e2e2, ftLastAccessTime.dwLowDateTime=0xa400ba30, ftLastAccessTime.dwHighDateTime=0x1d5e1bc, ftLastWriteTime.dwLowDateTime=0xa400ba30, ftLastWriteTime.dwHighDateTime=0x1d5e1bc, nFileSizeHigh=0x0, nFileSizeLow=0x17d10, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="crzAH5grLs86thCh.pps", cAlternateFileName="CRZAH5~1.PPS")) returned 1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2=".") returned 1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="..") returned 1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="...") returned 1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="windows") returned -1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="$RECYCLE.BIN") returned 1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="rsa") returned -1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="NTDETECT.COM") returned -1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="ntldr") returned -1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="MSDOS.SYS") returned -1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="IO.SYS") returned -1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="boot.ini") returned 1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="AUTOEXEC.BAT") returned 1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="ntuser.dat") returned -1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="desktop.ini") returned -1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="CONFIG.SYS") returned 1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="RECYCLER") returned -1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="BOOTSECT.BAK") returned 1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="bootmgr") returned 1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="programdata") returned -1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="appdata") returned 1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="program files") returned -1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="program files (x86)") returned -1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="microsoft") returned -1 [0104.913] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="sophos") returned -1 [0104.913] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e900 [0104.913] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e878 | out: hHeap=0x2680000) returned 1 [0104.913] PathFindExtensionW (pszPath="crzAH5grLs86thCh.pps") returned=".pps" [0104.913] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0104.913] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0104.913] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0104.913] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0104.913] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0104.913] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0104.913] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0104.913] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0104.913] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0104.913] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0104.914] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0104.914] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0104.914] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0104.914] lstrcmpiW (lpString1=".pps", lpString2=".NEFILIM") returned 1 [0104.914] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0104.914] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0104.914] lstrcmpiW (lpString1="crzAH5grLs86thCh.pps", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.914] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e9a8 [0104.914] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\crzAH5grLs86thCh.pps" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\crzah5grls86thch.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0104.914] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=97552) returned 1 [0104.914] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0104.914] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.914] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0104.914] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.914] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0104.914] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0104.914] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be478*=0x100) returned 1 [0104.915] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be474*=0x100) returned 1 [0104.916] GetTickCount () returned 0x115b5fe [0104.916] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0104.916] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0104.916] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x17d10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.916] SetLastError (dwErrCode=0x0) [0104.916] WriteFile (in: hFile=0x274, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0104.917] GetLastError () returned 0x0 [0104.917] GetLastError () returned 0x0 [0104.917] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x17e10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.917] WriteFile (in: hFile=0x274, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0104.917] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x17f10, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.917] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3986daa8, dwHighDateTime=0x1d5f971)) [0104.917] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0104.917] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0104.917] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0104.917] GetProcessHeap () returned 0xbc0000 [0104.917] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x17d10) returned 0xbf3640 [0104.917] GetSystemDefaultLangID () returned 0xbd0409 [0104.917] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.917] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x17d10, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x17d10, lpOverlapped=0x0) returned 1 [0104.923] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.923] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x17d10, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x17d10, lpOverlapped=0x0) returned 1 [0104.923] GetProcessHeap () returned 0xbc0000 [0104.923] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0104.923] CloseHandle (hObject=0x274) returned 1 [0104.923] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0104.923] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0104.923] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0104.924] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.924] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268ea50 [0104.924] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\crzAH5grLs86thCh.pps" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\crzah5grls86thch.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\crzAH5grLs86thCh.pps.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\crzah5grls86thch.pps.nefilim")) returned 1 [0104.924] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea50 | out: hHeap=0x2680000) returned 1 [0104.924] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9a8 | out: hHeap=0x2680000) returned 1 [0104.924] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8eab93b0, ftCreationTime.dwHighDateTime=0x1d5e740, ftLastAccessTime.dwLowDateTime=0x35198c70, ftLastAccessTime.dwHighDateTime=0x1d5ee0d, ftLastWriteTime.dwLowDateTime=0x35198c70, ftLastWriteTime.dwHighDateTime=0x1d5ee0d, nFileSizeHigh=0x0, nFileSizeLow=0x6d27, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="gFwPr.docx", cAlternateFileName="GFWPR~1.DOC")) returned 1 [0104.924] lstrcmpiW (lpString1="gFwPr.docx", lpString2=".") returned 1 [0104.924] lstrcmpiW (lpString1="gFwPr.docx", lpString2="..") returned 1 [0104.924] lstrcmpiW (lpString1="gFwPr.docx", lpString2="...") returned 1 [0104.924] lstrcmpiW (lpString1="gFwPr.docx", lpString2="windows") returned -1 [0104.924] lstrcmpiW (lpString1="gFwPr.docx", lpString2="$RECYCLE.BIN") returned 1 [0104.924] lstrcmpiW (lpString1="gFwPr.docx", lpString2="rsa") returned -1 [0104.924] lstrcmpiW (lpString1="gFwPr.docx", lpString2="NTDETECT.COM") returned -1 [0104.924] lstrcmpiW (lpString1="gFwPr.docx", lpString2="ntldr") returned -1 [0104.924] lstrcmpiW (lpString1="gFwPr.docx", lpString2="MSDOS.SYS") returned -1 [0104.924] lstrcmpiW (lpString1="gFwPr.docx", lpString2="IO.SYS") returned -1 [0104.924] lstrcmpiW (lpString1="gFwPr.docx", lpString2="boot.ini") returned 1 [0104.924] lstrcmpiW (lpString1="gFwPr.docx", lpString2="AUTOEXEC.BAT") returned 1 [0104.924] lstrcmpiW (lpString1="gFwPr.docx", lpString2="ntuser.dat") returned -1 [0104.924] lstrcmpiW (lpString1="gFwPr.docx", lpString2="desktop.ini") returned 1 [0104.925] lstrcmpiW (lpString1="gFwPr.docx", lpString2="CONFIG.SYS") returned 1 [0104.925] lstrcmpiW (lpString1="gFwPr.docx", lpString2="RECYCLER") returned -1 [0104.925] lstrcmpiW (lpString1="gFwPr.docx", lpString2="BOOTSECT.BAK") returned 1 [0104.925] lstrcmpiW (lpString1="gFwPr.docx", lpString2="bootmgr") returned 1 [0104.925] lstrcmpiW (lpString1="gFwPr.docx", lpString2="programdata") returned -1 [0104.925] lstrcmpiW (lpString1="gFwPr.docx", lpString2="appdata") returned 1 [0104.925] lstrcmpiW (lpString1="gFwPr.docx", lpString2="program files") returned -1 [0104.925] lstrcmpiW (lpString1="gFwPr.docx", lpString2="program files (x86)") returned -1 [0104.925] lstrcmpiW (lpString1="gFwPr.docx", lpString2="microsoft") returned -1 [0104.925] lstrcmpiW (lpString1="gFwPr.docx", lpString2="sophos") returned -1 [0104.925] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e878 [0104.925] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e900 | out: hHeap=0x2680000) returned 1 [0104.925] PathFindExtensionW (pszPath="gFwPr.docx") returned=".docx" [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0104.925] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0104.925] lstrcmpiW (lpString1="gFwPr.docx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.925] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e900 [0104.925] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\gFwPr.docx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\gfwpr.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0104.926] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=27943) returned 1 [0104.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0104.926] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.926] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0104.978] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0104.978] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0104.978] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be478*=0x100) returned 1 [0104.978] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be474*=0x100) returned 1 [0104.978] GetTickCount () returned 0x115b63d [0104.978] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0104.978] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0104.978] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6d27, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.978] SetLastError (dwErrCode=0x0) [0104.978] WriteFile (in: hFile=0x274, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0104.979] GetLastError () returned 0x0 [0104.979] GetLastError () returned 0x0 [0104.979] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6e27, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.979] WriteFile (in: hFile=0x274, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0104.979] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6f27, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.979] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3990639a, dwHighDateTime=0x1d5f971)) [0104.979] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0104.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0104.979] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0104.980] GetProcessHeap () returned 0xbc0000 [0104.980] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x6d27) returned 0xbf3640 [0104.980] GetSystemDefaultLangID () returned 0xbd0409 [0104.980] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.980] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x6d27, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x6d27, lpOverlapped=0x0) returned 1 [0104.981] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.981] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x6d27, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x6d27, lpOverlapped=0x0) returned 1 [0104.981] GetProcessHeap () returned 0xbc0000 [0104.981] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0104.982] CloseHandle (hObject=0x274) returned 1 [0104.982] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0104.982] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0104.982] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.982] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0104.982] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e988 [0104.982] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\gFwPr.docx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\gfwpr.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\gFwPr.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\gfwpr.docx.nefilim")) returned 1 [0104.983] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e988 | out: hHeap=0x2680000) returned 1 [0104.983] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e900 | out: hHeap=0x2680000) returned 1 [0104.983] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4669dfb0, ftCreationTime.dwHighDateTime=0x1d5ea4e, ftLastAccessTime.dwLowDateTime=0x17984dd0, ftLastAccessTime.dwHighDateTime=0x1d5e6c9, ftLastWriteTime.dwLowDateTime=0x17984dd0, ftLastWriteTime.dwHighDateTime=0x1d5e6c9, nFileSizeHigh=0x0, nFileSizeLow=0x79eb, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="HifKtY4vMx7jh.rtf", cAlternateFileName="HIFKTY~1.RTF")) returned 1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2=".") returned 1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="..") returned 1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="...") returned 1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="windows") returned -1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="$RECYCLE.BIN") returned 1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="rsa") returned -1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="NTDETECT.COM") returned -1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="ntldr") returned -1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="MSDOS.SYS") returned -1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="IO.SYS") returned -1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="boot.ini") returned 1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="ntuser.dat") returned -1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="desktop.ini") returned 1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="CONFIG.SYS") returned 1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="RECYCLER") returned -1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="BOOTSECT.BAK") returned 1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="bootmgr") returned 1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="programdata") returned -1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="appdata") returned 1 [0104.983] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="program files") returned -1 [0104.984] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="program files (x86)") returned -1 [0104.984] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="microsoft") returned -1 [0104.984] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="sophos") returned -1 [0104.984] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e900 [0104.984] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e878 | out: hHeap=0x2680000) returned 1 [0104.984] PathFindExtensionW (pszPath="HifKtY4vMx7jh.rtf") returned=".rtf" [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0104.984] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0104.984] lstrcmpiW (lpString1="HifKtY4vMx7jh.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0104.984] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e998 [0104.984] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\HifKtY4vMx7jh.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\hifkty4vmx7jh.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0104.984] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=31211) returned 1 [0104.984] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0104.984] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.984] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0104.985] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.985] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0104.985] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0104.985] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be478*=0x100) returned 1 [0104.985] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be474*=0x100) returned 1 [0104.986] GetTickCount () returned 0x115b63d [0104.986] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0104.986] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0104.986] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x79eb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.986] SetLastError (dwErrCode=0x0) [0104.986] WriteFile (in: hFile=0x274, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0104.987] GetLastError () returned 0x0 [0104.987] GetLastError () returned 0x0 [0104.987] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7aeb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.987] WriteFile (in: hFile=0x274, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0104.987] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7beb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.987] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3990639a, dwHighDateTime=0x1d5f971)) [0104.987] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0104.987] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0104.987] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0104.987] GetProcessHeap () returned 0xbc0000 [0104.987] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x79eb) returned 0xbf3640 [0104.987] GetSystemDefaultLangID () returned 0xbd0409 [0104.987] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.987] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x79eb, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x79eb, lpOverlapped=0x0) returned 1 [0104.989] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.989] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x79eb, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x79eb, lpOverlapped=0x0) returned 1 [0104.989] GetProcessHeap () returned 0xbc0000 [0104.989] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0104.989] CloseHandle (hObject=0x274) returned 1 [0104.989] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0104.989] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0104.989] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0104.989] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0104.989] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ea30 [0104.990] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\HifKtY4vMx7jh.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\hifkty4vmx7jh.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\HifKtY4vMx7jh.rtf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\hifkty4vmx7jh.rtf.nefilim")) returned 1 [0104.990] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea30 | out: hHeap=0x2680000) returned 1 [0104.990] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e998 | out: hHeap=0x2680000) returned 1 [0104.990] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1b345fe0, ftCreationTime.dwHighDateTime=0x1d5ec25, ftLastAccessTime.dwLowDateTime=0xd9bc56b0, ftLastAccessTime.dwHighDateTime=0x1d5e997, ftLastWriteTime.dwLowDateTime=0xd9bc56b0, ftLastWriteTime.dwHighDateTime=0x1d5e997, nFileSizeHigh=0x0, nFileSizeLow=0x16317, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="nPY2-4sQ16eObH9gXrO.xls", cAlternateFileName="NPY2-4~1.XLS")) returned 1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2=".") returned 1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="..") returned 1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="...") returned 1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="windows") returned -1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="$RECYCLE.BIN") returned 1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="rsa") returned -1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="NTDETECT.COM") returned -1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="ntldr") returned -1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="MSDOS.SYS") returned 1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="IO.SYS") returned 1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="boot.ini") returned 1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="AUTOEXEC.BAT") returned 1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="ntuser.dat") returned -1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="desktop.ini") returned 1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="CONFIG.SYS") returned 1 [0104.990] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="RECYCLER") returned -1 [0104.991] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="BOOTSECT.BAK") returned 1 [0104.991] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="bootmgr") returned 1 [0104.991] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="programdata") returned -1 [0104.991] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="appdata") returned 1 [0104.991] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="program files") returned -1 [0104.991] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="program files (x86)") returned -1 [0104.991] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="microsoft") returned 1 [0104.991] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="sophos") returned -1 [0104.991] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e998 [0104.991] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e900 | out: hHeap=0x2680000) returned 1 [0104.991] PathFindExtensionW (pszPath="nPY2-4sQ16eObH9gXrO.xls") returned=".xls" [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".NEFILIM") returned 1 [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0104.991] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0104.991] lstrcmpiW (lpString1="nPY2-4sQ16eObH9gXrO.xls", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0104.991] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e878 [0104.991] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\nPY2-4sQ16eObH9gXrO.xls" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\npy2-4sq16eobh9gxro.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0104.992] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=90903) returned 1 [0104.992] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0104.992] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0104.992] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0104.992] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0104.992] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0104.992] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0104.992] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be478*=0x100) returned 1 [0104.992] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be474*=0x100) returned 1 [0104.993] GetTickCount () returned 0x115b64c [0104.993] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0104.993] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0104.993] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16317, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.993] SetLastError (dwErrCode=0x0) [0104.993] WriteFile (in: hFile=0x274, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0104.994] GetLastError () returned 0x0 [0104.994] GetLastError () returned 0x0 [0104.994] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16417, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.994] WriteFile (in: hFile=0x274, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0104.994] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x16517, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.994] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3992c648, dwHighDateTime=0x1d5f971)) [0104.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0104.994] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0104.994] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0104.994] GetProcessHeap () returned 0xbc0000 [0104.994] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x16317) returned 0xbf3640 [0104.994] GetSystemDefaultLangID () returned 0xbd0409 [0104.994] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0104.994] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x16317, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x16317, lpOverlapped=0x0) returned 1 [0105.000] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.000] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x16317, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x16317, lpOverlapped=0x0) returned 1 [0105.001] GetProcessHeap () returned 0xbc0000 [0105.001] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.001] CloseHandle (hObject=0x274) returned 1 [0105.001] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0105.001] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0105.001] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0f0 | out: hHeap=0x2680000) returned 1 [0105.001] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.001] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268ea40 [0105.001] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\nPY2-4sQ16eObH9gXrO.xls" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\npy2-4sq16eobh9gxro.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\nPY2-4sQ16eObH9gXrO.xls.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\npy2-4sq16eobh9gxro.xls.nefilim")) returned 1 [0105.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea40 | out: hHeap=0x2680000) returned 1 [0105.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e878 | out: hHeap=0x2680000) returned 1 [0105.002] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33431af0, ftCreationTime.dwHighDateTime=0x1d5e49a, ftLastAccessTime.dwLowDateTime=0x46af4ef0, ftLastAccessTime.dwHighDateTime=0x1d5eef5, ftLastWriteTime.dwLowDateTime=0x46af4ef0, ftLastWriteTime.dwHighDateTime=0x1d5eef5, nFileSizeHigh=0x0, nFileSizeLow=0xe94b, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="ns7qNFld5OGW273.ods", cAlternateFileName="NS7QNF~1.ODS")) returned 1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2=".") returned 1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="..") returned 1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="...") returned 1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="windows") returned -1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="$RECYCLE.BIN") returned 1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="rsa") returned -1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="NTDETECT.COM") returned -1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="ntldr") returned -1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="MSDOS.SYS") returned 1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="IO.SYS") returned 1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="boot.ini") returned 1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="AUTOEXEC.BAT") returned 1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="ntuser.dat") returned -1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="desktop.ini") returned 1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="CONFIG.SYS") returned 1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="RECYCLER") returned -1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="BOOTSECT.BAK") returned 1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="bootmgr") returned 1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="programdata") returned -1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="appdata") returned 1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="program files") returned -1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="program files (x86)") returned -1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="microsoft") returned 1 [0105.002] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="sophos") returned -1 [0105.002] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e878 [0105.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e998 | out: hHeap=0x2680000) returned 1 [0105.003] PathFindExtensionW (pszPath="ns7qNFld5OGW273.ods") returned=".ods" [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".exe") returned 1 [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".log") returned 1 [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".cab") returned 1 [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".cmd") returned 1 [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".com") returned 1 [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".cpl") returned 1 [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".ini") returned 1 [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".dll") returned 1 [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".url") returned -1 [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".ttf") returned -1 [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".mp3") returned 1 [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".pif") returned -1 [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".mp4") returned 1 [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".NEFILIM") returned 1 [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".msi") returned 1 [0105.003] lstrcmpiW (lpString1=".ods", lpString2=".lnk") returned 1 [0105.003] lstrcmpiW (lpString1="ns7qNFld5OGW273.ods", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0105.003] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e920 [0105.003] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\ns7qNFld5OGW273.ods" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\ns7qnfld5ogw273.ods"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.003] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=59723) returned 1 [0105.003] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.003] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.003] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.003] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.003] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0105.003] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.003] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.005] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.006] GetTickCount () returned 0x115b65c [0105.006] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e618 [0105.006] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e618 | out: hHeap=0x2680000) returned 1 [0105.006] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe94b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.006] SetLastError (dwErrCode=0x0) [0105.006] WriteFile (in: hFile=0x274, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.006] GetLastError () returned 0x0 [0105.006] GetLastError () returned 0x0 [0105.006] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xea4b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.007] WriteFile (in: hFile=0x274, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.007] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xeb4b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.007] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3995286c, dwHighDateTime=0x1d5f971)) [0105.007] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0105.007] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0105.007] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.007] GetProcessHeap () returned 0xbc0000 [0105.007] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xe94b) returned 0xbf3640 [0105.007] GetSystemDefaultLangID () returned 0xbd0409 [0105.007] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.007] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0xe94b, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0xe94b, lpOverlapped=0x0) returned 1 [0105.010] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.010] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0xe94b, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0xe94b, lpOverlapped=0x0) returned 1 [0105.010] GetProcessHeap () returned 0xbc0000 [0105.011] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.011] CloseHandle (hObject=0x274) returned 1 [0105.011] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0105.011] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0105.011] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.011] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.011] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e9c8 [0105.011] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\ns7qNFld5OGW273.ods" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\ns7qnfld5ogw273.ods"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\ns7qNFld5OGW273.ods.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\ns7qnfld5ogw273.ods.nefilim")) returned 1 [0105.011] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9c8 | out: hHeap=0x2680000) returned 1 [0105.011] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e920 | out: hHeap=0x2680000) returned 1 [0105.011] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x27e3be50, ftCreationTime.dwHighDateTime=0x1d5e5f6, ftLastAccessTime.dwLowDateTime=0x934ba380, ftLastAccessTime.dwHighDateTime=0x1d5f116, ftLastWriteTime.dwLowDateTime=0x934ba380, ftLastWriteTime.dwHighDateTime=0x1d5f116, nFileSizeHigh=0x0, nFileSizeLow=0xf051, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="yoA_a0g9KJLKby8.ppt", cAlternateFileName="YOA_A0~1.PPT")) returned 1 [0105.011] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2=".") returned 1 [0105.011] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="..") returned 1 [0105.011] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="...") returned 1 [0105.011] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="windows") returned 1 [0105.011] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="$RECYCLE.BIN") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="rsa") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="NTDETECT.COM") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="ntldr") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="MSDOS.SYS") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="IO.SYS") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="boot.ini") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="AUTOEXEC.BAT") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="ntuser.dat") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="desktop.ini") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="CONFIG.SYS") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="RECYCLER") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="BOOTSECT.BAK") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="bootmgr") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="programdata") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="appdata") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="program files") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="program files (x86)") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="microsoft") returned 1 [0105.012] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="sophos") returned 1 [0105.012] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e920 [0105.012] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e878 | out: hHeap=0x2680000) returned 1 [0105.012] PathFindExtensionW (pszPath="yoA_a0g9KJLKby8.ppt") returned=".ppt" [0105.012] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0105.012] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0105.012] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0105.012] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0105.012] lstrcmpiW (lpString1=".ppt", lpString2=".com") returned 1 [0105.012] lstrcmpiW (lpString1=".ppt", lpString2=".cpl") returned 1 [0105.012] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0105.012] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0105.012] lstrcmpiW (lpString1=".ppt", lpString2=".url") returned -1 [0105.012] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0105.012] lstrcmpiW (lpString1=".ppt", lpString2=".mp3") returned 1 [0105.012] lstrcmpiW (lpString1=".ppt", lpString2=".pif") returned 1 [0105.012] lstrcmpiW (lpString1=".ppt", lpString2=".mp4") returned 1 [0105.012] lstrcmpiW (lpString1=".ppt", lpString2=".NEFILIM") returned 1 [0105.013] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0105.013] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0105.013] lstrcmpiW (lpString1="yoA_a0g9KJLKby8.ppt", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0105.013] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e878 [0105.013] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\yoA_a0g9KJLKby8.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\yoa_a0g9kjlkby8.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.013] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=61521) returned 1 [0105.013] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.013] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.013] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.013] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.013] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0105.013] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0105.013] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.013] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.013] GetTickCount () returned 0x115b65c [0105.013] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0105.014] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0105.014] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf051, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.014] SetLastError (dwErrCode=0x0) [0105.014] WriteFile (in: hFile=0x274, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.014] GetLastError () returned 0x0 [0105.014] GetLastError () returned 0x0 [0105.014] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf151, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.014] WriteFile (in: hFile=0x274, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.015] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf251, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.015] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3995286c, dwHighDateTime=0x1d5f971)) [0105.015] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0105.015] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0105.015] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.015] GetProcessHeap () returned 0xbc0000 [0105.015] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xf051) returned 0xbf3640 [0105.015] GetSystemDefaultLangID () returned 0xbd0409 [0105.015] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.015] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0xf051, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0xf051, lpOverlapped=0x0) returned 1 [0105.018] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.018] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0xf051, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0xf051, lpOverlapped=0x0) returned 1 [0105.018] GetProcessHeap () returned 0xbc0000 [0105.018] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.018] CloseHandle (hObject=0x274) returned 1 [0105.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0105.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0105.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.018] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e9c8 [0105.018] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\yoA_a0g9KJLKby8.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\yoa_a0g9kjlkby8.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\yoA_a0g9KJLKby8.ppt.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\yoa_a0g9kjlkby8.ppt.nefilim")) returned 1 [0105.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9c8 | out: hHeap=0x2680000) returned 1 [0105.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e878 | out: hHeap=0x2680000) returned 1 [0105.019] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcea80e30, ftCreationTime.dwHighDateTime=0x1d5e650, ftLastAccessTime.dwLowDateTime=0x9c2e53a0, ftLastAccessTime.dwHighDateTime=0x1d5e151, ftLastWriteTime.dwLowDateTime=0x9c2e53a0, ftLastWriteTime.dwHighDateTime=0x1d5e151, nFileSizeHigh=0x0, nFileSizeLow=0x13473, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="ZTV3hoTaOLFU_EKLZcR.ots", cAlternateFileName="ZTV3HO~1.OTS")) returned 1 [0105.019] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2=".") returned 1 [0105.019] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="..") returned 1 [0105.019] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="...") returned 1 [0105.019] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="windows") returned 1 [0105.019] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="$RECYCLE.BIN") returned 1 [0105.019] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="rsa") returned 1 [0105.019] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="NTDETECT.COM") returned 1 [0105.019] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="ntldr") returned 1 [0105.019] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="MSDOS.SYS") returned 1 [0105.019] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="IO.SYS") returned 1 [0105.019] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="boot.ini") returned 1 [0105.019] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="AUTOEXEC.BAT") returned 1 [0105.019] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="ntuser.dat") returned 1 [0105.019] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="desktop.ini") returned 1 [0105.068] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="CONFIG.SYS") returned 1 [0105.069] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="RECYCLER") returned 1 [0105.069] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="BOOTSECT.BAK") returned 1 [0105.069] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="bootmgr") returned 1 [0105.069] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="programdata") returned 1 [0105.069] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="appdata") returned 1 [0105.069] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="program files") returned 1 [0105.069] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="program files (x86)") returned 1 [0105.069] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="microsoft") returned 1 [0105.069] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="sophos") returned 1 [0105.069] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e878 [0105.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e920 | out: hHeap=0x2680000) returned 1 [0105.069] PathFindExtensionW (pszPath="ZTV3hoTaOLFU_EKLZcR.ots") returned=".ots" [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".exe") returned 1 [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".log") returned 1 [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".cab") returned 1 [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".cmd") returned 1 [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".com") returned 1 [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".cpl") returned 1 [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".ini") returned 1 [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".dll") returned 1 [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".url") returned -1 [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".ttf") returned -1 [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".mp3") returned 1 [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".pif") returned -1 [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".mp4") returned 1 [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".NEFILIM") returned 1 [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".msi") returned 1 [0105.069] lstrcmpiW (lpString1=".ots", lpString2=".lnk") returned 1 [0105.069] lstrcmpiW (lpString1="ZTV3hoTaOLFU_EKLZcR.ots", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0105.069] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e920 [0105.069] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\ZTV3hoTaOLFU_EKLZcR.ots" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\ztv3hotaolfu_eklzcr.ots"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.070] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=78963) returned 1 [0105.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0105.070] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.070] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0105.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0105.070] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.070] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.070] GetTickCount () returned 0x115b69a [0105.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0105.070] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0105.070] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x13473, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.071] SetLastError (dwErrCode=0x0) [0105.071] WriteFile (in: hFile=0x274, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.071] GetLastError () returned 0x0 [0105.071] GetLastError () returned 0x0 [0105.071] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x13573, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.072] WriteFile (in: hFile=0x274, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.072] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x13673, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.072] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x399eb1f3, dwHighDateTime=0x1d5f971)) [0105.072] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0105.072] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0105.072] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.072] GetProcessHeap () returned 0xbc0000 [0105.072] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x13473) returned 0xbf3640 [0105.072] GetSystemDefaultLangID () returned 0xbd0409 [0105.072] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.072] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x13473, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x13473, lpOverlapped=0x0) returned 1 [0105.076] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.076] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x13473, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x13473, lpOverlapped=0x0) returned 1 [0105.076] GetProcessHeap () returned 0xbc0000 [0105.076] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.076] CloseHandle (hObject=0x274) returned 1 [0105.076] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0105.076] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0105.076] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.076] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0105.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e9c8 [0105.077] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\ZTV3hoTaOLFU_EKLZcR.ots" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\ztv3hotaolfu_eklzcr.ots"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\ZTV3hoTaOLFU_EKLZcR.ots.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\ztv3hotaolfu_eklzcr.ots.nefilim")) returned 1 [0105.077] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9c8 | out: hHeap=0x2680000) returned 1 [0105.077] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e920 | out: hHeap=0x2680000) returned 1 [0105.077] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x751469f0, ftCreationTime.dwHighDateTime=0x1d5f036, ftLastAccessTime.dwLowDateTime=0x82625d50, ftLastAccessTime.dwHighDateTime=0x1d5ebff, ftLastWriteTime.dwLowDateTime=0x82625d50, ftLastWriteTime.dwHighDateTime=0x1d5ebff, nFileSizeHigh=0x0, nFileSizeLow=0x179f6, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="_iCHzVv.xls", cAlternateFileName="")) returned 1 [0105.077] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2=".") returned 1 [0105.077] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="..") returned 1 [0105.077] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="...") returned 1 [0105.077] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="windows") returned -1 [0105.077] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="$RECYCLE.BIN") returned 1 [0105.077] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="rsa") returned -1 [0105.077] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="NTDETECT.COM") returned -1 [0105.077] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="ntldr") returned -1 [0105.077] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="MSDOS.SYS") returned -1 [0105.077] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="IO.SYS") returned -1 [0105.078] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="boot.ini") returned -1 [0105.078] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="AUTOEXEC.BAT") returned -1 [0105.078] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="ntuser.dat") returned -1 [0105.078] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="desktop.ini") returned -1 [0105.078] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="CONFIG.SYS") returned -1 [0105.078] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="RECYCLER") returned -1 [0105.078] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="BOOTSECT.BAK") returned -1 [0105.078] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="bootmgr") returned -1 [0105.078] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="programdata") returned -1 [0105.078] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="appdata") returned -1 [0105.078] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="program files") returned -1 [0105.078] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="program files (x86)") returned -1 [0105.078] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="microsoft") returned -1 [0105.078] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="sophos") returned -1 [0105.078] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e920 [0105.078] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e878 | out: hHeap=0x2680000) returned 1 [0105.078] PathFindExtensionW (pszPath="_iCHzVv.xls") returned=".xls" [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".NEFILIM") returned 1 [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0105.078] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0105.078] lstrcmpiW (lpString1="_iCHzVv.xls", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.078] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e878 [0105.078] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\_iCHzVv.xls" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\_ichzvv.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.079] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=96758) returned 1 [0105.079] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.079] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0105.079] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.079] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0105.079] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0105.079] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.079] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.080] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.081] GetTickCount () returned 0x115b69a [0105.081] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0105.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0105.081] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x179f6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.081] SetLastError (dwErrCode=0x0) [0105.081] WriteFile (in: hFile=0x274, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.082] GetLastError () returned 0x0 [0105.082] GetLastError () returned 0x0 [0105.082] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x17af6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.082] WriteFile (in: hFile=0x274, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.082] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x17bf6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.082] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x39a11501, dwHighDateTime=0x1d5f971)) [0105.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0105.082] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0105.082] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.082] GetProcessHeap () returned 0xbc0000 [0105.082] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x179f6) returned 0xbf3640 [0105.083] GetSystemDefaultLangID () returned 0xbd0409 [0105.083] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.083] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x179f6, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x179f6, lpOverlapped=0x0) returned 1 [0105.088] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.088] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x179f6, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x179f6, lpOverlapped=0x0) returned 1 [0105.088] GetProcessHeap () returned 0xbc0000 [0105.088] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.089] CloseHandle (hObject=0x274) returned 1 [0105.089] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0105.089] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0105.089] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.089] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0105.089] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e9b8 [0105.089] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\_iCHzVv.xls" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\_ichzvv.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bEUcpp\\_iCHzVv.xls.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\beucpp\\_ichzvv.xls.nefilim")) returned 1 [0105.089] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9b8 | out: hHeap=0x2680000) returned 1 [0105.089] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e878 | out: hHeap=0x2680000) returned 1 [0105.089] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x751469f0, ftCreationTime.dwHighDateTime=0x1d5f036, ftLastAccessTime.dwLowDateTime=0x82625d50, ftLastAccessTime.dwHighDateTime=0x1d5ebff, ftLastWriteTime.dwLowDateTime=0x82625d50, ftLastWriteTime.dwHighDateTime=0x1d5ebff, nFileSizeHigh=0x0, nFileSizeLow=0x179f6, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="_iCHzVv.xls", cAlternateFileName="")) returned 0 [0105.089] FindClose (in: hFindFile=0xbe2608 | out: hFindFile=0xbe2608) returned 1 [0105.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e920 | out: hHeap=0x2680000) returned 1 [0105.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0105.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0105.090] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc56eb090, ftCreationTime.dwHighDateTime=0x1d5e514, ftLastAccessTime.dwLowDateTime=0xc2c8ec50, ftLastAccessTime.dwHighDateTime=0x1d5e782, ftLastWriteTime.dwLowDateTime=0xc2c8ec50, ftLastWriteTime.dwHighDateTime=0x1d5e782, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="bqYCjqML4mlsP", cAlternateFileName="BQYCJQ~1")) returned 1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2=".") returned 1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="..") returned 1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="...") returned 1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="windows") returned -1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="$RECYCLE.BIN") returned 1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="rsa") returned -1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="NTDETECT.COM") returned -1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="ntldr") returned -1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="MSDOS.SYS") returned -1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="IO.SYS") returned -1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="boot.ini") returned 1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="AUTOEXEC.BAT") returned 1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="ntuser.dat") returned -1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="desktop.ini") returned -1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="CONFIG.SYS") returned -1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="RECYCLER") returned -1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="BOOTSECT.BAK") returned 1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="bootmgr") returned 1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="programdata") returned -1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="appdata") returned 1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="program files") returned -1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="program files (x86)") returned -1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="microsoft") returned -1 [0105.090] lstrcmpiW (lpString1="bqYCjqML4mlsP", lpString2="sophos") returned -1 [0105.090] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0105.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0105.090] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0105.090] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be18 [0105.090] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e888 [0105.090] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc56eb090, ftCreationTime.dwHighDateTime=0x1d5e514, ftLastAccessTime.dwLowDateTime=0xc2c8ec50, ftLastAccessTime.dwHighDateTime=0x1d5e782, ftLastWriteTime.dwLowDateTime=0xc2c8ec50, ftLastWriteTime.dwHighDateTime=0x1d5e782, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName=".", cAlternateFileName="")) returned 0xbe2888 [0105.091] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.091] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc56eb090, ftCreationTime.dwHighDateTime=0x1d5e514, ftLastAccessTime.dwLowDateTime=0xc2c8ec50, ftLastAccessTime.dwHighDateTime=0x1d5e782, ftLastWriteTime.dwLowDateTime=0xc2c8ec50, ftLastWriteTime.dwHighDateTime=0x1d5e782, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="..", cAlternateFileName="")) returned 1 [0105.091] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.091] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.091] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce7e6290, ftCreationTime.dwHighDateTime=0x1d5e873, ftLastAccessTime.dwLowDateTime=0x9480a20, ftLastAccessTime.dwHighDateTime=0x1d5f0e9, ftLastWriteTime.dwLowDateTime=0x9480a20, ftLastWriteTime.dwHighDateTime=0x1d5f0e9, nFileSizeHigh=0x0, nFileSizeLow=0x28d0, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="4 1y4NOB_3rRM9i.csv", cAlternateFileName="41Y4NO~1.CSV")) returned 1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2=".") returned 1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="..") returned 1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="...") returned 1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="windows") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="$RECYCLE.BIN") returned 1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="rsa") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="NTDETECT.COM") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="ntldr") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="MSDOS.SYS") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="IO.SYS") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="boot.ini") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="AUTOEXEC.BAT") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="ntuser.dat") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="desktop.ini") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="CONFIG.SYS") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="RECYCLER") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="BOOTSECT.BAK") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="bootmgr") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="programdata") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="appdata") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="program files") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="program files (x86)") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="microsoft") returned -1 [0105.091] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="sophos") returned -1 [0105.091] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e910 [0105.091] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e888 | out: hHeap=0x2680000) returned 1 [0105.092] PathFindExtensionW (pszPath="4 1y4NOB_3rRM9i.csv") returned=".csv" [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".NEFILIM") returned -1 [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0105.092] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0105.092] lstrcmpiW (lpString1="4 1y4NOB_3rRM9i.csv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e9b8 [0105.092] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\4 1y4NOB_3rRM9i.csv" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\4 1y4nob_3rrm9i.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.092] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=10448) returned 1 [0105.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0105.092] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.092] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0105.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ee0 [0105.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0105.092] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ee0*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ee0*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.093] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.093] GetTickCount () returned 0x115b6aa [0105.093] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e618 [0105.093] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e618 | out: hHeap=0x2680000) returned 1 [0105.093] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x28d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.093] SetLastError (dwErrCode=0x0) [0105.093] WriteFile (in: hFile=0x274, lpBuffer=0x29d0ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ee0*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.094] GetLastError () returned 0x0 [0105.094] GetLastError () returned 0x0 [0105.094] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x29d0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.094] WriteFile (in: hFile=0x274, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.094] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2ad0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.094] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x39a11501, dwHighDateTime=0x1d5f971)) [0105.094] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.094] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.094] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.094] GetProcessHeap () returned 0xbc0000 [0105.094] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x28d0) returned 0xbf3640 [0105.094] GetSystemDefaultLangID () returned 0xbd0409 [0105.094] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.094] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x28d0, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x28d0, lpOverlapped=0x0) returned 1 [0105.095] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.095] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x28d0, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x28d0, lpOverlapped=0x0) returned 1 [0105.095] GetProcessHeap () returned 0xbc0000 [0105.095] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.095] CloseHandle (hObject=0x274) returned 1 [0105.095] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ee0 | out: hHeap=0x2680000) returned 1 [0105.095] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0105.095] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.095] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0105.095] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268ea60 [0105.095] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\4 1y4NOB_3rRM9i.csv" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\4 1y4nob_3rrm9i.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\4 1y4NOB_3rRM9i.csv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\4 1y4nob_3rrm9i.csv.nefilim")) returned 1 [0105.096] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea60 | out: hHeap=0x2680000) returned 1 [0105.096] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9b8 | out: hHeap=0x2680000) returned 1 [0105.096] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81c2d820, ftCreationTime.dwHighDateTime=0x1d5f014, ftLastAccessTime.dwLowDateTime=0x499626e0, ftLastAccessTime.dwHighDateTime=0x1d5e881, ftLastWriteTime.dwLowDateTime=0x499626e0, ftLastWriteTime.dwHighDateTime=0x1d5e881, nFileSizeHigh=0x0, nFileSizeLow=0x1610b, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="5Ykpxv7sy0VdB.pptx", cAlternateFileName="5YKPXV~1.PPT")) returned 1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2=".") returned 1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="..") returned 1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="...") returned 1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="windows") returned -1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="$RECYCLE.BIN") returned 1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="rsa") returned -1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="NTDETECT.COM") returned -1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="ntldr") returned -1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="MSDOS.SYS") returned -1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="IO.SYS") returned -1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="boot.ini") returned -1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="AUTOEXEC.BAT") returned -1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="ntuser.dat") returned -1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="desktop.ini") returned -1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="CONFIG.SYS") returned -1 [0105.096] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="RECYCLER") returned -1 [0105.097] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="BOOTSECT.BAK") returned -1 [0105.097] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="bootmgr") returned -1 [0105.097] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="programdata") returned -1 [0105.097] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="appdata") returned -1 [0105.097] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="program files") returned -1 [0105.097] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="program files (x86)") returned -1 [0105.097] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="microsoft") returned -1 [0105.097] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="sophos") returned -1 [0105.097] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e9b8 [0105.097] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e910 | out: hHeap=0x2680000) returned 1 [0105.097] PathFindExtensionW (pszPath="5Ykpxv7sy0VdB.pptx") returned=".pptx" [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0105.097] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0105.097] lstrcmpiW (lpString1="5Ykpxv7sy0VdB.pptx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.097] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e888 [0105.097] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\5Ykpxv7sy0VdB.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\5ykpxv7sy0vdb.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.097] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=90379) returned 1 [0105.098] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.098] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.098] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.098] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.098] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.098] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0105.098] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.098] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.098] GetTickCount () returned 0x115b6ba [0105.098] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0105.098] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0105.098] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1610b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.098] SetLastError (dwErrCode=0x0) [0105.098] WriteFile (in: hFile=0x274, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.099] GetLastError () returned 0x0 [0105.099] GetLastError () returned 0x0 [0105.099] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1620b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.099] WriteFile (in: hFile=0x274, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.099] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1630b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.099] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x39a37759, dwHighDateTime=0x1d5f971)) [0105.099] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.100] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.100] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.100] GetProcessHeap () returned 0xbc0000 [0105.100] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1610b) returned 0xbf3640 [0105.100] GetSystemDefaultLangID () returned 0xbd0409 [0105.100] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.100] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x1610b, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x1610b, lpOverlapped=0x0) returned 1 [0105.104] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.104] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x1610b, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x1610b, lpOverlapped=0x0) returned 1 [0105.105] GetProcessHeap () returned 0xbc0000 [0105.105] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.105] CloseHandle (hObject=0x274) returned 1 [0105.105] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0105.105] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0105.105] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.105] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.105] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268ea60 [0105.105] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\5Ykpxv7sy0VdB.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\5ykpxv7sy0vdb.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\5Ykpxv7sy0VdB.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\5ykpxv7sy0vdb.pptx.nefilim")) returned 1 [0105.105] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea60 | out: hHeap=0x2680000) returned 1 [0105.105] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e888 | out: hHeap=0x2680000) returned 1 [0105.105] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4a1dd9a0, ftCreationTime.dwHighDateTime=0x1d5e5b1, ftLastAccessTime.dwLowDateTime=0xf02174e0, ftLastAccessTime.dwHighDateTime=0x1d5e969, ftLastWriteTime.dwLowDateTime=0xf02174e0, ftLastWriteTime.dwHighDateTime=0x1d5e969, nFileSizeHigh=0x0, nFileSizeLow=0x18262, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="b2 H.csv", cAlternateFileName="B2H~1.CSV")) returned 1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2=".") returned 1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="..") returned 1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="...") returned 1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="windows") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="$RECYCLE.BIN") returned 1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="rsa") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="NTDETECT.COM") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="ntldr") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="MSDOS.SYS") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="IO.SYS") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="boot.ini") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="AUTOEXEC.BAT") returned 1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="ntuser.dat") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="desktop.ini") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="CONFIG.SYS") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="RECYCLER") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="BOOTSECT.BAK") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="bootmgr") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="programdata") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="appdata") returned 1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="program files") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="program files (x86)") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="microsoft") returned -1 [0105.106] lstrcmpiW (lpString1="b2 H.csv", lpString2="sophos") returned -1 [0105.106] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e888 [0105.106] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9b8 | out: hHeap=0x2680000) returned 1 [0105.106] PathFindExtensionW (pszPath="b2 H.csv") returned=".csv" [0105.106] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0105.106] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0105.106] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0105.106] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0105.106] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0105.106] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0105.106] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0105.106] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0105.107] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0105.107] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0105.107] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0105.107] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0105.107] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0105.107] lstrcmpiW (lpString1=".csv", lpString2=".NEFILIM") returned -1 [0105.107] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0105.107] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0105.107] lstrcmpiW (lpString1="b2 H.csv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.107] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e920 [0105.107] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\b2 H.csv" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\b2 h.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.107] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=98914) returned 1 [0105.107] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.107] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.107] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.107] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.107] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0105.107] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0105.107] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.107] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.108] GetTickCount () returned 0x115b6ba [0105.108] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0105.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0105.108] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18262, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.108] SetLastError (dwErrCode=0x0) [0105.108] WriteFile (in: hFile=0x274, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.109] GetLastError () returned 0x0 [0105.109] GetLastError () returned 0x0 [0105.109] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18362, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.109] WriteFile (in: hFile=0x274, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.109] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18462, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.109] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x39a37759, dwHighDateTime=0x1d5f971)) [0105.109] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.109] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.109] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.109] GetProcessHeap () returned 0xbc0000 [0105.109] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x18262) returned 0xbf3640 [0105.109] GetSystemDefaultLangID () returned 0xbd0409 [0105.109] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.109] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x18262, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x18262, lpOverlapped=0x0) returned 1 [0105.171] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.171] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x18262, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x18262, lpOverlapped=0x0) returned 1 [0105.171] GetProcessHeap () returned 0xbc0000 [0105.171] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.171] CloseHandle (hObject=0x274) returned 1 [0105.172] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0105.172] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0105.172] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.172] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.172] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e9b8 [0105.172] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\b2 H.csv" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\b2 h.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\b2 H.csv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\b2 h.csv.nefilim")) returned 1 [0105.172] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9b8 | out: hHeap=0x2680000) returned 1 [0105.172] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e920 | out: hHeap=0x2680000) returned 1 [0105.172] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9204c380, ftCreationTime.dwHighDateTime=0x1d5f085, ftLastAccessTime.dwLowDateTime=0x6948be00, ftLastAccessTime.dwHighDateTime=0x1d5eb9f, ftLastWriteTime.dwLowDateTime=0x6948be00, ftLastWriteTime.dwHighDateTime=0x1d5eb9f, nFileSizeHigh=0x0, nFileSizeLow=0x11c82, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="iJX9Pxr.xlsx", cAlternateFileName="IJX9PX~1.XLS")) returned 1 [0105.172] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2=".") returned 1 [0105.172] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="..") returned 1 [0105.172] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="...") returned 1 [0105.172] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="windows") returned -1 [0105.172] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="rsa") returned -1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="NTDETECT.COM") returned -1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="ntldr") returned -1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="MSDOS.SYS") returned -1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="IO.SYS") returned -1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="boot.ini") returned 1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="ntuser.dat") returned -1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="desktop.ini") returned 1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="CONFIG.SYS") returned 1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="RECYCLER") returned -1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="bootmgr") returned 1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="programdata") returned -1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="appdata") returned 1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="program files") returned -1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="program files (x86)") returned -1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="microsoft") returned -1 [0105.173] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="sophos") returned -1 [0105.173] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e920 [0105.173] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e888 | out: hHeap=0x2680000) returned 1 [0105.173] PathFindExtensionW (pszPath="iJX9Pxr.xlsx") returned=".xlsx" [0105.173] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0105.173] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0105.173] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0105.173] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0105.173] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0105.173] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0105.173] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0105.173] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0105.173] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0105.173] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0105.173] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0105.173] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0105.173] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0105.173] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0105.174] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0105.174] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0105.174] lstrcmpiW (lpString1="iJX9Pxr.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.174] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e9c8 [0105.174] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\iJX9Pxr.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\ijx9pxr.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.174] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=72834) returned 1 [0105.174] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.174] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.174] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.174] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.174] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0105.174] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.174] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.175] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.176] GetTickCount () returned 0x115b708 [0105.176] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0105.176] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0105.176] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x11c82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.176] SetLastError (dwErrCode=0x0) [0105.176] WriteFile (in: hFile=0x274, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.177] GetLastError () returned 0x0 [0105.177] GetLastError () returned 0x0 [0105.177] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x11d82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.177] WriteFile (in: hFile=0x274, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.177] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x11e82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.177] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x39af6216, dwHighDateTime=0x1d5f971)) [0105.177] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.177] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.177] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.178] GetProcessHeap () returned 0xbc0000 [0105.178] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11c82) returned 0xbf3640 [0105.178] GetSystemDefaultLangID () returned 0xbd0409 [0105.178] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.178] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x11c82, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x11c82, lpOverlapped=0x0) returned 1 [0105.182] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.182] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x11c82, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x11c82, lpOverlapped=0x0) returned 1 [0105.182] GetProcessHeap () returned 0xbc0000 [0105.182] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.182] CloseHandle (hObject=0x274) returned 1 [0105.182] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0105.182] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0105.182] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.182] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.182] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268ea70 [0105.182] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\iJX9Pxr.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\ijx9pxr.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\iJX9Pxr.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\ijx9pxr.xlsx.nefilim")) returned 1 [0105.183] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea70 | out: hHeap=0x2680000) returned 1 [0105.183] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9c8 | out: hHeap=0x2680000) returned 1 [0105.183] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d2cb520, ftCreationTime.dwHighDateTime=0x1d5e149, ftLastAccessTime.dwLowDateTime=0xc64ca2c0, ftLastAccessTime.dwHighDateTime=0x1d5e53b, ftLastWriteTime.dwLowDateTime=0xc64ca2c0, ftLastWriteTime.dwHighDateTime=0x1d5e53b, nFileSizeHigh=0x0, nFileSizeLow=0x2af7, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="iWgBSrKVi5tAelIUFMc.xlsx", cAlternateFileName="IWGBSR~1.XLS")) returned 1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2=".") returned 1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="..") returned 1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="...") returned 1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="windows") returned -1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="rsa") returned -1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="NTDETECT.COM") returned -1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="ntldr") returned -1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="MSDOS.SYS") returned -1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="IO.SYS") returned 1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="boot.ini") returned 1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="ntuser.dat") returned -1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="desktop.ini") returned 1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="CONFIG.SYS") returned 1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="RECYCLER") returned -1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="bootmgr") returned 1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="programdata") returned -1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="appdata") returned 1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="program files") returned -1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="program files (x86)") returned -1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="microsoft") returned -1 [0105.183] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="sophos") returned -1 [0105.184] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e9c8 [0105.184] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e920 | out: hHeap=0x2680000) returned 1 [0105.184] PathFindExtensionW (pszPath="iWgBSrKVi5tAelIUFMc.xlsx") returned=".xlsx" [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0105.184] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0105.184] lstrcmpiW (lpString1="iWgBSrKVi5tAelIUFMc.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.184] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e888 [0105.184] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\iWgBSrKVi5tAelIUFMc.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\iwgbsrkvi5taeliufmc.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.184] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=10999) returned 1 [0105.184] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0105.184] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.184] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0105.184] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.184] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0105.184] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0105.185] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.185] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.185] GetTickCount () returned 0x115b708 [0105.185] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0105.185] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0105.185] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2af7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.185] SetLastError (dwErrCode=0x0) [0105.185] WriteFile (in: hFile=0x274, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.186] GetLastError () returned 0x0 [0105.186] GetLastError () returned 0x0 [0105.186] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2bf7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.186] WriteFile (in: hFile=0x274, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.186] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2cf7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.186] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x39af6216, dwHighDateTime=0x1d5f971)) [0105.186] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.186] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.186] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.186] GetProcessHeap () returned 0xbc0000 [0105.186] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2af7) returned 0xbf3640 [0105.186] GetSystemDefaultLangID () returned 0xbd0409 [0105.186] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.186] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x2af7, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x2af7, lpOverlapped=0x0) returned 1 [0105.187] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.187] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x2af7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x2af7, lpOverlapped=0x0) returned 1 [0105.187] GetProcessHeap () returned 0xbc0000 [0105.187] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.187] CloseHandle (hObject=0x274) returned 1 [0105.187] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0105.187] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0105.187] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0f0 | out: hHeap=0x2680000) returned 1 [0105.187] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.187] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268ea80 [0105.187] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\iWgBSrKVi5tAelIUFMc.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\iwgbsrkvi5taeliufmc.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\iWgBSrKVi5tAelIUFMc.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\iwgbsrkvi5taeliufmc.xlsx.nefilim")) returned 1 [0105.188] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea80 | out: hHeap=0x2680000) returned 1 [0105.188] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e888 | out: hHeap=0x2680000) returned 1 [0105.188] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1f55fbe0, ftCreationTime.dwHighDateTime=0x1d5ee2f, ftLastAccessTime.dwLowDateTime=0xd63020f0, ftLastAccessTime.dwHighDateTime=0x1d5e69d, ftLastWriteTime.dwLowDateTime=0xd63020f0, ftLastWriteTime.dwHighDateTime=0x1d5e69d, nFileSizeHigh=0x0, nFileSizeLow=0x18866, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="Jyh5c8zeb1.rtf", cAlternateFileName="JYH5C8~1.RTF")) returned 1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2=".") returned 1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="..") returned 1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="...") returned 1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="windows") returned -1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="$RECYCLE.BIN") returned 1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="rsa") returned -1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="NTDETECT.COM") returned -1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="ntldr") returned -1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="MSDOS.SYS") returned -1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="IO.SYS") returned 1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="boot.ini") returned 1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="AUTOEXEC.BAT") returned 1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="ntuser.dat") returned -1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="desktop.ini") returned 1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="CONFIG.SYS") returned 1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="RECYCLER") returned -1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="BOOTSECT.BAK") returned 1 [0105.188] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="bootmgr") returned 1 [0105.189] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="programdata") returned -1 [0105.189] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="appdata") returned 1 [0105.189] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="program files") returned -1 [0105.189] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="program files (x86)") returned -1 [0105.189] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="microsoft") returned -1 [0105.189] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="sophos") returned -1 [0105.189] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e888 [0105.189] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9c8 | out: hHeap=0x2680000) returned 1 [0105.189] PathFindExtensionW (pszPath="Jyh5c8zeb1.rtf") returned=".rtf" [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".exe") returned 1 [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".log") returned 1 [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".cab") returned 1 [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".cmd") returned 1 [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".com") returned 1 [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".cpl") returned 1 [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".ini") returned 1 [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".dll") returned 1 [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".url") returned -1 [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".ttf") returned -1 [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".mp3") returned 1 [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".pif") returned 1 [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".mp4") returned 1 [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".NEFILIM") returned 1 [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".msi") returned 1 [0105.189] lstrcmpiW (lpString1=".rtf", lpString2=".lnk") returned 1 [0105.189] lstrcmpiW (lpString1="Jyh5c8zeb1.rtf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.189] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e930 [0105.189] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\Jyh5c8zeb1.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\jyh5c8zeb1.rtf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.189] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=100454) returned 1 [0105.189] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.189] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.189] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.189] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.190] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.190] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0105.190] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.190] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.191] GetTickCount () returned 0x115b708 [0105.191] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0105.191] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0105.191] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18866, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.191] SetLastError (dwErrCode=0x0) [0105.191] WriteFile (in: hFile=0x274, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.192] GetLastError () returned 0x0 [0105.192] GetLastError () returned 0x0 [0105.192] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18966, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.192] WriteFile (in: hFile=0x274, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.192] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x18a66, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.192] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x39b1c4ce, dwHighDateTime=0x1d5f971)) [0105.192] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.193] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.193] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.193] GetProcessHeap () returned 0xbc0000 [0105.193] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x18866) returned 0xbf3640 [0105.193] GetSystemDefaultLangID () returned 0xbd0409 [0105.193] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.193] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x18866, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x18866, lpOverlapped=0x0) returned 1 [0105.199] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.199] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x18866, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x18866, lpOverlapped=0x0) returned 1 [0105.199] GetProcessHeap () returned 0xbc0000 [0105.199] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.199] CloseHandle (hObject=0x274) returned 1 [0105.200] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0105.200] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0105.200] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.200] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.200] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e9d8 [0105.200] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\Jyh5c8zeb1.rtf" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\jyh5c8zeb1.rtf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\Jyh5c8zeb1.rtf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\jyh5c8zeb1.rtf.nefilim")) returned 1 [0105.200] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9d8 | out: hHeap=0x2680000) returned 1 [0105.200] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e930 | out: hHeap=0x2680000) returned 1 [0105.200] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x654e19c0, ftCreationTime.dwHighDateTime=0x1d5eb3c, ftLastAccessTime.dwLowDateTime=0xae0d6280, ftLastAccessTime.dwHighDateTime=0x1d5ebad, ftLastWriteTime.dwLowDateTime=0xae0d6280, ftLastWriteTime.dwHighDateTime=0x1d5ebad, nFileSizeHigh=0x0, nFileSizeLow=0xca39, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="k3PE-P_GB8Oi6etK.pdf", cAlternateFileName="K3PE-P~1.PDF")) returned 1 [0105.200] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2=".") returned 1 [0105.200] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="..") returned 1 [0105.200] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="...") returned 1 [0105.200] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="windows") returned -1 [0105.200] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="$RECYCLE.BIN") returned 1 [0105.200] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="rsa") returned -1 [0105.200] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="NTDETECT.COM") returned -1 [0105.200] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="ntldr") returned -1 [0105.200] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="MSDOS.SYS") returned -1 [0105.200] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="IO.SYS") returned 1 [0105.200] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="boot.ini") returned 1 [0105.201] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="AUTOEXEC.BAT") returned 1 [0105.201] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="ntuser.dat") returned -1 [0105.201] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="desktop.ini") returned 1 [0105.201] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="CONFIG.SYS") returned 1 [0105.201] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="RECYCLER") returned -1 [0105.201] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="BOOTSECT.BAK") returned 1 [0105.201] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="bootmgr") returned 1 [0105.201] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="programdata") returned -1 [0105.201] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="appdata") returned 1 [0105.201] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="program files") returned -1 [0105.201] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="program files (x86)") returned -1 [0105.201] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="microsoft") returned -1 [0105.201] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="sophos") returned -1 [0105.201] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e930 [0105.201] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e888 | out: hHeap=0x2680000) returned 1 [0105.201] PathFindExtensionW (pszPath="k3PE-P_GB8Oi6etK.pdf") returned=".pdf" [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".exe") returned 1 [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".log") returned 1 [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".cab") returned 1 [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".cmd") returned 1 [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".com") returned 1 [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".cpl") returned 1 [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".ini") returned 1 [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".dll") returned 1 [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".url") returned -1 [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".ttf") returned -1 [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".mp3") returned 1 [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".pif") returned -1 [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".mp4") returned 1 [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".NEFILIM") returned 1 [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".msi") returned 1 [0105.201] lstrcmpiW (lpString1=".pdf", lpString2=".lnk") returned 1 [0105.201] lstrcmpiW (lpString1="k3PE-P_GB8Oi6etK.pdf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.201] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e9e8 [0105.201] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\k3PE-P_GB8Oi6etK.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\k3pe-p_gb8oi6etk.pdf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.202] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=51769) returned 1 [0105.202] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0105.202] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0105.202] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0105.202] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0105.202] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0105.202] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0105.202] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.202] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.202] GetTickCount () returned 0x115b717 [0105.202] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0105.202] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0105.202] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xca39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.202] SetLastError (dwErrCode=0x0) [0105.202] WriteFile (in: hFile=0x274, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.203] GetLastError () returned 0x0 [0105.203] GetLastError () returned 0x0 [0105.203] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xcb39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.203] WriteFile (in: hFile=0x274, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.203] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xcc39, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.204] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x39b1c4ce, dwHighDateTime=0x1d5f971)) [0105.204] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.204] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.204] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.204] GetProcessHeap () returned 0xbc0000 [0105.204] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xca39) returned 0xbf3640 [0105.204] GetSystemDefaultLangID () returned 0xbd0409 [0105.204] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.204] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0xca39, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0xca39, lpOverlapped=0x0) returned 1 [0105.206] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.206] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0xca39, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0xca39, lpOverlapped=0x0) returned 1 [0105.207] GetProcessHeap () returned 0xbc0000 [0105.207] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.207] CloseHandle (hObject=0x274) returned 1 [0105.207] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0105.207] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0105.207] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0105.207] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0105.207] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268eaa0 [0105.207] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\k3PE-P_GB8Oi6etK.pdf" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\k3pe-p_gb8oi6etk.pdf"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\k3PE-P_GB8Oi6etK.pdf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\k3pe-p_gb8oi6etk.pdf.nefilim")) returned 1 [0105.257] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eaa0 | out: hHeap=0x2680000) returned 1 [0105.257] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9e8 | out: hHeap=0x2680000) returned 1 [0105.257] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa3bea5a0, ftCreationTime.dwHighDateTime=0x1d5ea63, ftLastAccessTime.dwLowDateTime=0x572e4fd0, ftLastAccessTime.dwHighDateTime=0x1d5e651, ftLastWriteTime.dwLowDateTime=0x572e4fd0, ftLastWriteTime.dwHighDateTime=0x1d5e651, nFileSizeHigh=0x0, nFileSizeLow=0x964c, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="QuNpsc0M-.ppt", cAlternateFileName="QUNPSC~1.PPT")) returned 1 [0105.257] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2=".") returned 1 [0105.257] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="..") returned 1 [0105.257] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="...") returned 1 [0105.257] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="windows") returned -1 [0105.257] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="$RECYCLE.BIN") returned 1 [0105.257] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="rsa") returned -1 [0105.257] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="NTDETECT.COM") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="ntldr") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="MSDOS.SYS") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="IO.SYS") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="boot.ini") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="AUTOEXEC.BAT") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="ntuser.dat") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="desktop.ini") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="CONFIG.SYS") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="RECYCLER") returned -1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="BOOTSECT.BAK") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="bootmgr") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="programdata") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="appdata") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="program files") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="program files (x86)") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="microsoft") returned 1 [0105.258] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="sophos") returned -1 [0105.258] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e888 [0105.258] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e930 | out: hHeap=0x2680000) returned 1 [0105.258] PathFindExtensionW (pszPath="QuNpsc0M-.ppt") returned=".ppt" [0105.258] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0105.258] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0105.258] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0105.258] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0105.258] lstrcmpiW (lpString1=".ppt", lpString2=".com") returned 1 [0105.258] lstrcmpiW (lpString1=".ppt", lpString2=".cpl") returned 1 [0105.258] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0105.258] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0105.258] lstrcmpiW (lpString1=".ppt", lpString2=".url") returned -1 [0105.258] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0105.258] lstrcmpiW (lpString1=".ppt", lpString2=".mp3") returned 1 [0105.258] lstrcmpiW (lpString1=".ppt", lpString2=".pif") returned 1 [0105.258] lstrcmpiW (lpString1=".ppt", lpString2=".mp4") returned 1 [0105.258] lstrcmpiW (lpString1=".ppt", lpString2=".NEFILIM") returned 1 [0105.258] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0105.259] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0105.259] lstrcmpiW (lpString1="QuNpsc0M-.ppt", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0105.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e930 [0105.259] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\QuNpsc0M-.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\qunpsc0m-.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.259] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=38476) returned 1 [0105.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.259] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.259] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0105.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.259] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.260] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.261] GetTickCount () returned 0x115b756 [0105.261] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e7a0 [0105.261] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e7a0 | out: hHeap=0x2680000) returned 1 [0105.261] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x964c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.261] SetLastError (dwErrCode=0x0) [0105.261] WriteFile (in: hFile=0x274, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.262] GetLastError () returned 0x0 [0105.262] GetLastError () returned 0x0 [0105.262] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x974c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.262] WriteFile (in: hFile=0x274, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.262] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x984c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.262] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x39bb4f04, dwHighDateTime=0x1d5f971)) [0105.262] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.262] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.262] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.262] GetProcessHeap () returned 0xbc0000 [0105.262] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x964c) returned 0xbf3640 [0105.262] GetSystemDefaultLangID () returned 0xbd0409 [0105.262] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.262] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x964c, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x964c, lpOverlapped=0x0) returned 1 [0105.264] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.265] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x964c, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x964c, lpOverlapped=0x0) returned 1 [0105.265] GetProcessHeap () returned 0xbc0000 [0105.265] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.265] CloseHandle (hObject=0x274) returned 1 [0105.265] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0105.265] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0105.265] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.265] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e9d8 [0105.265] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\QuNpsc0M-.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\qunpsc0m-.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\QuNpsc0M-.ppt.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\qunpsc0m-.ppt.nefilim")) returned 1 [0105.265] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9d8 | out: hHeap=0x2680000) returned 1 [0105.266] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e930 | out: hHeap=0x2680000) returned 1 [0105.266] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb84a08d0, ftCreationTime.dwHighDateTime=0x1d5e666, ftLastAccessTime.dwLowDateTime=0x4b33e100, ftLastAccessTime.dwHighDateTime=0x1d5f087, ftLastWriteTime.dwLowDateTime=0x4b33e100, ftLastWriteTime.dwHighDateTime=0x1d5f087, nFileSizeHigh=0x0, nFileSizeLow=0x13eb7, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="y4uK28o0.csv", cAlternateFileName="")) returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2=".") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="..") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="...") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="windows") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="$RECYCLE.BIN") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="rsa") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="NTDETECT.COM") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="ntldr") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="MSDOS.SYS") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="IO.SYS") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="boot.ini") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="AUTOEXEC.BAT") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="ntuser.dat") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="desktop.ini") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="CONFIG.SYS") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="RECYCLER") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="BOOTSECT.BAK") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="bootmgr") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="programdata") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="appdata") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="program files") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="program files (x86)") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="microsoft") returned 1 [0105.266] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="sophos") returned 1 [0105.266] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e930 [0105.266] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e888 | out: hHeap=0x2680000) returned 1 [0105.266] PathFindExtensionW (pszPath="y4uK28o0.csv") returned=".csv" [0105.266] lstrcmpiW (lpString1=".csv", lpString2=".exe") returned -1 [0105.266] lstrcmpiW (lpString1=".csv", lpString2=".log") returned -1 [0105.266] lstrcmpiW (lpString1=".csv", lpString2=".cab") returned 1 [0105.266] lstrcmpiW (lpString1=".csv", lpString2=".cmd") returned 1 [0105.266] lstrcmpiW (lpString1=".csv", lpString2=".com") returned 1 [0105.267] lstrcmpiW (lpString1=".csv", lpString2=".cpl") returned 1 [0105.267] lstrcmpiW (lpString1=".csv", lpString2=".ini") returned -1 [0105.267] lstrcmpiW (lpString1=".csv", lpString2=".dll") returned -1 [0105.267] lstrcmpiW (lpString1=".csv", lpString2=".url") returned -1 [0105.267] lstrcmpiW (lpString1=".csv", lpString2=".ttf") returned -1 [0105.267] lstrcmpiW (lpString1=".csv", lpString2=".mp3") returned -1 [0105.267] lstrcmpiW (lpString1=".csv", lpString2=".pif") returned -1 [0105.267] lstrcmpiW (lpString1=".csv", lpString2=".mp4") returned -1 [0105.267] lstrcmpiW (lpString1=".csv", lpString2=".NEFILIM") returned -1 [0105.267] lstrcmpiW (lpString1=".csv", lpString2=".msi") returned -1 [0105.267] lstrcmpiW (lpString1=".csv", lpString2=".lnk") returned -1 [0105.267] lstrcmpiW (lpString1="y4uK28o0.csv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0105.267] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e888 [0105.267] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\y4uK28o0.csv" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\y4uk28o0.csv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.267] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=81591) returned 1 [0105.267] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0105.267] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0105.267] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0105.267] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0105.267] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0105.267] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0105.267] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.267] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.268] GetTickCount () returned 0x115b756 [0105.268] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0105.268] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0105.268] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x13eb7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.268] SetLastError (dwErrCode=0x0) [0105.268] WriteFile (in: hFile=0x274, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.269] GetLastError () returned 0x0 [0105.269] GetLastError () returned 0x0 [0105.269] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x13fb7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.269] WriteFile (in: hFile=0x274, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.269] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x140b7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.269] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x39bb4f04, dwHighDateTime=0x1d5f971)) [0105.269] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.269] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.269] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.269] GetProcessHeap () returned 0xbc0000 [0105.269] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x13eb7) returned 0xbf3640 [0105.269] GetSystemDefaultLangID () returned 0xbd0409 [0105.269] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.269] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x13eb7, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x13eb7, lpOverlapped=0x0) returned 1 [0105.274] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.274] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x13eb7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x13eb7, lpOverlapped=0x0) returned 1 [0105.274] GetProcessHeap () returned 0xbc0000 [0105.274] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.274] CloseHandle (hObject=0x274) returned 1 [0105.274] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0105.274] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0105.274] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0105.275] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0105.275] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268e9d8 [0105.275] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\y4uK28o0.csv" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\y4uk28o0.csv"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\bqYCjqML4mlsP\\y4uK28o0.csv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\bqycjqml4mlsp\\y4uk28o0.csv.nefilim")) returned 1 [0105.275] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9d8 | out: hHeap=0x2680000) returned 1 [0105.275] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e888 | out: hHeap=0x2680000) returned 1 [0105.275] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb84a08d0, ftCreationTime.dwHighDateTime=0x1d5e666, ftLastAccessTime.dwLowDateTime=0x4b33e100, ftLastAccessTime.dwHighDateTime=0x1d5f087, ftLastWriteTime.dwLowDateTime=0x4b33e100, ftLastWriteTime.dwHighDateTime=0x1d5f087, nFileSizeHigh=0x0, nFileSizeLow=0x13eb7, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="y4uK28o0.csv", cAlternateFileName="")) returned 0 [0105.275] FindClose (in: hFindFile=0xbe2888 | out: hFindFile=0xbe2888) returned 1 [0105.276] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e930 | out: hHeap=0x2680000) returned 1 [0105.276] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0105.276] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0105.276] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1955850, ftCreationTime.dwHighDateTime=0x1d5e4a3, ftLastAccessTime.dwLowDateTime=0xd14503f0, ftLastAccessTime.dwHighDateTime=0x1d5ee16, ftLastWriteTime.dwLowDateTime=0xd14503f0, ftLastWriteTime.dwHighDateTime=0x1d5ee16, nFileSizeHigh=0x0, nFileSizeLow=0x1012f, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="CqJ1SuwhlvKqQ2m-VfrW.ppt", cAlternateFileName="CQJ1SU~1.PPT")) returned 1 [0105.276] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2=".") returned 1 [0105.276] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="..") returned 1 [0105.276] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="...") returned 1 [0105.276] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="windows") returned -1 [0105.276] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="$RECYCLE.BIN") returned 1 [0105.276] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="rsa") returned -1 [0105.276] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="NTDETECT.COM") returned -1 [0105.276] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="ntldr") returned -1 [0105.276] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="MSDOS.SYS") returned -1 [0105.276] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="IO.SYS") returned -1 [0105.276] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="boot.ini") returned 1 [0105.276] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="AUTOEXEC.BAT") returned 1 [0105.276] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="ntuser.dat") returned -1 [0105.276] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="desktop.ini") returned -1 [0105.277] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="CONFIG.SYS") returned 1 [0105.277] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="RECYCLER") returned -1 [0105.277] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="BOOTSECT.BAK") returned 1 [0105.277] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="bootmgr") returned 1 [0105.277] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="programdata") returned -1 [0105.277] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="appdata") returned 1 [0105.277] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="program files") returned -1 [0105.277] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="program files (x86)") returned -1 [0105.277] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="microsoft") returned -1 [0105.277] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="sophos") returned -1 [0105.277] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0105.277] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0105.277] PathFindExtensionW (pszPath="CqJ1SuwhlvKqQ2m-VfrW.ppt") returned=".ppt" [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".exe") returned 1 [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".log") returned 1 [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".cab") returned 1 [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".cmd") returned 1 [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".com") returned 1 [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".cpl") returned 1 [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".ini") returned 1 [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".dll") returned 1 [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".url") returned -1 [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".ttf") returned -1 [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".mp3") returned 1 [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".pif") returned 1 [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".mp4") returned 1 [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".NEFILIM") returned 1 [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".msi") returned 1 [0105.277] lstrcmpiW (lpString1=".ppt", lpString2=".lnk") returned 1 [0105.277] lstrcmpiW (lpString1="CqJ1SuwhlvKqQ2m-VfrW.ppt", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.277] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be28 [0105.277] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\CqJ1SuwhlvKqQ2m-VfrW.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\cqj1suwhlvkqq2m-vfrw.ppt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0105.278] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=65839) returned 1 [0105.278] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.278] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.278] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.278] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.278] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0105.278] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0105.278] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be798*=0x100) returned 1 [0105.279] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be794*=0x100) returned 1 [0105.279] GetTickCount () returned 0x115b765 [0105.279] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e7a0 [0105.279] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e7a0 | out: hHeap=0x2680000) returned 1 [0105.279] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1012f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.279] SetLastError (dwErrCode=0x0) [0105.279] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.280] GetLastError () returned 0x0 [0105.280] GetLastError () returned 0x0 [0105.280] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1022f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.280] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.280] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1032f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.280] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x39bdb0f3, dwHighDateTime=0x1d5f971)) [0105.280] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.280] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.280] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0105.280] GetProcessHeap () returned 0xbc0000 [0105.280] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1012f) returned 0xbf2638 [0105.280] GetSystemDefaultLangID () returned 0xbd0409 [0105.280] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.280] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1012f, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x1012f, lpOverlapped=0x0) returned 1 [0105.284] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.284] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1012f, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x1012f, lpOverlapped=0x0) returned 1 [0105.284] GetProcessHeap () returned 0xbc0000 [0105.284] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0105.284] CloseHandle (hObject=0x270) returned 1 [0105.285] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0105.285] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0105.285] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.285] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.285] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e800 [0105.285] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\CqJ1SuwhlvKqQ2m-VfrW.ppt" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\cqj1suwhlvkqq2m-vfrw.ppt"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\CqJ1SuwhlvKqQ2m-VfrW.ppt.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\cqj1suwhlvkqq2m-vfrw.ppt.nefilim")) returned 1 [0105.286] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0105.286] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be28 | out: hHeap=0x2680000) returned 1 [0105.286] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdec22930, ftCreationTime.dwHighDateTime=0x1d5ec46, ftLastAccessTime.dwLowDateTime=0x1ba6bd70, ftLastAccessTime.dwHighDateTime=0x1d5e495, ftLastWriteTime.dwLowDateTime=0x1ba6bd70, ftLastWriteTime.dwHighDateTime=0x1d5e495, nFileSizeHigh=0x0, nFileSizeLow=0x16aa4, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="E37k.pptx", cAlternateFileName="E37K~1.PPT")) returned 1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2=".") returned 1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="..") returned 1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="...") returned 1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="windows") returned -1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="$RECYCLE.BIN") returned 1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="rsa") returned -1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="NTDETECT.COM") returned -1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="ntldr") returned -1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="MSDOS.SYS") returned -1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="IO.SYS") returned -1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="boot.ini") returned 1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="ntuser.dat") returned -1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="desktop.ini") returned 1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="CONFIG.SYS") returned 1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="RECYCLER") returned -1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="BOOTSECT.BAK") returned 1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="bootmgr") returned 1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="programdata") returned -1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="appdata") returned 1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="program files") returned -1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="program files (x86)") returned -1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="microsoft") returned -1 [0105.286] lstrcmpiW (lpString1="E37k.pptx", lpString2="sophos") returned -1 [0105.286] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be28 [0105.286] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0105.286] PathFindExtensionW (pszPath="E37k.pptx") returned=".pptx" [0105.286] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0105.287] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0105.287] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0105.287] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0105.287] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0105.287] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0105.287] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0105.287] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0105.287] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0105.287] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0105.287] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0105.287] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0105.287] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0105.287] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0105.287] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0105.287] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0105.287] lstrcmpiW (lpString1="E37k.pptx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.287] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0105.287] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\E37k.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\e37k.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0105.287] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=92836) returned 1 [0105.287] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.287] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.287] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.287] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.287] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0105.287] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0105.287] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x100) returned 1 [0105.288] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be794*=0x100) returned 1 [0105.289] GetTickCount () returned 0x115b775 [0105.289] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0105.289] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0105.289] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x16aa4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.289] SetLastError (dwErrCode=0x0) [0105.289] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.290] GetLastError () returned 0x0 [0105.290] GetLastError () returned 0x0 [0105.290] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x16ba4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.290] WriteFile (in: hFile=0x270, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.290] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x16ca4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.290] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x39c01336, dwHighDateTime=0x1d5f971)) [0105.290] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.290] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.290] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0105.290] GetProcessHeap () returned 0xbc0000 [0105.290] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x16aa4) returned 0xbf2638 [0105.291] GetSystemDefaultLangID () returned 0xbd0409 [0105.291] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.291] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x16aa4, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x16aa4, lpOverlapped=0x0) returned 1 [0105.296] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.296] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x16aa4, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x16aa4, lpOverlapped=0x0) returned 1 [0105.296] GetProcessHeap () returned 0xbc0000 [0105.296] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0105.296] CloseHandle (hObject=0x270) returned 1 [0105.297] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0105.297] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0105.297] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.297] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.297] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0105.297] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\E37k.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\e37k.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\E37k.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\e37k.pptx.nefilim")) returned 1 [0105.297] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0105.297] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0105.297] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x49402c50, ftCreationTime.dwHighDateTime=0x1d5e1aa, ftLastAccessTime.dwLowDateTime=0xc4740dc0, ftLastAccessTime.dwHighDateTime=0x1d5efa5, ftLastWriteTime.dwLowDateTime=0xc4740dc0, ftLastWriteTime.dwHighDateTime=0x1d5efa5, nFileSizeHigh=0x0, nFileSizeLow=0xb48c, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="hCy3UDvegkb bvKJo1f.xls", cAlternateFileName="HCY3UD~1.XLS")) returned 1 [0105.297] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2=".") returned 1 [0105.297] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="..") returned 1 [0105.297] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="...") returned 1 [0105.297] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="windows") returned -1 [0105.297] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="$RECYCLE.BIN") returned 1 [0105.297] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="rsa") returned -1 [0105.297] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="NTDETECT.COM") returned -1 [0105.297] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="ntldr") returned -1 [0105.297] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="MSDOS.SYS") returned -1 [0105.298] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="IO.SYS") returned -1 [0105.298] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="boot.ini") returned 1 [0105.298] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="AUTOEXEC.BAT") returned 1 [0105.298] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="ntuser.dat") returned -1 [0105.298] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="desktop.ini") returned 1 [0105.298] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="CONFIG.SYS") returned 1 [0105.298] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="RECYCLER") returned -1 [0105.298] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="BOOTSECT.BAK") returned 1 [0105.298] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="bootmgr") returned 1 [0105.298] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="programdata") returned -1 [0105.298] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="appdata") returned 1 [0105.299] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="program files") returned -1 [0105.299] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="program files (x86)") returned -1 [0105.299] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="microsoft") returned -1 [0105.299] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="sophos") returned -1 [0105.299] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0105.299] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be28 | out: hHeap=0x2680000) returned 1 [0105.299] PathFindExtensionW (pszPath="hCy3UDvegkb bvKJo1f.xls") returned=".xls" [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".exe") returned 1 [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".log") returned 1 [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".cab") returned 1 [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".cmd") returned 1 [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".com") returned 1 [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".cpl") returned 1 [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".ini") returned 1 [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".dll") returned 1 [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".url") returned 1 [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".ttf") returned 1 [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".mp3") returned 1 [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".pif") returned 1 [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".mp4") returned 1 [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".NEFILIM") returned 1 [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".msi") returned 1 [0105.299] lstrcmpiW (lpString1=".xls", lpString2=".lnk") returned 1 [0105.299] lstrcmpiW (lpString1="hCy3UDvegkb bvKJo1f.xls", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.299] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be28 [0105.299] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\hCy3UDvegkb bvKJo1f.xls" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\hcy3udvegkb bvkjo1f.xls"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0105.299] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=46220) returned 1 [0105.299] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0105.300] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0105.300] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0105.300] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0105.300] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0105.300] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0105.300] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be798*=0x100) returned 1 [0105.300] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x100) returned 1 [0105.300] GetTickCount () returned 0x115b775 [0105.300] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0105.300] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0105.300] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb48c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.300] SetLastError (dwErrCode=0x0) [0105.300] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.361] GetLastError () returned 0x0 [0105.361] GetLastError () returned 0x0 [0105.361] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb58c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.361] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.361] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb68c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.361] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x39c99a3a, dwHighDateTime=0x1d5f971)) [0105.361] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.361] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.361] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0105.361] GetProcessHeap () returned 0xbc0000 [0105.362] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xb48c) returned 0xbf2638 [0105.362] GetSystemDefaultLangID () returned 0xbd0409 [0105.362] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.362] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xb48c, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xb48c, lpOverlapped=0x0) returned 1 [0105.364] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.364] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xb48c, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xb48c, lpOverlapped=0x0) returned 1 [0105.365] GetProcessHeap () returned 0xbc0000 [0105.365] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0105.365] CloseHandle (hObject=0x270) returned 1 [0105.365] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0105.365] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0105.365] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0105.365] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0105.365] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e800 [0105.365] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\hCy3UDvegkb bvKJo1f.xls" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\hcy3udvegkb bvkjo1f.xls"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\hCy3UDvegkb bvKJo1f.xls.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\hcy3udvegkb bvkjo1f.xls.nefilim")) returned 1 [0105.366] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0105.366] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be28 | out: hHeap=0x2680000) returned 1 [0105.366] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd3d112f0, ftCreationTime.dwHighDateTime=0x1d5ebda, ftLastAccessTime.dwLowDateTime=0xa6dc9190, ftLastAccessTime.dwHighDateTime=0x1d5e5fc, ftLastWriteTime.dwLowDateTime=0xa6dc9190, ftLastWriteTime.dwHighDateTime=0x1d5e5fc, nFileSizeHigh=0x0, nFileSizeLow=0xaa9, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="pllfK-bqFq54c.pps", cAlternateFileName="PLLFK-~1.PPS")) returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2=".") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="..") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="...") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="windows") returned -1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="$RECYCLE.BIN") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="rsa") returned -1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="NTDETECT.COM") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="ntldr") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="MSDOS.SYS") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="IO.SYS") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="boot.ini") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="AUTOEXEC.BAT") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="ntuser.dat") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="desktop.ini") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="CONFIG.SYS") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="RECYCLER") returned -1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="BOOTSECT.BAK") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="bootmgr") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="programdata") returned -1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="appdata") returned 1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="program files") returned -1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="program files (x86)") returned -1 [0105.366] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="microsoft") returned 1 [0105.367] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="sophos") returned -1 [0105.367] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be28 [0105.367] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0105.367] PathFindExtensionW (pszPath="pllfK-bqFq54c.pps") returned=".pps" [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".exe") returned 1 [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".log") returned 1 [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".cab") returned 1 [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".cmd") returned 1 [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".com") returned 1 [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".cpl") returned 1 [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".ini") returned 1 [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".dll") returned 1 [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".url") returned -1 [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".ttf") returned -1 [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".mp3") returned 1 [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".pif") returned 1 [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".mp4") returned 1 [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".NEFILIM") returned 1 [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".msi") returned 1 [0105.367] lstrcmpiW (lpString1=".pps", lpString2=".lnk") returned 1 [0105.367] lstrcmpiW (lpString1="pllfK-bqFq54c.pps", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0105.367] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0105.367] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\pllfK-bqFq54c.pps" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\pllfk-bqfq54c.pps"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0105.367] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=2729) returned 1 [0105.367] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.367] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.367] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.367] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.367] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0105.368] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.368] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x100) returned 1 [0105.368] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be794*=0x100) returned 1 [0105.368] GetTickCount () returned 0x115b7c3 [0105.368] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0105.368] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0105.368] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xaa9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.368] SetLastError (dwErrCode=0x0) [0105.368] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.369] GetLastError () returned 0x0 [0105.369] GetLastError () returned 0x0 [0105.369] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xba9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.369] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.369] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xca9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.369] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x39cbfcc1, dwHighDateTime=0x1d5f971)) [0105.369] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.369] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.369] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0105.369] GetProcessHeap () returned 0xbc0000 [0105.369] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xaa9) returned 0xbe3f48 [0105.369] GetSystemDefaultLangID () returned 0xbd0409 [0105.369] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.369] ReadFile (in: hFile=0x270, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0xaa9, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25be7fc*=0xaa9, lpOverlapped=0x0) returned 1 [0105.370] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.370] WriteFile (in: hFile=0x270, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0xaa9, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25be7f0*=0xaa9, lpOverlapped=0x0) returned 1 [0105.370] GetProcessHeap () returned 0xbc0000 [0105.370] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0105.370] CloseHandle (hObject=0x270) returned 1 [0105.370] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0105.370] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0105.370] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.370] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.370] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0105.370] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\pllfK-bqFq54c.pps" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\pllfk-bqfq54c.pps"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\pllfK-bqFq54c.pps.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\pllfk-bqfq54c.pps.nefilim")) returned 1 [0105.370] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0105.371] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0105.371] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7e4fff0, ftCreationTime.dwHighDateTime=0x1d5efa3, ftLastAccessTime.dwLowDateTime=0xb6881d00, ftLastAccessTime.dwHighDateTime=0x1d5e483, ftLastWriteTime.dwLowDateTime=0xb6881d00, ftLastWriteTime.dwHighDateTime=0x1d5e483, nFileSizeHigh=0x0, nFileSizeLow=0x14782, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="r62ylPta nLalr5SJw-G.odp", cAlternateFileName="R62YLP~1.ODP")) returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2=".") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="..") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="...") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="windows") returned -1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="$RECYCLE.BIN") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="rsa") returned -1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="NTDETECT.COM") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="ntldr") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="MSDOS.SYS") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="IO.SYS") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="boot.ini") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="AUTOEXEC.BAT") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="ntuser.dat") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="desktop.ini") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="CONFIG.SYS") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="RECYCLER") returned -1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="BOOTSECT.BAK") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="bootmgr") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="programdata") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="appdata") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="program files") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="program files (x86)") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="microsoft") returned 1 [0105.371] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="sophos") returned -1 [0105.371] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0105.371] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be28 | out: hHeap=0x2680000) returned 1 [0105.371] PathFindExtensionW (pszPath="r62ylPta nLalr5SJw-G.odp") returned=".odp" [0105.371] lstrcmpiW (lpString1=".odp", lpString2=".exe") returned 1 [0105.371] lstrcmpiW (lpString1=".odp", lpString2=".log") returned 1 [0105.371] lstrcmpiW (lpString1=".odp", lpString2=".cab") returned 1 [0105.371] lstrcmpiW (lpString1=".odp", lpString2=".cmd") returned 1 [0105.371] lstrcmpiW (lpString1=".odp", lpString2=".com") returned 1 [0105.371] lstrcmpiW (lpString1=".odp", lpString2=".cpl") returned 1 [0105.372] lstrcmpiW (lpString1=".odp", lpString2=".ini") returned 1 [0105.372] lstrcmpiW (lpString1=".odp", lpString2=".dll") returned 1 [0105.372] lstrcmpiW (lpString1=".odp", lpString2=".url") returned -1 [0105.372] lstrcmpiW (lpString1=".odp", lpString2=".ttf") returned -1 [0105.372] lstrcmpiW (lpString1=".odp", lpString2=".mp3") returned 1 [0105.372] lstrcmpiW (lpString1=".odp", lpString2=".pif") returned -1 [0105.372] lstrcmpiW (lpString1=".odp", lpString2=".mp4") returned 1 [0105.372] lstrcmpiW (lpString1=".odp", lpString2=".NEFILIM") returned 1 [0105.372] lstrcmpiW (lpString1=".odp", lpString2=".msi") returned 1 [0105.372] lstrcmpiW (lpString1=".odp", lpString2=".lnk") returned 1 [0105.372] lstrcmpiW (lpString1="r62ylPta nLalr5SJw-G.odp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0105.372] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be28 [0105.372] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\r62ylPta nLalr5SJw-G.odp" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\r62ylpta nlalr5sjw-g.odp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0105.372] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=83842) returned 1 [0105.372] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0105.372] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.372] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0105.372] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.372] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0105.372] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.372] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be798*=0x100) returned 1 [0105.372] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be794*=0x100) returned 1 [0105.373] GetTickCount () returned 0x115b7c3 [0105.373] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0105.373] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0105.373] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14782, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.373] SetLastError (dwErrCode=0x0) [0105.373] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.374] GetLastError () returned 0x0 [0105.374] GetLastError () returned 0x0 [0105.374] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14882, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.374] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.374] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14982, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.374] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x39cbfcc1, dwHighDateTime=0x1d5f971)) [0105.374] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.374] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.374] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0105.374] GetProcessHeap () returned 0xbc0000 [0105.374] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x14782) returned 0xbf2638 [0105.374] GetSystemDefaultLangID () returned 0xbd0409 [0105.374] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.374] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x14782, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x14782, lpOverlapped=0x0) returned 1 [0105.378] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.378] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x14782, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x14782, lpOverlapped=0x0) returned 1 [0105.378] GetProcessHeap () returned 0xbc0000 [0105.378] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0105.378] CloseHandle (hObject=0x270) returned 1 [0105.378] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0105.378] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0105.379] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0105.379] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.379] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e800 [0105.379] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\r62ylPta nLalr5SJw-G.odp" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\r62ylpta nlalr5sjw-g.odp"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\MS_cO3vREvvbe8GluAO\\r62ylPta nLalr5SJw-G.odp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\ms_co3vrevvbe8gluao\\r62ylpta nlalr5sjw-g.odp.nefilim")) returned 1 [0105.379] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0105.379] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be28 | out: hHeap=0x2680000) returned 1 [0105.379] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7e4fff0, ftCreationTime.dwHighDateTime=0x1d5efa3, ftLastAccessTime.dwLowDateTime=0xb6881d00, ftLastAccessTime.dwHighDateTime=0x1d5e483, ftLastWriteTime.dwLowDateTime=0xb6881d00, ftLastWriteTime.dwHighDateTime=0x1d5e483, nFileSizeHigh=0x0, nFileSizeLow=0x14782, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="r62ylPta nLalr5SJw-G.odp", cAlternateFileName="R62YLP~1.ODP")) returned 0 [0105.379] FindClose (in: hFindFile=0xbe2908 | out: hFindFile=0xbe2908) returned 1 [0105.379] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0105.379] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0105.379] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.379] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0105.379] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0105.379] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0105.379] lstrcmpiW (lpString1="My Music", lpString2="...") returned 1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="$RECYCLE.BIN") returned 1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="rsa") returned -1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="NTDETECT.COM") returned -1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="ntldr") returned -1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="MSDOS.SYS") returned 1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="IO.SYS") returned 1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="boot.ini") returned 1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="AUTOEXEC.BAT") returned 1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="ntuser.dat") returned -1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="desktop.ini") returned 1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="CONFIG.SYS") returned 1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="RECYCLER") returned -1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="BOOTSECT.BAK") returned 1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="programdata") returned -1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="appdata") returned 1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="program files") returned -1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="program files (x86)") returned -1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="microsoft") returned 1 [0105.380] lstrcmpiW (lpString1="My Music", lpString2="sophos") returned -1 [0105.380] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0105.380] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0105.380] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0105.380] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0105.380] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0105.380] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\My Music\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe7e4fff0, ftCreationTime.dwHighDateTime=0x22000022, ftLastAccessTime.dwLowDateTime=0xb6881d00, ftLastAccessTime.dwHighDateTime=0x1d5e483, ftLastWriteTime.dwLowDateTime=0xb6881d00, ftLastWriteTime.dwHighDateTime=0x1d5e483, nFileSizeHigh=0x2680000, nFileSizeLow=0x22000022, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="", cAlternateFileName="ɛ⊺ĊԐɨҸɨF")) returned 0xffffffff [0105.381] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0105.381] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.381] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0105.381] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="...") returned 1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="$RECYCLE.BIN") returned 1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="rsa") returned -1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="NTDETECT.COM") returned -1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="ntldr") returned -1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="MSDOS.SYS") returned 1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="IO.SYS") returned 1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="boot.ini") returned 1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="ntuser.dat") returned -1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="desktop.ini") returned 1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="CONFIG.SYS") returned 1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="RECYCLER") returned -1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="BOOTSECT.BAK") returned 1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="programdata") returned -1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="appdata") returned 1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="program files") returned -1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="program files (x86)") returned -1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="microsoft") returned 1 [0105.381] lstrcmpiW (lpString1="My Pictures", lpString2="sophos") returned -1 [0105.381] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0105.381] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.381] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0105.381] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0105.381] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e340 [0105.381] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\My Pictures\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xe7e4fff0, ftCreationTime.dwHighDateTime=0x22000022, ftLastAccessTime.dwLowDateTime=0xb6881d00, ftLastAccessTime.dwHighDateTime=0x22000022, ftLastWriteTime.dwLowDateTime=0xb6881d00, ftLastWriteTime.dwHighDateTime=0x22000022, nFileSizeHigh=0x2680000, nFileSizeLow=0x22000022, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="", cAlternateFileName="ɛ⊺ĊҸɨԐɨL")) returned 0xffffffff [0105.382] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0105.382] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.382] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.382] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="My Shapes", cAlternateFileName="MYSHAP~1")) returned 1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2=".") returned 1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="..") returned 1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="...") returned 1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="windows") returned -1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="$RECYCLE.BIN") returned 1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="rsa") returned -1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="NTDETECT.COM") returned -1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="ntldr") returned -1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="MSDOS.SYS") returned 1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="IO.SYS") returned 1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="boot.ini") returned 1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="AUTOEXEC.BAT") returned 1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="ntuser.dat") returned -1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="desktop.ini") returned 1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="CONFIG.SYS") returned 1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="RECYCLER") returned -1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="BOOTSECT.BAK") returned 1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="bootmgr") returned 1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="programdata") returned -1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="appdata") returned 1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="program files") returned -1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="program files (x86)") returned -1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="microsoft") returned 1 [0105.382] lstrcmpiW (lpString1="My Shapes", lpString2="sophos") returned -1 [0105.382] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0105.382] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0105.382] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0105.382] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0105.382] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0105.382] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x80, cFileName=".", cAlternateFileName="")) returned 0xbe2648 [0105.383] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.383] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="..", cAlternateFileName="")) returned 1 [0105.384] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.384] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.384] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bea8c6, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0xd8, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0105.384] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0105.384] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0105.384] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0105.384] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0105.384] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0105.384] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0105.384] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0105.384] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0105.384] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0105.384] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0105.384] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0105.384] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0105.384] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0105.384] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0105.384] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1a0f60e, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1a0f60e, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1a0f60e, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="Favorites.vssx", cAlternateFileName="FAVORI~1.VSS")) returned 1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2=".") returned 1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="..") returned 1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="...") returned 1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="windows") returned -1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="$RECYCLE.BIN") returned 1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="rsa") returned -1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="NTDETECT.COM") returned -1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="ntldr") returned -1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="MSDOS.SYS") returned -1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="IO.SYS") returned -1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="boot.ini") returned 1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="AUTOEXEC.BAT") returned 1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="ntuser.dat") returned -1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="desktop.ini") returned 1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="CONFIG.SYS") returned 1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="RECYCLER") returned -1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="BOOTSECT.BAK") returned 1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="bootmgr") returned 1 [0105.384] lstrcmpiW (lpString1="Favorites.vssx", lpString2="programdata") returned -1 [0105.385] lstrcmpiW (lpString1="Favorites.vssx", lpString2="appdata") returned 1 [0105.385] lstrcmpiW (lpString1="Favorites.vssx", lpString2="program files") returned -1 [0105.385] lstrcmpiW (lpString1="Favorites.vssx", lpString2="program files (x86)") returned -1 [0105.385] lstrcmpiW (lpString1="Favorites.vssx", lpString2="microsoft") returned -1 [0105.385] lstrcmpiW (lpString1="Favorites.vssx", lpString2="sophos") returned -1 [0105.385] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0105.385] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0105.385] PathFindExtensionW (pszPath="Favorites.vssx") returned=".vssx" [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".exe") returned 1 [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".log") returned 1 [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".cab") returned 1 [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".cmd") returned 1 [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".com") returned 1 [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".cpl") returned 1 [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".ini") returned 1 [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".dll") returned 1 [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".url") returned 1 [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".ttf") returned 1 [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".mp3") returned 1 [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".pif") returned 1 [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".mp4") returned 1 [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".NEFILIM") returned 1 [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".msi") returned 1 [0105.385] lstrcmpiW (lpString1=".vssx", lpString2=".lnk") returned 1 [0105.385] lstrcmpiW (lpString1="Favorites.vssx", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.385] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e340 [0105.385] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\Favorites.vssx" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\favorites.vssx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0105.385] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=0) returned 1 [0105.385] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.386] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.386] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.386] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.386] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0105.386] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.386] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be798*=0x100) returned 1 [0105.386] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be794*=0x100) returned 1 [0105.386] GetTickCount () returned 0x115b7d3 [0105.386] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0105.386] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0105.386] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.386] SetLastError (dwErrCode=0x0) [0105.386] WriteFile (in: hFile=0x270, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.387] GetLastError () returned 0x0 [0105.387] GetLastError () returned 0x0 [0105.387] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x100, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.387] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.387] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x200, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.387] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x39ce5e77, dwHighDateTime=0x1d5f971)) [0105.387] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be08 [0105.388] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0105.388] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0105.388] GetProcessHeap () returned 0xbc0000 [0105.388] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x0) returned 0xbe36c0 [0105.388] GetSystemDefaultLangID () returned 0xbd0409 [0105.388] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.388] ReadFile (in: hFile=0x270, lpBuffer=0xbe36c0, nNumberOfBytesToRead=0x0, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbe36c0*, lpNumberOfBytesRead=0x25be7fc*=0x0, lpOverlapped=0x0) returned 1 [0105.388] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.388] WriteFile (in: hFile=0x270, lpBuffer=0xbe36c0*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbe36c0*, lpNumberOfBytesWritten=0x25be7f0*=0x0, lpOverlapped=0x0) returned 1 [0105.388] GetProcessHeap () returned 0xbc0000 [0105.388] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe36c0 | out: hHeap=0xbc0000) returned 1 [0105.388] CloseHandle (hObject=0x270) returned 1 [0105.388] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0105.388] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0105.388] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.388] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.388] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0105.388] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\Favorites.vssx" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\favorites.vssx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\Favorites.vssx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\favorites.vssx.nefilim")) returned 1 [0105.389] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0105.389] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0105.389] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="_private", cAlternateFileName="")) returned 1 [0105.389] lstrcmpiW (lpString1="_private", lpString2=".") returned 1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="..") returned 1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="...") returned 1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="windows") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="$RECYCLE.BIN") returned 1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="rsa") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="NTDETECT.COM") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="ntldr") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="MSDOS.SYS") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="IO.SYS") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="boot.ini") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="AUTOEXEC.BAT") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="ntuser.dat") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="desktop.ini") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="CONFIG.SYS") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="RECYCLER") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="BOOTSECT.BAK") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="bootmgr") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="programdata") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="appdata") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="program files") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="program files (x86)") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="microsoft") returned -1 [0105.389] lstrcmpiW (lpString1="_private", lpString2="sophos") returned -1 [0105.389] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e340 [0105.389] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0105.389] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0105.389] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0105.389] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0105.389] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e340, dwReserved1=0x3000000, cFileName=".", cAlternateFileName="")) returned 0xbe2b08 [0105.390] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.390] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e340, dwReserved1=0x3000000, cFileName="..", cAlternateFileName="")) returned 1 [0105.390] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.390] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.390] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bea8c6, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0x268e340, dwReserved1=0x3000000, cFileName="folder.ico", cAlternateFileName="")) returned 1 [0105.390] lstrcmpiW (lpString1="folder.ico", lpString2=".") returned 1 [0105.390] lstrcmpiW (lpString1="folder.ico", lpString2="..") returned 1 [0105.390] lstrcmpiW (lpString1="folder.ico", lpString2="...") returned 1 [0105.390] lstrcmpiW (lpString1="folder.ico", lpString2="windows") returned -1 [0105.390] lstrcmpiW (lpString1="folder.ico", lpString2="$RECYCLE.BIN") returned 1 [0105.390] lstrcmpiW (lpString1="folder.ico", lpString2="rsa") returned -1 [0105.390] lstrcmpiW (lpString1="folder.ico", lpString2="NTDETECT.COM") returned -1 [0105.390] lstrcmpiW (lpString1="folder.ico", lpString2="ntldr") returned -1 [0105.390] lstrcmpiW (lpString1="folder.ico", lpString2="MSDOS.SYS") returned -1 [0105.390] lstrcmpiW (lpString1="folder.ico", lpString2="IO.SYS") returned -1 [0105.390] lstrcmpiW (lpString1="folder.ico", lpString2="boot.ini") returned 1 [0105.390] lstrcmpiW (lpString1="folder.ico", lpString2="AUTOEXEC.BAT") returned 1 [0105.391] lstrcmpiW (lpString1="folder.ico", lpString2="ntuser.dat") returned -1 [0105.391] lstrcmpiW (lpString1="folder.ico", lpString2="desktop.ini") returned 1 [0105.391] lstrcmpiW (lpString1="folder.ico", lpString2="CONFIG.SYS") returned 1 [0105.391] lstrcmpiW (lpString1="folder.ico", lpString2="RECYCLER") returned -1 [0105.391] lstrcmpiW (lpString1="folder.ico", lpString2="BOOTSECT.BAK") returned 1 [0105.391] lstrcmpiW (lpString1="folder.ico", lpString2="bootmgr") returned 1 [0105.391] lstrcmpiW (lpString1="folder.ico", lpString2="programdata") returned -1 [0105.391] lstrcmpiW (lpString1="folder.ico", lpString2="appdata") returned 1 [0105.391] lstrcmpiW (lpString1="folder.ico", lpString2="program files") returned -1 [0105.391] lstrcmpiW (lpString1="folder.ico", lpString2="program files (x86)") returned -1 [0105.391] lstrcmpiW (lpString1="folder.ico", lpString2="microsoft") returned -1 [0105.391] lstrcmpiW (lpString1="folder.ico", lpString2="sophos") returned -1 [0105.391] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e800 [0105.391] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0105.391] PathFindExtensionW (pszPath="folder.ico") returned=".ico" [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".exe") returned 1 [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".log") returned -1 [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".cab") returned 1 [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".cmd") returned 1 [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".com") returned 1 [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".cpl") returned 1 [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".ini") returned -1 [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".dll") returned 1 [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".url") returned -1 [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".ttf") returned -1 [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".mp3") returned -1 [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".pif") returned -1 [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".mp4") returned -1 [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".NEFILIM") returned -1 [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".msi") returned -1 [0105.391] lstrcmpiW (lpString1=".ico", lpString2=".lnk") returned -1 [0105.391] lstrcmpiW (lpString1="folder.ico", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.391] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0105.391] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\folder.ico"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.392] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=29926) returned 1 [0105.392] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0105.392] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.392] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0105.392] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.392] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0105.392] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0105.392] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.393] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.393] GetTickCount () returned 0x115b7d3 [0105.393] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0105.393] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0105.393] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x74e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.393] SetLastError (dwErrCode=0x0) [0105.393] WriteFile (in: hFile=0x274, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.490] GetLastError () returned 0x0 [0105.490] GetLastError () returned 0x0 [0105.490] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x75e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.490] WriteFile (in: hFile=0x274, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.490] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x76e6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.490] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x39df0faf, dwHighDateTime=0x1d5f971)) [0105.490] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e3a8 [0105.490] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a8 | out: hHeap=0x2680000) returned 1 [0105.490] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.491] GetProcessHeap () returned 0xbc0000 [0105.491] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x74e6) returned 0xbf3640 [0105.491] GetSystemDefaultLangID () returned 0xbd0409 [0105.491] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.491] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x74e6, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x74e6, lpOverlapped=0x0) returned 1 [0105.493] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.493] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x74e6, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x74e6, lpOverlapped=0x0) returned 1 [0105.493] GetProcessHeap () returned 0xbc0000 [0105.493] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.494] CloseHandle (hObject=0x274) returned 1 [0105.494] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0105.494] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0105.494] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0105.494] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.494] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e878 [0105.494] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\folder.ico" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\folder.ico"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\My Shapes\\_private\\folder.ico.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\my shapes\\_private\\folder.ico.nefilim")) returned 1 [0105.495] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e878 | out: hHeap=0x2680000) returned 1 [0105.495] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0105.495] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x2, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xc1bc4716, ftLastAccessTime.dwHighDateTime=0x1d47c35, ftLastWriteTime.dwLowDateTime=0xc1bea8c6, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x74e6, dwReserved0=0x268e340, dwReserved1=0x3000000, cFileName="folder.ico", cAlternateFileName="")) returned 0 [0105.495] FindClose (in: hFindFile=0xbe2b08 | out: hFindFile=0xbe2b08) returned 1 [0105.495] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0105.495] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0105.495] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0105.495] FindNextFileW (in: hFindFile=0xbe2648, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x12, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x1d47c35, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="_private", cAlternateFileName="")) returned 0 [0105.495] FindClose (in: hFindFile=0xbe2648 | out: hFindFile=0xbe2648) returned 1 [0105.495] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0105.495] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.496] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0105.496] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="...") returned 1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="$RECYCLE.BIN") returned 1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="rsa") returned -1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="NTDETECT.COM") returned -1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="ntldr") returned -1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="MSDOS.SYS") returned 1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="IO.SYS") returned 1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="boot.ini") returned 1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="AUTOEXEC.BAT") returned 1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="ntuser.dat") returned -1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="desktop.ini") returned 1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="CONFIG.SYS") returned 1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="RECYCLER") returned -1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="BOOTSECT.BAK") returned 1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="programdata") returned -1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="appdata") returned 1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="program files") returned -1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="program files (x86)") returned -1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="microsoft") returned 1 [0105.496] lstrcmpiW (lpString1="My Videos", lpString2="sophos") returned -1 [0105.496] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0105.496] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.496] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0105.496] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0105.496] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0105.496] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\My Videos\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0xf00003f3, ftCreationTime.dwLowDateTime=0xc1bc4716, ftCreationTime.dwHighDateTime=0x1d47c35, ftLastAccessTime.dwLowDateTime=0xd44481c9, ftLastAccessTime.dwHighDateTime=0x22000022, ftLastWriteTime.dwLowDateTime=0xc1bc4716, ftLastWriteTime.dwHighDateTime=0x22000022, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x80, cFileName="", cAlternateFileName="ɛ⊺ĊҸɨԐɨH")) returned 0xffffffff [0105.497] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0105.497] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.497] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.497] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84ec7770, ftCreationTime.dwHighDateTime=0x1d5cf5f, ftLastAccessTime.dwLowDateTime=0xd7615860, ftLastAccessTime.dwHighDateTime=0x1d5d22d, ftLastWriteTime.dwLowDateTime=0xd7615860, ftLastWriteTime.dwHighDateTime=0x1d5d22d, nFileSizeHigh=0x0, nFileSizeLow=0x16cc6, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="nUqvejwX.docx", cAlternateFileName="NUQVEJ~1.DOC")) returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2=".") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="..") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="...") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="windows") returned -1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="$RECYCLE.BIN") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="rsa") returned -1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="NTDETECT.COM") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="ntldr") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="MSDOS.SYS") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="IO.SYS") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="boot.ini") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="AUTOEXEC.BAT") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="ntuser.dat") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="desktop.ini") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="CONFIG.SYS") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="RECYCLER") returned -1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="BOOTSECT.BAK") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="bootmgr") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="programdata") returned -1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="appdata") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="program files") returned -1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="program files (x86)") returned -1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="microsoft") returned 1 [0105.497] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="sophos") returned -1 [0105.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0105.497] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0105.497] PathFindExtensionW (pszPath="nUqvejwX.docx") returned=".docx" [0105.497] lstrcmpiW (lpString1=".docx", lpString2=".exe") returned -1 [0105.497] lstrcmpiW (lpString1=".docx", lpString2=".log") returned -1 [0105.497] lstrcmpiW (lpString1=".docx", lpString2=".cab") returned 1 [0105.497] lstrcmpiW (lpString1=".docx", lpString2=".cmd") returned 1 [0105.498] lstrcmpiW (lpString1=".docx", lpString2=".com") returned 1 [0105.498] lstrcmpiW (lpString1=".docx", lpString2=".cpl") returned 1 [0105.498] lstrcmpiW (lpString1=".docx", lpString2=".ini") returned -1 [0105.498] lstrcmpiW (lpString1=".docx", lpString2=".dll") returned 1 [0105.498] lstrcmpiW (lpString1=".docx", lpString2=".url") returned -1 [0105.498] lstrcmpiW (lpString1=".docx", lpString2=".ttf") returned -1 [0105.498] lstrcmpiW (lpString1=".docx", lpString2=".mp3") returned -1 [0105.498] lstrcmpiW (lpString1=".docx", lpString2=".pif") returned -1 [0105.498] lstrcmpiW (lpString1=".docx", lpString2=".mp4") returned -1 [0105.498] lstrcmpiW (lpString1=".docx", lpString2=".NEFILIM") returned -1 [0105.498] lstrcmpiW (lpString1=".docx", lpString2=".msi") returned -1 [0105.498] lstrcmpiW (lpString1=".docx", lpString2=".lnk") returned -1 [0105.498] lstrcmpiW (lpString1="nUqvejwX.docx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0105.498] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0105.498] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\nUqvejwX.docx" (normalized: "c:\\users\\fd1hvy\\documents\\nuqvejwx.docx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0105.498] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=93382) returned 1 [0105.498] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.498] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.498] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.498] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.498] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0105.498] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.498] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25beab8*=0x100) returned 1 [0105.499] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab4*=0x100) returned 1 [0105.499] GetTickCount () returned 0x115b840 [0105.499] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0105.499] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0105.499] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16cc6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.499] SetLastError (dwErrCode=0x0) [0105.499] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0105.500] GetLastError () returned 0x0 [0105.500] GetLastError () returned 0x0 [0105.500] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16dc6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.500] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0105.500] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16ec6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.500] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x39df0faf, dwHighDateTime=0x1d5f971)) [0105.500] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e2e8 [0105.500] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.500] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0105.500] GetProcessHeap () returned 0xbc0000 [0105.500] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x16cc6) returned 0xbf1630 [0105.500] GetSystemDefaultLangID () returned 0xbd0409 [0105.500] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.500] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x16cc6, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x16cc6, lpOverlapped=0x0) returned 1 [0105.505] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.505] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x16cc6, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x16cc6, lpOverlapped=0x0) returned 1 [0105.506] GetProcessHeap () returned 0xbc0000 [0105.506] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0105.506] CloseHandle (hObject=0x26c) returned 1 [0105.506] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0105.506] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0105.506] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.506] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.506] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0105.506] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\nUqvejwX.docx" (normalized: "c:\\users\\fd1hvy\\documents\\nuqvejwx.docx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\nUqvejwX.docx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\nuqvejwx.docx.nefilim")) returned 1 [0105.506] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.507] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0105.507] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x5ee892ad, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x5ee892ad, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="Outlook Files", cAlternateFileName="OUTLOO~1")) returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2=".") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="..") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="...") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="windows") returned -1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="$RECYCLE.BIN") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="rsa") returned -1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="NTDETECT.COM") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="ntldr") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="MSDOS.SYS") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="IO.SYS") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="boot.ini") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="AUTOEXEC.BAT") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="ntuser.dat") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="desktop.ini") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="CONFIG.SYS") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="RECYCLER") returned -1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="BOOTSECT.BAK") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="bootmgr") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="programdata") returned -1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="appdata") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="program files") returned -1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="program files (x86)") returned -1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="microsoft") returned 1 [0105.507] lstrcmpiW (lpString1="Outlook Files", lpString2="sophos") returned -1 [0105.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0105.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x76) returned 0x268e2e8 [0105.507] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0105.507] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e368 [0105.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0105.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680520 [0105.507] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x5ee892ad, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x67d00605, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x29000029, cFileName=".", cAlternateFileName="")) returned 0xbe2408 [0105.508] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.508] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa73182d0, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0x5ee892ad, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x67d00605, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680510, dwReserved1=0x29000029, cFileName="..", cAlternateFileName="")) returned 1 [0105.508] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.508] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.508] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x67d00605, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x2680510, dwReserved1=0x29000029, cFileName="kkcie@kdj.kd.pst", cAlternateFileName="KKCIE@~1.PST")) returned 1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2=".") returned 1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="..") returned 1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="...") returned 1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="windows") returned -1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="$RECYCLE.BIN") returned 1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="rsa") returned -1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="NTDETECT.COM") returned -1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="ntldr") returned -1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="MSDOS.SYS") returned -1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="IO.SYS") returned 1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="boot.ini") returned 1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="AUTOEXEC.BAT") returned 1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="ntuser.dat") returned -1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="desktop.ini") returned 1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="CONFIG.SYS") returned 1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="RECYCLER") returned -1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="BOOTSECT.BAK") returned 1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="bootmgr") returned 1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="programdata") returned -1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="appdata") returned 1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="program files") returned -1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="program files (x86)") returned -1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="microsoft") returned -1 [0105.508] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="sophos") returned -1 [0105.508] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0105.509] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0105.509] PathFindExtensionW (pszPath="kkcie@kdj.kd.pst") returned=".pst" [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".exe") returned 1 [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".log") returned 1 [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".cab") returned 1 [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".cmd") returned 1 [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".com") returned 1 [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".cpl") returned 1 [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".ini") returned 1 [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".dll") returned 1 [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".url") returned -1 [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".ttf") returned -1 [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".mp3") returned 1 [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".pif") returned 1 [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".mp4") returned 1 [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".NEFILIM") returned 1 [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".msi") returned 1 [0105.509] lstrcmpiW (lpString1=".pst", lpString2=".lnk") returned 1 [0105.509] lstrcmpiW (lpString1="kkcie@kdj.kd.pst", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.509] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x2680520 [0105.509] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\kkcie@kdj.kd.pst"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0105.509] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=271360) returned 1 [0105.509] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0105.509] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.509] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0105.509] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.509] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0105.509] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0105.509] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be798*=0x100) returned 1 [0105.510] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be794*=0x100) returned 1 [0105.510] GetTickCount () returned 0x115b850 [0105.510] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e7a0 [0105.510] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e7a0 | out: hHeap=0x2680000) returned 1 [0105.510] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x42400, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.510] SetLastError (dwErrCode=0x0) [0105.510] WriteFile (in: hFile=0x270, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.513] GetLastError () returned 0x0 [0105.513] GetLastError () returned 0x0 [0105.513] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x42500, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.513] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.513] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x42600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.513] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x39e171a5, dwHighDateTime=0x1d5f971)) [0105.513] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be18 [0105.513] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0105.513] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0105.513] GetProcessHeap () returned 0xbc0000 [0105.513] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x42400) returned 0xbf2638 [0105.514] GetSystemDefaultLangID () returned 0xbd0409 [0105.514] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.514] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x42400, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x42400, lpOverlapped=0x0) returned 1 [0105.529] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.529] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x42400, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x42400, lpOverlapped=0x0) returned 1 [0105.530] GetProcessHeap () returned 0xbc0000 [0105.530] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0105.530] CloseHandle (hObject=0x270) returned 1 [0105.530] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0105.531] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0105.531] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0f0 | out: hHeap=0x2680000) returned 1 [0105.531] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.531] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be18 [0105.531] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\kkcie@kdj.kd.pst"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\Outlook Files\\kkcie@kdj.kd.pst.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\outlook files\\kkcie@kdj.kd.pst.nefilim")) returned 1 [0105.531] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0105.531] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0105.531] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa736477a, ftCreationTime.dwHighDateTime=0x1d327c8, ftLastAccessTime.dwLowDateTime=0xa736477a, ftLastAccessTime.dwHighDateTime=0x1d327c8, ftLastWriteTime.dwLowDateTime=0x67d00605, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x42400, dwReserved0=0x2680510, dwReserved1=0x29000029, cFileName="kkcie@kdj.kd.pst", cAlternateFileName="KKCIE@~1.PST")) returned 0 [0105.531] FindClose (in: hFindFile=0xbe2408 | out: hFindFile=0xbe2408) returned 1 [0105.531] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0105.531] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.531] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e368 | out: hHeap=0x2680000) returned 1 [0105.531] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe0764c60, ftCreationTime.dwHighDateTime=0x1d5e4f4, ftLastAccessTime.dwLowDateTime=0xdc754d00, ftLastAccessTime.dwHighDateTime=0x1d5e535, ftLastWriteTime.dwLowDateTime=0xdc754d00, ftLastWriteTime.dwHighDateTime=0x1d5e535, nFileSizeHigh=0x0, nFileSizeLow=0xcf05, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="PeG0v WvSO1omOojtz.xlsx", cAlternateFileName="PEG0VW~1.XLS")) returned 1 [0105.531] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2=".") returned 1 [0105.531] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="..") returned 1 [0105.531] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="...") returned 1 [0105.531] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="windows") returned -1 [0105.531] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0105.531] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="rsa") returned -1 [0105.531] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="NTDETECT.COM") returned 1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="ntldr") returned 1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="MSDOS.SYS") returned 1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="IO.SYS") returned 1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="boot.ini") returned 1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="ntuser.dat") returned 1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="desktop.ini") returned 1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="CONFIG.SYS") returned 1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="RECYCLER") returned -1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="bootmgr") returned 1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="programdata") returned -1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="appdata") returned 1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="program files") returned -1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="program files (x86)") returned -1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="microsoft") returned 1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="sophos") returned -1 [0105.532] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e368 [0105.532] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.532] PathFindExtensionW (pszPath="PeG0v WvSO1omOojtz.xlsx") returned=".xlsx" [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0105.532] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0105.532] lstrcmpiW (lpString1="PeG0v WvSO1omOojtz.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0105.533] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0105.533] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\PeG0v WvSO1omOojtz.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\peg0v wvso1omoojtz.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0105.533] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=52997) returned 1 [0105.533] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.533] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.533] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.533] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.533] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.533] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0105.533] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab8*=0x100) returned 1 [0105.533] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x100) returned 1 [0105.533] GetTickCount () returned 0x115b85f [0105.533] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0105.533] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0105.533] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xcf05, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.533] SetLastError (dwErrCode=0x0) [0105.533] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0105.534] GetLastError () returned 0x0 [0105.534] GetLastError () returned 0x0 [0105.534] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd005, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.534] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0105.535] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xd105, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.535] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x39e3d306, dwHighDateTime=0x1d5f971)) [0105.535] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.535] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.535] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0105.535] GetProcessHeap () returned 0xbc0000 [0105.535] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xcf05) returned 0xbf1630 [0105.535] GetSystemDefaultLangID () returned 0xbd0409 [0105.535] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.535] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xcf05, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xcf05, lpOverlapped=0x0) returned 1 [0105.715] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.715] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xcf05, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xcf05, lpOverlapped=0x0) returned 1 [0105.715] GetProcessHeap () returned 0xbc0000 [0105.716] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0105.716] CloseHandle (hObject=0x26c) returned 1 [0105.716] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0105.716] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0105.716] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.716] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.716] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0105.716] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\PeG0v WvSO1omOojtz.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\peg0v wvso1omoojtz.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\PeG0v WvSO1omOojtz.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\peg0v wvso1omoojtz.xlsx.nefilim")) returned 1 [0105.718] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.718] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.718] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82bb1400, ftCreationTime.dwHighDateTime=0x1d578e5, ftLastAccessTime.dwLowDateTime=0x1873fcc0, ftLastAccessTime.dwHighDateTime=0x1d5be85, ftLastWriteTime.dwLowDateTime=0x1873fcc0, ftLastWriteTime.dwHighDateTime=0x1d5be85, nFileSizeHigh=0x0, nFileSizeLow=0x7546, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="uvHaO.pptx", cAlternateFileName="UVHAO~1.PPT")) returned 1 [0105.718] lstrcmpiW (lpString1="uvHaO.pptx", lpString2=".") returned 1 [0105.718] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="..") returned 1 [0105.718] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="...") returned 1 [0105.718] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="windows") returned -1 [0105.718] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="$RECYCLE.BIN") returned 1 [0105.718] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="rsa") returned 1 [0105.718] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="NTDETECT.COM") returned 1 [0105.718] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="ntldr") returned 1 [0105.718] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="MSDOS.SYS") returned 1 [0105.718] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="IO.SYS") returned 1 [0105.718] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="boot.ini") returned 1 [0105.719] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0105.719] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="ntuser.dat") returned 1 [0105.719] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="desktop.ini") returned 1 [0105.719] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="CONFIG.SYS") returned 1 [0105.719] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="RECYCLER") returned 1 [0105.719] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="BOOTSECT.BAK") returned 1 [0105.719] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="bootmgr") returned 1 [0105.719] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="programdata") returned 1 [0105.719] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="appdata") returned 1 [0105.719] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="program files") returned 1 [0105.719] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="program files (x86)") returned 1 [0105.719] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="microsoft") returned 1 [0105.719] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="sophos") returned 1 [0105.719] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0105.719] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e368 | out: hHeap=0x2680000) returned 1 [0105.719] PathFindExtensionW (pszPath="uvHaO.pptx") returned=".pptx" [0105.719] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0105.719] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0105.719] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0105.719] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0105.719] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0105.719] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0105.720] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0105.720] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0105.720] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0105.720] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0105.720] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0105.720] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0105.720] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0105.720] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0105.720] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0105.720] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0105.720] lstrcmpiW (lpString1="uvHaO.pptx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0105.720] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0105.720] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\uvHaO.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\uvhao.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0105.720] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=30022) returned 1 [0105.721] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.721] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0105.721] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.721] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0105.721] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0105.721] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0105.721] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25beab8*=0x100) returned 1 [0105.721] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25beab4*=0x100) returned 1 [0105.722] GetTickCount () returned 0x115b91b [0105.722] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0105.722] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0105.722] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x7546, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.722] SetLastError (dwErrCode=0x0) [0105.722] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0105.724] GetLastError () returned 0x0 [0105.724] GetLastError () returned 0x0 [0105.724] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x7646, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.724] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0105.724] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x7746, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.724] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3a02d0e8, dwHighDateTime=0x1d5f971)) [0105.724] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e398 [0105.724] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0105.724] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0105.724] GetProcessHeap () returned 0xbc0000 [0105.724] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x7546) returned 0xbf1630 [0105.724] GetSystemDefaultLangID () returned 0xbd0409 [0105.724] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.724] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x7546, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x7546, lpOverlapped=0x0) returned 1 [0105.727] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.727] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x7546, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x7546, lpOverlapped=0x0) returned 1 [0105.728] GetProcessHeap () returned 0xbc0000 [0105.728] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0105.728] CloseHandle (hObject=0x26c) returned 1 [0105.728] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0105.728] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0105.728] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.728] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0f0 | out: hHeap=0x2680000) returned 1 [0105.728] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0105.728] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\uvHaO.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\uvhao.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\uvHaO.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\uvhao.pptx.nefilim")) returned 1 [0105.729] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.729] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0105.729] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96b28120, ftCreationTime.dwHighDateTime=0x1d585ea, ftLastAccessTime.dwLowDateTime=0x3095c010, ftLastAccessTime.dwHighDateTime=0x1d5c59f, ftLastWriteTime.dwLowDateTime=0x3095c010, ftLastWriteTime.dwHighDateTime=0x1d5c59f, nFileSizeHigh=0x0, nFileSizeLow=0x160e8, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="wFz6bIYS9.pptx", cAlternateFileName="WFZ6BI~1.PPT")) returned 1 [0105.729] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2=".") returned 1 [0105.729] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="..") returned 1 [0105.729] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="...") returned 1 [0105.729] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="windows") returned -1 [0105.729] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="$RECYCLE.BIN") returned 1 [0105.729] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="rsa") returned 1 [0105.729] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="NTDETECT.COM") returned 1 [0105.729] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="ntldr") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="MSDOS.SYS") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="IO.SYS") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="boot.ini") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="AUTOEXEC.BAT") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="ntuser.dat") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="desktop.ini") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="CONFIG.SYS") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="RECYCLER") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="BOOTSECT.BAK") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="bootmgr") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="programdata") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="appdata") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="program files") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="program files (x86)") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="microsoft") returned 1 [0105.730] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="sophos") returned 1 [0105.730] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e340 [0105.730] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.730] PathFindExtensionW (pszPath="wFz6bIYS9.pptx") returned=".pptx" [0105.730] lstrcmpiW (lpString1=".pptx", lpString2=".exe") returned 1 [0105.730] lstrcmpiW (lpString1=".pptx", lpString2=".log") returned 1 [0105.730] lstrcmpiW (lpString1=".pptx", lpString2=".cab") returned 1 [0105.730] lstrcmpiW (lpString1=".pptx", lpString2=".cmd") returned 1 [0105.730] lstrcmpiW (lpString1=".pptx", lpString2=".com") returned 1 [0105.730] lstrcmpiW (lpString1=".pptx", lpString2=".cpl") returned 1 [0105.730] lstrcmpiW (lpString1=".pptx", lpString2=".ini") returned 1 [0105.731] lstrcmpiW (lpString1=".pptx", lpString2=".dll") returned 1 [0105.731] lstrcmpiW (lpString1=".pptx", lpString2=".url") returned -1 [0105.731] lstrcmpiW (lpString1=".pptx", lpString2=".ttf") returned -1 [0105.731] lstrcmpiW (lpString1=".pptx", lpString2=".mp3") returned 1 [0105.731] lstrcmpiW (lpString1=".pptx", lpString2=".pif") returned 1 [0105.731] lstrcmpiW (lpString1=".pptx", lpString2=".mp4") returned 1 [0105.731] lstrcmpiW (lpString1=".pptx", lpString2=".NEFILIM") returned 1 [0105.731] lstrcmpiW (lpString1=".pptx", lpString2=".msi") returned 1 [0105.731] lstrcmpiW (lpString1=".pptx", lpString2=".lnk") returned 1 [0105.731] lstrcmpiW (lpString1="wFz6bIYS9.pptx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0105.731] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0105.731] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\wFz6bIYS9.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\wfz6biys9.pptx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0105.731] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=90344) returned 1 [0105.731] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0105.731] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.731] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0105.731] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.731] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0105.731] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.731] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0105.731] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab4*=0x100) returned 1 [0105.736] GetTickCount () returned 0x115b92b [0105.736] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0105.736] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0105.736] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x160e8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.736] SetLastError (dwErrCode=0x0) [0105.736] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0105.740] GetLastError () returned 0x0 [0105.740] GetLastError () returned 0x0 [0105.740] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x161e8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.740] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0105.740] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x162e8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.740] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3a05344b, dwHighDateTime=0x1d5f971)) [0105.740] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e3a8 [0105.740] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a8 | out: hHeap=0x2680000) returned 1 [0105.740] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0105.740] GetProcessHeap () returned 0xbc0000 [0105.740] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x160e8) returned 0xbf1630 [0105.741] GetSystemDefaultLangID () returned 0xbd0409 [0105.741] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.741] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x160e8, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x160e8, lpOverlapped=0x0) returned 1 [0105.746] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.746] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x160e8, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x160e8, lpOverlapped=0x0) returned 1 [0105.747] GetProcessHeap () returned 0xbc0000 [0105.747] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0105.747] CloseHandle (hObject=0x26c) returned 1 [0105.747] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0105.747] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0105.747] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0105.747] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.747] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680520 [0105.747] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\wFz6bIYS9.pptx" (normalized: "c:\\users\\fd1hvy\\documents\\wfz6biys9.pptx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\wFz6bIYS9.pptx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\wfz6biys9.pptx.nefilim")) returned 1 [0105.747] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0105.747] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.747] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xebfe81b0, ftCreationTime.dwHighDateTime=0x1d5b40c, ftLastAccessTime.dwLowDateTime=0xb38c7650, ftLastAccessTime.dwHighDateTime=0x1d5ec30, ftLastWriteTime.dwLowDateTime=0xb38c7650, ftLastWriteTime.dwHighDateTime=0x1d5ec30, nFileSizeHigh=0x0, nFileSizeLow=0x184b7, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="xDx_kUs.xlsx", cAlternateFileName="XDX_KU~1.XLS")) returned 1 [0105.747] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2=".") returned 1 [0105.747] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="..") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="...") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="windows") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="rsa") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="NTDETECT.COM") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="ntldr") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="MSDOS.SYS") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="IO.SYS") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="boot.ini") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="ntuser.dat") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="desktop.ini") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="CONFIG.SYS") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="RECYCLER") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="bootmgr") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="programdata") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="appdata") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="program files") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="program files (x86)") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="microsoft") returned 1 [0105.748] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="sophos") returned 1 [0105.748] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0105.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0105.748] PathFindExtensionW (pszPath="xDx_kUs.xlsx") returned=".xlsx" [0105.748] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0105.748] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0105.748] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0105.748] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0105.748] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0105.748] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0105.748] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0105.748] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0105.748] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0105.748] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0105.748] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0105.748] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0105.749] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0105.749] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0105.749] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0105.749] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0105.749] lstrcmpiW (lpString1="xDx_kUs.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0105.749] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0105.749] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\xDx_kUs.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\xdx_kus.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0105.749] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=99511) returned 1 [0105.749] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.749] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.749] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.749] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.749] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0105.749] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0105.749] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25beab8*=0x100) returned 1 [0105.749] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25beab4*=0x100) returned 1 [0105.749] GetTickCount () returned 0x115b93a [0105.750] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0105.750] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0105.750] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x184b7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.750] SetLastError (dwErrCode=0x0) [0105.750] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0105.750] GetLastError () returned 0x0 [0105.750] GetLastError () returned 0x0 [0105.750] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x185b7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.750] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0105.751] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x186b7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.751] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3a05344b, dwHighDateTime=0x1d5f971)) [0105.751] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e398 [0105.751] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0105.751] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0105.751] GetProcessHeap () returned 0xbc0000 [0105.751] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x184b7) returned 0xbf1630 [0105.751] GetSystemDefaultLangID () returned 0xbd0409 [0105.751] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.751] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x184b7, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x184b7, lpOverlapped=0x0) returned 1 [0105.812] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.812] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x184b7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x184b7, lpOverlapped=0x0) returned 1 [0105.813] GetProcessHeap () returned 0xbc0000 [0105.813] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0105.813] CloseHandle (hObject=0x26c) returned 1 [0105.813] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0105.813] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0105.813] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.813] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.813] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0105.813] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\xDx_kUs.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\xdx_kus.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\xDx_kUs.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\xdx_kus.xlsx.nefilim")) returned 1 [0105.814] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.814] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0105.814] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502cda30, ftCreationTime.dwHighDateTime=0x1d58dc8, ftLastAccessTime.dwLowDateTime=0xdff94cf0, ftLastAccessTime.dwHighDateTime=0x1d58b8b, ftLastWriteTime.dwLowDateTime=0xdff94cf0, ftLastWriteTime.dwHighDateTime=0x1d58b8b, nFileSizeHigh=0x0, nFileSizeLow=0x12c2f, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="Xu6Fgz-lmMUiK5Y.xlsx", cAlternateFileName="XU6FGZ~1.XLS")) returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2=".") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="..") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="...") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="windows") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="$RECYCLE.BIN") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="rsa") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="NTDETECT.COM") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="ntldr") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="MSDOS.SYS") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="IO.SYS") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="boot.ini") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="AUTOEXEC.BAT") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="ntuser.dat") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="desktop.ini") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="CONFIG.SYS") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="RECYCLER") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="BOOTSECT.BAK") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="bootmgr") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="programdata") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="appdata") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="program files") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="program files (x86)") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="microsoft") returned 1 [0105.814] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="sophos") returned 1 [0105.814] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e340 [0105.814] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.814] PathFindExtensionW (pszPath="Xu6Fgz-lmMUiK5Y.xlsx") returned=".xlsx" [0105.814] lstrcmpiW (lpString1=".xlsx", lpString2=".exe") returned 1 [0105.814] lstrcmpiW (lpString1=".xlsx", lpString2=".log") returned 1 [0105.815] lstrcmpiW (lpString1=".xlsx", lpString2=".cab") returned 1 [0105.815] lstrcmpiW (lpString1=".xlsx", lpString2=".cmd") returned 1 [0105.815] lstrcmpiW (lpString1=".xlsx", lpString2=".com") returned 1 [0105.815] lstrcmpiW (lpString1=".xlsx", lpString2=".cpl") returned 1 [0105.815] lstrcmpiW (lpString1=".xlsx", lpString2=".ini") returned 1 [0105.815] lstrcmpiW (lpString1=".xlsx", lpString2=".dll") returned 1 [0105.815] lstrcmpiW (lpString1=".xlsx", lpString2=".url") returned 1 [0105.815] lstrcmpiW (lpString1=".xlsx", lpString2=".ttf") returned 1 [0105.815] lstrcmpiW (lpString1=".xlsx", lpString2=".mp3") returned 1 [0105.815] lstrcmpiW (lpString1=".xlsx", lpString2=".pif") returned 1 [0105.815] lstrcmpiW (lpString1=".xlsx", lpString2=".mp4") returned 1 [0105.815] lstrcmpiW (lpString1=".xlsx", lpString2=".NEFILIM") returned 1 [0105.815] lstrcmpiW (lpString1=".xlsx", lpString2=".msi") returned 1 [0105.815] lstrcmpiW (lpString1=".xlsx", lpString2=".lnk") returned 1 [0105.815] lstrcmpiW (lpString1="Xu6Fgz-lmMUiK5Y.xlsx", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0105.815] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0105.815] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\Xu6Fgz-lmMUiK5Y.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\xu6fgz-lmmuik5y.xlsx"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0105.815] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=76847) returned 1 [0105.815] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0105.815] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.815] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0105.815] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.815] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0105.815] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.815] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0105.816] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25beab4*=0x100) returned 1 [0105.817] GetTickCount () returned 0x115b988 [0105.817] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0105.817] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0105.817] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x12c2f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.817] SetLastError (dwErrCode=0x0) [0105.817] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0105.818] GetLastError () returned 0x0 [0105.818] GetLastError () returned 0x0 [0105.818] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x12d2f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.818] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0105.818] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x12e2f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.818] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3a112092, dwHighDateTime=0x1d5f971)) [0105.818] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e3a8 [0105.818] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a8 | out: hHeap=0x2680000) returned 1 [0105.818] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0105.819] GetProcessHeap () returned 0xbc0000 [0105.819] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x12c2f) returned 0xbf1630 [0105.820] GetSystemDefaultLangID () returned 0xbd0409 [0105.820] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.820] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x12c2f, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x12c2f, lpOverlapped=0x0) returned 1 [0105.824] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.824] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x12c2f, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x12c2f, lpOverlapped=0x0) returned 1 [0105.824] GetProcessHeap () returned 0xbc0000 [0105.824] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0105.825] CloseHandle (hObject=0x26c) returned 1 [0105.825] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0105.825] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0105.825] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0105.825] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.825] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680520 [0105.825] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\Xu6Fgz-lmMUiK5Y.xlsx" (normalized: "c:\\users\\fd1hvy\\documents\\xu6fgz-lmmuik5y.xlsx"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\Xu6Fgz-lmMUiK5Y.xlsx.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\xu6fgz-lmmuik5y.xlsx.nefilim")) returned 1 [0105.825] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0105.825] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.825] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x203e23b0, ftCreationTime.dwHighDateTime=0x1d5eb97, ftLastAccessTime.dwLowDateTime=0xc09d87e0, ftLastAccessTime.dwHighDateTime=0x1d5e18f, ftLastWriteTime.dwLowDateTime=0xc09d87e0, ftLastWriteTime.dwHighDateTime=0x1d5e18f, nFileSizeHigh=0x0, nFileSizeLow=0x4dd5, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="_csCFMT1pVO2OrwH.doc", cAlternateFileName="_CSCFM~1.DOC")) returned 1 [0105.825] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2=".") returned 1 [0105.825] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="..") returned 1 [0105.825] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="...") returned 1 [0105.825] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="windows") returned -1 [0105.825] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="$RECYCLE.BIN") returned 1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="rsa") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="NTDETECT.COM") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="ntldr") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="MSDOS.SYS") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="IO.SYS") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="boot.ini") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="AUTOEXEC.BAT") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="ntuser.dat") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="desktop.ini") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="CONFIG.SYS") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="RECYCLER") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="BOOTSECT.BAK") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="bootmgr") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="programdata") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="appdata") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="program files") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="program files (x86)") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="microsoft") returned -1 [0105.826] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="sophos") returned -1 [0105.826] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0105.826] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0105.826] PathFindExtensionW (pszPath="_csCFMT1pVO2OrwH.doc") returned=".doc" [0105.826] lstrcmpiW (lpString1=".doc", lpString2=".exe") returned -1 [0105.826] lstrcmpiW (lpString1=".doc", lpString2=".log") returned -1 [0105.826] lstrcmpiW (lpString1=".doc", lpString2=".cab") returned 1 [0105.826] lstrcmpiW (lpString1=".doc", lpString2=".cmd") returned 1 [0105.826] lstrcmpiW (lpString1=".doc", lpString2=".com") returned 1 [0105.826] lstrcmpiW (lpString1=".doc", lpString2=".cpl") returned 1 [0105.826] lstrcmpiW (lpString1=".doc", lpString2=".ini") returned -1 [0105.826] lstrcmpiW (lpString1=".doc", lpString2=".dll") returned 1 [0105.826] lstrcmpiW (lpString1=".doc", lpString2=".url") returned -1 [0105.826] lstrcmpiW (lpString1=".doc", lpString2=".ttf") returned -1 [0105.826] lstrcmpiW (lpString1=".doc", lpString2=".mp3") returned -1 [0105.826] lstrcmpiW (lpString1=".doc", lpString2=".pif") returned -1 [0105.826] lstrcmpiW (lpString1=".doc", lpString2=".mp4") returned -1 [0105.827] lstrcmpiW (lpString1=".doc", lpString2=".NEFILIM") returned -1 [0105.827] lstrcmpiW (lpString1=".doc", lpString2=".msi") returned -1 [0105.827] lstrcmpiW (lpString1=".doc", lpString2=".lnk") returned -1 [0105.827] lstrcmpiW (lpString1="_csCFMT1pVO2OrwH.doc", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.827] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680520 [0105.827] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Documents\\_csCFMT1pVO2OrwH.doc" (normalized: "c:\\users\\fd1hvy\\documents\\_cscfmt1pvo2orwh.doc"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0105.827] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=19925) returned 1 [0105.827] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.827] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0105.827] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.827] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0105.827] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0105.827] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0105.827] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0105.829] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x100) returned 1 [0105.830] GetTickCount () returned 0x115b988 [0105.830] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0105.830] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0105.830] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4dd5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.830] SetLastError (dwErrCode=0x0) [0105.830] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0105.831] GetLastError () returned 0x0 [0105.831] GetLastError () returned 0x0 [0105.831] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4ed5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.831] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0105.831] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4fd5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.831] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3a112092, dwHighDateTime=0x1d5f971)) [0105.831] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e2e8 [0105.831] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.831] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0105.831] GetProcessHeap () returned 0xbc0000 [0105.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x4dd5) returned 0xbf1630 [0105.831] GetSystemDefaultLangID () returned 0xbd0409 [0105.831] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.831] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x4dd5, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x4dd5, lpOverlapped=0x0) returned 1 [0105.833] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.833] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x4dd5, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x4dd5, lpOverlapped=0x0) returned 1 [0105.833] GetProcessHeap () returned 0xbc0000 [0105.833] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0105.833] CloseHandle (hObject=0x26c) returned 1 [0105.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0105.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0105.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0105.833] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0105.833] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Documents\\_csCFMT1pVO2OrwH.doc" (normalized: "c:\\users\\fd1hvy\\documents\\_cscfmt1pvo2orwh.doc"), lpNewFileName="C:\\Users\\FD1HVy\\Documents\\_csCFMT1pVO2OrwH.doc.NEFILIM" (normalized: "c:\\users\\fd1hvy\\documents\\_cscfmt1pvo2orwh.doc.nefilim")) returned 1 [0105.834] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.834] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0105.834] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x203e23b0, ftCreationTime.dwHighDateTime=0x1d5eb97, ftLastAccessTime.dwLowDateTime=0xc09d87e0, ftLastAccessTime.dwHighDateTime=0x1d5e18f, ftLastWriteTime.dwLowDateTime=0xc09d87e0, ftLastWriteTime.dwHighDateTime=0x1d5e18f, nFileSizeHigh=0x0, nFileSizeLow=0x4dd5, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="_csCFMT1pVO2OrwH.doc", cAlternateFileName="_CSCFM~1.DOC")) returned 0 [0105.834] FindClose (in: hFindFile=0xbe2a48 | out: hFindFile=0xbe2a48) returned 1 [0105.834] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.834] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0105.834] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0105.834] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0105.834] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0105.834] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0105.834] lstrcmpiW (lpString1="Downloads", lpString2="...") returned 1 [0105.834] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0105.834] lstrcmpiW (lpString1="Downloads", lpString2="$RECYCLE.BIN") returned 1 [0105.834] lstrcmpiW (lpString1="Downloads", lpString2="rsa") returned -1 [0105.834] lstrcmpiW (lpString1="Downloads", lpString2="NTDETECT.COM") returned -1 [0105.834] lstrcmpiW (lpString1="Downloads", lpString2="ntldr") returned -1 [0105.834] lstrcmpiW (lpString1="Downloads", lpString2="MSDOS.SYS") returned -1 [0105.834] lstrcmpiW (lpString1="Downloads", lpString2="IO.SYS") returned -1 [0105.834] lstrcmpiW (lpString1="Downloads", lpString2="boot.ini") returned 1 [0105.834] lstrcmpiW (lpString1="Downloads", lpString2="AUTOEXEC.BAT") returned 1 [0105.834] lstrcmpiW (lpString1="Downloads", lpString2="ntuser.dat") returned -1 [0105.835] lstrcmpiW (lpString1="Downloads", lpString2="desktop.ini") returned 1 [0105.835] lstrcmpiW (lpString1="Downloads", lpString2="CONFIG.SYS") returned 1 [0105.835] lstrcmpiW (lpString1="Downloads", lpString2="RECYCLER") returned -1 [0105.835] lstrcmpiW (lpString1="Downloads", lpString2="BOOTSECT.BAK") returned 1 [0105.835] lstrcmpiW (lpString1="Downloads", lpString2="bootmgr") returned 1 [0105.835] lstrcmpiW (lpString1="Downloads", lpString2="programdata") returned -1 [0105.835] lstrcmpiW (lpString1="Downloads", lpString2="appdata") returned 1 [0105.835] lstrcmpiW (lpString1="Downloads", lpString2="program files") returned -1 [0105.835] lstrcmpiW (lpString1="Downloads", lpString2="program files (x86)") returned -1 [0105.835] lstrcmpiW (lpString1="Downloads", lpString2="microsoft") returned -1 [0105.835] lstrcmpiW (lpString1="Downloads", lpString2="sophos") returned -1 [0105.835] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0105.835] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0105.835] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0105.835] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0105.835] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.835] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Downloads\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName=".", cAlternateFileName="")) returned 0xbe2948 [0105.835] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.835] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xa2dc870b, ftLastAccessTime.dwHighDateTime=0x1d5d80c, ftLastWriteTime.dwLowDateTime=0xa2dc870b, ftLastWriteTime.dwHighDateTime=0x1d5d80c, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="..", cAlternateFileName="")) returned 1 [0105.835] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.835] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.835] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0105.835] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0105.835] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0105.835] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0105.835] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0105.835] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0105.835] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0105.835] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0105.835] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0105.836] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0105.836] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0105.836] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0105.836] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0105.836] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0105.836] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0105.836] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0105.836] FindClose (in: hFindFile=0xbe2948 | out: hFindFile=0xbe2948) returned 1 [0105.836] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.836] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0105.836] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0105.836] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Favorites", cAlternateFileName="FAVORI~1")) returned 1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2=".") returned 1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="..") returned 1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="...") returned 1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="windows") returned -1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="$RECYCLE.BIN") returned 1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="rsa") returned -1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="NTDETECT.COM") returned -1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="ntldr") returned -1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="MSDOS.SYS") returned -1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="IO.SYS") returned -1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="boot.ini") returned 1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="AUTOEXEC.BAT") returned 1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="ntuser.dat") returned -1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="desktop.ini") returned 1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="CONFIG.SYS") returned 1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="RECYCLER") returned -1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="BOOTSECT.BAK") returned 1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="bootmgr") returned 1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="programdata") returned -1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="appdata") returned 1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="program files") returned -1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="program files (x86)") returned -1 [0105.836] lstrcmpiW (lpString1="Favorites", lpString2="microsoft") returned -1 [0105.837] lstrcmpiW (lpString1="Favorites", lpString2="sophos") returned -1 [0105.837] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0105.837] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0105.837] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0105.837] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0105.837] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.837] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName=".", cAlternateFileName="")) returned 0xbe2b08 [0105.837] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.837] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd4499d75, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="..", cAlternateFileName="")) returned 1 [0105.837] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.837] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.837] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x43598c8e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43b9f870, ftLastAccessTime.dwHighDateTime=0x1d327ed, ftLastWriteTime.dwLowDateTime=0x43b9f870, ftLastWriteTime.dwHighDateTime=0x1d327ed, nFileSizeHigh=0x0, nFileSizeLow=0xd0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="Bing.url", cAlternateFileName="")) returned 1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2=".") returned 1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="..") returned 1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="...") returned 1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="windows") returned -1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="$RECYCLE.BIN") returned 1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="rsa") returned -1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="NTDETECT.COM") returned -1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="ntldr") returned -1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="MSDOS.SYS") returned -1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="IO.SYS") returned -1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="boot.ini") returned -1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="AUTOEXEC.BAT") returned 1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="ntuser.dat") returned -1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="desktop.ini") returned -1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="CONFIG.SYS") returned -1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="RECYCLER") returned -1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="BOOTSECT.BAK") returned -1 [0105.837] lstrcmpiW (lpString1="Bing.url", lpString2="bootmgr") returned -1 [0105.838] lstrcmpiW (lpString1="Bing.url", lpString2="programdata") returned -1 [0105.838] lstrcmpiW (lpString1="Bing.url", lpString2="appdata") returned 1 [0105.838] lstrcmpiW (lpString1="Bing.url", lpString2="program files") returned -1 [0105.838] lstrcmpiW (lpString1="Bing.url", lpString2="program files (x86)") returned -1 [0105.838] lstrcmpiW (lpString1="Bing.url", lpString2="microsoft") returned -1 [0105.838] lstrcmpiW (lpString1="Bing.url", lpString2="sophos") returned -1 [0105.838] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680500 [0105.838] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.838] PathFindExtensionW (pszPath="Bing.url") returned=".url" [0105.838] lstrcmpiW (lpString1=".url", lpString2=".exe") returned 1 [0105.838] lstrcmpiW (lpString1=".url", lpString2=".log") returned 1 [0105.838] lstrcmpiW (lpString1=".url", lpString2=".cab") returned 1 [0105.838] lstrcmpiW (lpString1=".url", lpString2=".cmd") returned 1 [0105.838] lstrcmpiW (lpString1=".url", lpString2=".com") returned 1 [0105.838] lstrcmpiW (lpString1=".url", lpString2=".cpl") returned 1 [0105.838] lstrcmpiW (lpString1=".url", lpString2=".ini") returned 1 [0105.838] lstrcmpiW (lpString1=".url", lpString2=".dll") returned 1 [0105.838] lstrcmpiW (lpString1=".url", lpString2=".url") returned 0 [0105.838] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x192, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0105.838] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0105.838] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0105.838] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0105.838] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0105.838] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0105.838] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0105.838] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0105.838] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0105.838] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0105.838] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0105.838] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0105.838] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0105.838] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0105.838] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0105.838] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="Links", cAlternateFileName="")) returned 1 [0105.838] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="...") returned 1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="$RECYCLE.BIN") returned 1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="rsa") returned -1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="NTDETECT.COM") returned -1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="ntldr") returned -1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="MSDOS.SYS") returned -1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="IO.SYS") returned 1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="boot.ini") returned 1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="AUTOEXEC.BAT") returned 1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="ntuser.dat") returned -1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="desktop.ini") returned 1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="CONFIG.SYS") returned 1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="RECYCLER") returned -1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="BOOTSECT.BAK") returned 1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="bootmgr") returned 1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="programdata") returned -1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="appdata") returned 1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="program files") returned -1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="program files (x86)") returned -1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="microsoft") returned -1 [0105.839] lstrcmpiW (lpString1="Links", lpString2="sophos") returned -1 [0105.839] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0105.839] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x5e) returned 0x268e2e8 [0105.839] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.839] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0105.839] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e350 [0105.839] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0105.839] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0105.839] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Favorites\\Links\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x29000029, cFileName=".", cAlternateFileName="")) returned 0xbe2588 [0105.840] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.840] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x29000029, cFileName="..", cAlternateFileName="")) returned 1 [0105.840] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.840] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.840] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x29000029, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0105.840] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0105.840] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0105.840] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0105.840] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0105.840] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0105.840] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0105.840] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0105.840] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0105.840] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0105.840] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0105.840] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0105.840] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0105.840] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0105.840] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0105.840] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4360b38e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4360b38e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x4360b38e, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x50, dwReserved0=0x0, dwReserved1=0x29000029, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0105.840] FindClose (in: hFindFile=0xbe2588 | out: hFindFile=0xbe2588) returned 1 [0105.840] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0105.840] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.840] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0105.840] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x43087f08, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd449a79e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3be1eb23, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="Links", cAlternateFileName="")) returned 0 [0105.840] FindClose (in: hFindFile=0xbe2b08 | out: hFindFile=0xbe2b08) returned 1 [0105.840] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.840] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0105.840] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0105.841] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Links", cAlternateFileName="")) returned 1 [0105.841] lstrcmpiW (lpString1="Links", lpString2=".") returned 1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="..") returned 1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="...") returned 1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="windows") returned -1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="$RECYCLE.BIN") returned 1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="rsa") returned -1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="NTDETECT.COM") returned -1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="ntldr") returned -1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="MSDOS.SYS") returned -1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="IO.SYS") returned 1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="boot.ini") returned 1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="AUTOEXEC.BAT") returned 1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="ntuser.dat") returned -1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="desktop.ini") returned 1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="CONFIG.SYS") returned 1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="RECYCLER") returned -1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="BOOTSECT.BAK") returned 1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="bootmgr") returned 1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="programdata") returned -1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="appdata") returned 1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="program files") returned -1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="program files (x86)") returned -1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="microsoft") returned -1 [0105.841] lstrcmpiW (lpString1="Links", lpString2="sophos") returned -1 [0105.841] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0105.841] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0105.841] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0105.841] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0105.841] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0105.841] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Links\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName=".", cAlternateFileName="")) returned 0xbe2588 [0105.842] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.842] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x9463e5c0, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="..", cAlternateFileName="")) returned 1 [0105.842] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.842] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.842] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcee4480b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0105.842] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0105.842] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0105.842] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0105.842] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0105.842] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0105.842] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0105.842] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0105.842] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0105.842] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0105.842] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0105.842] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0105.842] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0105.842] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0105.842] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0105.842] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4428f2bb, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4428f2bb, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce90d59d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f5, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="Desktop.lnk", cAlternateFileName="")) returned 1 [0105.842] lstrcmpiW (lpString1="Desktop.lnk", lpString2=".") returned 1 [0105.842] lstrcmpiW (lpString1="Desktop.lnk", lpString2="..") returned 1 [0105.842] lstrcmpiW (lpString1="Desktop.lnk", lpString2="...") returned 1 [0105.842] lstrcmpiW (lpString1="Desktop.lnk", lpString2="windows") returned -1 [0105.842] lstrcmpiW (lpString1="Desktop.lnk", lpString2="$RECYCLE.BIN") returned 1 [0105.842] lstrcmpiW (lpString1="Desktop.lnk", lpString2="rsa") returned -1 [0105.842] lstrcmpiW (lpString1="Desktop.lnk", lpString2="NTDETECT.COM") returned -1 [0105.842] lstrcmpiW (lpString1="Desktop.lnk", lpString2="ntldr") returned -1 [0105.842] lstrcmpiW (lpString1="Desktop.lnk", lpString2="MSDOS.SYS") returned -1 [0105.842] lstrcmpiW (lpString1="Desktop.lnk", lpString2="IO.SYS") returned -1 [0105.842] lstrcmpiW (lpString1="Desktop.lnk", lpString2="boot.ini") returned 1 [0105.842] lstrcmpiW (lpString1="Desktop.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0105.842] lstrcmpiW (lpString1="Desktop.lnk", lpString2="ntuser.dat") returned -1 [0105.842] lstrcmpiW (lpString1="Desktop.lnk", lpString2="desktop.ini") returned 1 [0105.842] lstrcmpiW (lpString1="Desktop.lnk", lpString2="CONFIG.SYS") returned 1 [0105.843] lstrcmpiW (lpString1="Desktop.lnk", lpString2="RECYCLER") returned -1 [0105.843] lstrcmpiW (lpString1="Desktop.lnk", lpString2="BOOTSECT.BAK") returned 1 [0105.843] lstrcmpiW (lpString1="Desktop.lnk", lpString2="bootmgr") returned 1 [0105.843] lstrcmpiW (lpString1="Desktop.lnk", lpString2="programdata") returned -1 [0105.843] lstrcmpiW (lpString1="Desktop.lnk", lpString2="appdata") returned 1 [0105.843] lstrcmpiW (lpString1="Desktop.lnk", lpString2="program files") returned -1 [0105.843] lstrcmpiW (lpString1="Desktop.lnk", lpString2="program files (x86)") returned -1 [0105.843] lstrcmpiW (lpString1="Desktop.lnk", lpString2="microsoft") returned -1 [0105.843] lstrcmpiW (lpString1="Desktop.lnk", lpString2="sophos") returned -1 [0105.843] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681278 [0105.843] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0105.843] PathFindExtensionW (pszPath="Desktop.lnk") returned=".lnk" [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".NEFILIM") returned -1 [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0105.843] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0105.843] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x442b54f3, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x442b54f3, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xcec7abde, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x3ae, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="Downloads.lnk", cAlternateFileName="DOWNLO~1.LNK")) returned 1 [0105.843] lstrcmpiW (lpString1="Downloads.lnk", lpString2=".") returned 1 [0105.843] lstrcmpiW (lpString1="Downloads.lnk", lpString2="..") returned 1 [0105.843] lstrcmpiW (lpString1="Downloads.lnk", lpString2="...") returned 1 [0105.843] lstrcmpiW (lpString1="Downloads.lnk", lpString2="windows") returned -1 [0105.843] lstrcmpiW (lpString1="Downloads.lnk", lpString2="$RECYCLE.BIN") returned 1 [0105.843] lstrcmpiW (lpString1="Downloads.lnk", lpString2="rsa") returned -1 [0105.843] lstrcmpiW (lpString1="Downloads.lnk", lpString2="NTDETECT.COM") returned -1 [0105.843] lstrcmpiW (lpString1="Downloads.lnk", lpString2="ntldr") returned -1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="MSDOS.SYS") returned -1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="IO.SYS") returned -1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="boot.ini") returned 1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="ntuser.dat") returned -1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="desktop.ini") returned 1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="CONFIG.SYS") returned 1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="RECYCLER") returned -1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="BOOTSECT.BAK") returned 1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="bootmgr") returned 1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="programdata") returned -1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="appdata") returned 1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="program files") returned -1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="program files (x86)") returned -1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="microsoft") returned -1 [0105.844] lstrcmpiW (lpString1="Downloads.lnk", lpString2="sophos") returned -1 [0105.844] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0105.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0105.844] PathFindExtensionW (pszPath="Downloads.lnk") returned=".lnk" [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".NEFILIM") returned -1 [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0105.844] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0105.844] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 1 [0105.844] lstrcmpiW (lpString1="OneDrive.lnk", lpString2=".") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="..") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="...") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="windows") returned -1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="$RECYCLE.BIN") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="rsa") returned -1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="NTDETECT.COM") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="ntldr") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="MSDOS.SYS") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="IO.SYS") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="boot.ini") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="ntuser.dat") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="desktop.ini") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="CONFIG.SYS") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="RECYCLER") returned -1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="BOOTSECT.BAK") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="bootmgr") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="programdata") returned -1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="appdata") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="program files") returned -1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="program files (x86)") returned -1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="microsoft") returned 1 [0105.845] lstrcmpiW (lpString1="OneDrive.lnk", lpString2="sophos") returned -1 [0105.845] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0105.845] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.845] PathFindExtensionW (pszPath="OneDrive.lnk") returned=".lnk" [0105.845] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0105.845] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0105.845] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0105.845] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0105.845] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0105.845] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0105.845] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0105.845] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0105.845] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0105.845] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0105.845] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0105.846] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0105.846] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0105.846] lstrcmpiW (lpString1=".lnk", lpString2=".NEFILIM") returned -1 [0105.846] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0105.846] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0105.846] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1d327b5, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x53a, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="OneDrive.lnk", cAlternateFileName="")) returned 0 [0105.846] FindClose (in: hFindFile=0xbe2588 | out: hFindFile=0xbe2588) returned 1 [0105.846] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0105.846] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0105.846] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0105.846] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Local Settings", cAlternateFileName="LOCALS~1")) returned 1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2=".") returned 1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="..") returned 1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="...") returned 1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="windows") returned -1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="$RECYCLE.BIN") returned 1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="rsa") returned -1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="NTDETECT.COM") returned -1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="ntldr") returned -1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="MSDOS.SYS") returned -1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="IO.SYS") returned 1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="boot.ini") returned 1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="AUTOEXEC.BAT") returned 1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="ntuser.dat") returned -1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="desktop.ini") returned 1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="CONFIG.SYS") returned 1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="RECYCLER") returned -1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="BOOTSECT.BAK") returned 1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="bootmgr") returned 1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="programdata") returned -1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="appdata") returned 1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="program files") returned -1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="program files (x86)") returned -1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="microsoft") returned -1 [0105.846] lstrcmpiW (lpString1="Local Settings", lpString2="sophos") returned -1 [0105.846] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0105.847] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0105.847] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0105.847] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0105.847] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0105.847] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Local Settings\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3190fb5, ftCreationTime.dwHighDateTime=0x1e00001e, ftLastAccessTime.dwLowDateTime=0x9463e5c0, ftLastAccessTime.dwHighDateTime=0x1d39f5d, ftLastWriteTime.dwLowDateTime=0x94664823, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x2680000, nFileSizeLow=0x14000014, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="", cAlternateFileName="ɛ⊺Ċቸɨᒸɨ>")) returned 0xffffffff [0105.847] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.847] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0105.847] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0105.847] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5637443, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5637443, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0105.847] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="...") returned 1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="$RECYCLE.BIN") returned 1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="rsa") returned -1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="NTDETECT.COM") returned -1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="ntldr") returned -1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="MSDOS.SYS") returned 1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="IO.SYS") returned 1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="boot.ini") returned 1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="AUTOEXEC.BAT") returned 1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="ntuser.dat") returned -1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="desktop.ini") returned 1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="CONFIG.SYS") returned 1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="RECYCLER") returned -1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="BOOTSECT.BAK") returned 1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="bootmgr") returned 1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="programdata") returned -1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="appdata") returned 1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="program files") returned -1 [0105.847] lstrcmpiW (lpString1="Music", lpString2="program files (x86)") returned -1 [0105.920] lstrcmpiW (lpString1="Music", lpString2="microsoft") returned 1 [0105.920] lstrcmpiW (lpString1="Music", lpString2="sophos") returned -1 [0105.920] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e618 [0105.920] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0105.920] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0105.920] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0105.920] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0105.920] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5637443, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5637443, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName=".", cAlternateFileName="")) returned 0xbe27c8 [0105.920] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.920] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe5637443, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe5637443, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="..", cAlternateFileName="")) returned 1 [0105.920] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.920] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.920] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x4409f518, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x4409f518, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce3d633b, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0105.920] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0105.920] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0105.920] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0105.920] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0105.920] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0105.920] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0105.921] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0105.921] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0105.921] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0105.921] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0105.921] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0105.921] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0105.921] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0105.921] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0105.921] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12372090, ftCreationTime.dwHighDateTime=0x1d5eebd, ftLastAccessTime.dwLowDateTime=0x62a446b0, ftLastAccessTime.dwHighDateTime=0x1d5ec11, ftLastWriteTime.dwLowDateTime=0x62a446b0, ftLastWriteTime.dwHighDateTime=0x1d5ec11, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="EM D0wDWF", cAlternateFileName="EMD0WD~1")) returned 1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2=".") returned 1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="..") returned 1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="...") returned 1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="windows") returned -1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="$RECYCLE.BIN") returned 1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="rsa") returned -1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="NTDETECT.COM") returned -1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="ntldr") returned -1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="MSDOS.SYS") returned -1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="IO.SYS") returned -1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="boot.ini") returned 1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="AUTOEXEC.BAT") returned 1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="ntuser.dat") returned -1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="desktop.ini") returned 1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="CONFIG.SYS") returned 1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="RECYCLER") returned -1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="BOOTSECT.BAK") returned 1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="bootmgr") returned 1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="programdata") returned -1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="appdata") returned 1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="program files") returned -1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="program files (x86)") returned -1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="microsoft") returned -1 [0105.921] lstrcmpiW (lpString1="EM D0wDWF", lpString2="sophos") returned -1 [0105.921] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0105.921] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x5e) returned 0x26804b8 [0105.921] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0105.921] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0105.922] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680520 [0105.922] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681278 [0105.922] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0105.922] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\EM D0wDWF\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12372090, ftCreationTime.dwHighDateTime=0x1d5eebd, ftLastAccessTime.dwLowDateTime=0x62a446b0, ftLastAccessTime.dwHighDateTime=0x1d5ec11, ftLastWriteTime.dwLowDateTime=0x62a446b0, ftLastWriteTime.dwHighDateTime=0x1d5ec11, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName=".", cAlternateFileName="")) returned 0xbe2888 [0105.922] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.922] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x12372090, ftCreationTime.dwHighDateTime=0x1d5eebd, ftLastAccessTime.dwLowDateTime=0x62a446b0, ftLastAccessTime.dwHighDateTime=0x1d5ec11, ftLastWriteTime.dwLowDateTime=0x62a446b0, ftLastWriteTime.dwHighDateTime=0x1d5ec11, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="..", cAlternateFileName="")) returned 1 [0105.922] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.922] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.922] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7785f900, ftCreationTime.dwHighDateTime=0x1d5f0a0, ftLastAccessTime.dwLowDateTime=0x4dcbc610, ftLastAccessTime.dwHighDateTime=0x1d5ea49, ftLastWriteTime.dwLowDateTime=0x4dcbc610, ftLastWriteTime.dwHighDateTime=0x1d5ea49, nFileSizeHigh=0x0, nFileSizeLow=0x4e46, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="lgcf8MPv6pt.wav", cAlternateFileName="LGCF8M~1.WAV")) returned 1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2=".") returned 1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="..") returned 1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="...") returned 1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="windows") returned -1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="$RECYCLE.BIN") returned 1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="rsa") returned -1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="NTDETECT.COM") returned -1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="ntldr") returned -1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="MSDOS.SYS") returned -1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="IO.SYS") returned 1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="boot.ini") returned 1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="AUTOEXEC.BAT") returned 1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="ntuser.dat") returned -1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="desktop.ini") returned 1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="CONFIG.SYS") returned 1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="RECYCLER") returned -1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="BOOTSECT.BAK") returned 1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="bootmgr") returned 1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="programdata") returned -1 [0105.922] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="appdata") returned 1 [0105.923] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="program files") returned -1 [0105.923] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="program files (x86)") returned -1 [0105.923] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="microsoft") returned -1 [0105.923] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="sophos") returned -1 [0105.923] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e340 [0105.923] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.923] PathFindExtensionW (pszPath="lgcf8MPv6pt.wav") returned=".wav" [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0105.923] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0105.923] lstrcmpiW (lpString1="lgcf8MPv6pt.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.923] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0105.923] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\EM D0wDWF\\lgcf8MPv6pt.wav" (normalized: "c:\\users\\fd1hvy\\music\\em d0wdwf\\lgcf8mpv6pt.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0105.923] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=20038) returned 1 [0105.924] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.924] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.924] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.924] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.924] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0105.924] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0105.924] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be798*=0x100) returned 1 [0105.924] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be794*=0x100) returned 1 [0105.924] GetTickCount () returned 0x115b9e6 [0105.924] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0105.924] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0105.924] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4e46, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.924] SetLastError (dwErrCode=0x0) [0105.924] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.925] GetLastError () returned 0x0 [0105.925] GetLastError () returned 0x0 [0105.925] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4f46, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.925] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.926] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x5046, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.926] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3a1f6f0d, dwHighDateTime=0x1d5f971)) [0105.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0105.926] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0105.926] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0105.926] GetProcessHeap () returned 0xbc0000 [0105.926] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x4e46) returned 0xbf2638 [0105.926] GetSystemDefaultLangID () returned 0xbd0409 [0105.926] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.926] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x4e46, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x4e46, lpOverlapped=0x0) returned 1 [0105.927] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.927] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x4e46, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x4e46, lpOverlapped=0x0) returned 1 [0105.927] GetProcessHeap () returned 0xbc0000 [0105.927] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0105.927] CloseHandle (hObject=0x270) returned 1 [0105.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0105.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0105.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.928] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bdf8 [0105.928] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\EM D0wDWF\\lgcf8MPv6pt.wav" (normalized: "c:\\users\\fd1hvy\\music\\em d0wdwf\\lgcf8mpv6pt.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\EM D0wDWF\\lgcf8MPv6pt.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\em d0wdwf\\lgcf8mpv6pt.wav.nefilim")) returned 1 [0105.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0105.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0105.928] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7785f900, ftCreationTime.dwHighDateTime=0x1d5f0a0, ftLastAccessTime.dwLowDateTime=0x4dcbc610, ftLastAccessTime.dwHighDateTime=0x1d5ea49, ftLastWriteTime.dwLowDateTime=0x4dcbc610, ftLastWriteTime.dwHighDateTime=0x1d5ea49, nFileSizeHigh=0x0, nFileSizeLow=0x4e46, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="lgcf8MPv6pt.wav", cAlternateFileName="LGCF8M~1.WAV")) returned 0 [0105.928] FindClose (in: hFindFile=0xbe2888 | out: hFindFile=0xbe2888) returned 1 [0105.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0105.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0105.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0105.929] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6d435bb0, ftCreationTime.dwHighDateTime=0x1d5f0b7, ftLastAccessTime.dwLowDateTime=0x2f3c8b40, ftLastAccessTime.dwHighDateTime=0x1d5e3f4, ftLastWriteTime.dwLowDateTime=0x2f3c8b40, ftLastWriteTime.dwHighDateTime=0x1d5e3f4, nFileSizeHigh=0x0, nFileSizeLow=0x18f5e, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="qiAeW0drhBh_.mp3", cAlternateFileName="QIAEW0~1.MP3")) returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2=".") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="..") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="...") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="windows") returned -1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="$RECYCLE.BIN") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="rsa") returned -1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="NTDETECT.COM") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="ntldr") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="MSDOS.SYS") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="IO.SYS") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="boot.ini") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="ntuser.dat") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="desktop.ini") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="CONFIG.SYS") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="RECYCLER") returned -1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="BOOTSECT.BAK") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="bootmgr") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="programdata") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="appdata") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="program files") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="program files (x86)") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="microsoft") returned 1 [0105.929] lstrcmpiW (lpString1="qiAeW0drhBh_.mp3", lpString2="sophos") returned -1 [0105.929] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680520 [0105.929] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0105.929] PathFindExtensionW (pszPath="qiAeW0drhBh_.mp3") returned=".mp3" [0105.929] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0105.929] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0105.929] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0105.929] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0105.929] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0105.929] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0105.929] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0105.929] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0105.930] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0105.930] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0105.930] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0105.930] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b48d30, ftCreationTime.dwHighDateTime=0x1d5ec78, ftLastAccessTime.dwLowDateTime=0xd9b47a0, ftLastAccessTime.dwHighDateTime=0x1d5e8e6, ftLastWriteTime.dwLowDateTime=0xd9b47a0, ftLastWriteTime.dwHighDateTime=0x1d5e8e6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="s 2k1PnFlkUHh", cAlternateFileName="S2K1PN~1")) returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2=".") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="..") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="...") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="windows") returned -1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="$RECYCLE.BIN") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="rsa") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="NTDETECT.COM") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="ntldr") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="MSDOS.SYS") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="IO.SYS") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="boot.ini") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="AUTOEXEC.BAT") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="ntuser.dat") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="desktop.ini") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="CONFIG.SYS") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="RECYCLER") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="BOOTSECT.BAK") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="bootmgr") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="programdata") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="appdata") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="program files") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="program files (x86)") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="microsoft") returned 1 [0105.930] lstrcmpiW (lpString1="s 2k1PnFlkUHh", lpString2="sophos") returned -1 [0105.930] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0105.930] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0105.930] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0105.930] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681278 [0105.930] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0105.930] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b48d30, ftCreationTime.dwHighDateTime=0x1d5ec78, ftLastAccessTime.dwLowDateTime=0xd9b47a0, ftLastAccessTime.dwHighDateTime=0x1d5e8e6, ftLastWriteTime.dwLowDateTime=0xd9b47a0, ftLastWriteTime.dwHighDateTime=0x1d5e8e6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName=".", cAlternateFileName="")) returned 0xbe2808 [0105.931] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.931] FindNextFileW (in: hFindFile=0xbe2808, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf1b48d30, ftCreationTime.dwHighDateTime=0x1d5ec78, ftLastAccessTime.dwLowDateTime=0xd9b47a0, ftLastAccessTime.dwHighDateTime=0x1d5e8e6, ftLastWriteTime.dwLowDateTime=0xd9b47a0, ftLastWriteTime.dwHighDateTime=0x1d5e8e6, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="..", cAlternateFileName="")) returned 1 [0105.931] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.931] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.931] FindNextFileW (in: hFindFile=0xbe2808, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe07636b0, ftCreationTime.dwHighDateTime=0x1d5ee47, ftLastAccessTime.dwLowDateTime=0x97a14200, ftLastAccessTime.dwHighDateTime=0x1d5e9c3, ftLastWriteTime.dwLowDateTime=0x97a14200, ftLastWriteTime.dwHighDateTime=0x1d5e9c3, nFileSizeHigh=0x0, nFileSizeLow=0x1518e, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="EfJVTfpUQzge7t.wav", cAlternateFileName="EFJVTF~1.WAV")) returned 1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2=".") returned 1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="..") returned 1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="...") returned 1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="windows") returned -1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="$RECYCLE.BIN") returned 1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="rsa") returned -1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="NTDETECT.COM") returned -1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="ntldr") returned -1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="MSDOS.SYS") returned -1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="IO.SYS") returned -1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="boot.ini") returned 1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="AUTOEXEC.BAT") returned 1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="ntuser.dat") returned -1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="desktop.ini") returned 1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="CONFIG.SYS") returned 1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="RECYCLER") returned -1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="BOOTSECT.BAK") returned 1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="bootmgr") returned 1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="programdata") returned -1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="appdata") returned 1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="program files") returned -1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="program files (x86)") returned -1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="microsoft") returned -1 [0105.931] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="sophos") returned -1 [0105.931] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e340 [0105.931] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.931] PathFindExtensionW (pszPath="EfJVTfpUQzge7t.wav") returned=".wav" [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0105.932] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0105.932] lstrcmpiW (lpString1="EfJVTfpUQzge7t.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.932] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0105.932] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\EfJVTfpUQzge7t.wav" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\efjvtfpuqzge7t.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0105.932] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=86414) returned 1 [0105.932] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0105.932] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.932] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0105.932] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.932] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0105.932] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.932] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be798*=0x100) returned 1 [0105.933] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be794*=0x100) returned 1 [0105.934] GetTickCount () returned 0x115b9f6 [0105.934] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e7a0 [0105.934] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e7a0 | out: hHeap=0x2680000) returned 1 [0105.934] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1518e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.934] SetLastError (dwErrCode=0x0) [0105.934] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.935] GetLastError () returned 0x0 [0105.935] GetLastError () returned 0x0 [0105.935] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1528e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.935] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0105.935] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1538e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.935] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3a21d213, dwHighDateTime=0x1d5f971)) [0105.935] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0105.935] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0105.935] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0105.935] GetProcessHeap () returned 0xbc0000 [0105.935] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1518e) returned 0xbf2638 [0105.936] GetSystemDefaultLangID () returned 0xbd0409 [0105.937] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.937] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1518e, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x1518e, lpOverlapped=0x0) returned 1 [0105.942] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.942] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1518e, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x1518e, lpOverlapped=0x0) returned 1 [0105.942] GetProcessHeap () returned 0xbc0000 [0105.942] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0105.942] CloseHandle (hObject=0x270) returned 1 [0105.942] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0105.942] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0105.942] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0105.942] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.942] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0105.942] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\EfJVTfpUQzge7t.wav" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\efjvtfpuqzge7t.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\EfJVTfpUQzge7t.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\efjvtfpuqzge7t.wav.nefilim")) returned 1 [0105.943] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0105.943] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0105.943] FindNextFileW (in: hFindFile=0xbe2808, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56f77e60, ftCreationTime.dwHighDateTime=0x1d5f083, ftLastAccessTime.dwLowDateTime=0xbdbda1d0, ftLastAccessTime.dwHighDateTime=0x1d5e663, ftLastWriteTime.dwLowDateTime=0xbdbda1d0, ftLastWriteTime.dwHighDateTime=0x1d5e663, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="Fw_6g7", cAlternateFileName="")) returned 1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2=".") returned 1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2="..") returned 1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2="...") returned 1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2="windows") returned -1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2="$RECYCLE.BIN") returned 1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2="rsa") returned -1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2="NTDETECT.COM") returned -1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2="ntldr") returned -1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2="MSDOS.SYS") returned -1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2="IO.SYS") returned -1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2="boot.ini") returned 1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2="AUTOEXEC.BAT") returned 1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2="ntuser.dat") returned -1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2="desktop.ini") returned 1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2="CONFIG.SYS") returned 1 [0105.943] lstrcmpiW (lpString1="Fw_6g7", lpString2="RECYCLER") returned -1 [0105.944] lstrcmpiW (lpString1="Fw_6g7", lpString2="BOOTSECT.BAK") returned 1 [0105.944] lstrcmpiW (lpString1="Fw_6g7", lpString2="bootmgr") returned 1 [0105.944] lstrcmpiW (lpString1="Fw_6g7", lpString2="programdata") returned -1 [0105.944] lstrcmpiW (lpString1="Fw_6g7", lpString2="appdata") returned 1 [0105.944] lstrcmpiW (lpString1="Fw_6g7", lpString2="program files") returned -1 [0105.944] lstrcmpiW (lpString1="Fw_6g7", lpString2="program files (x86)") returned -1 [0105.944] lstrcmpiW (lpString1="Fw_6g7", lpString2="microsoft") returned -1 [0105.944] lstrcmpiW (lpString1="Fw_6g7", lpString2="sophos") returned -1 [0105.944] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0105.944] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0105.944] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0105.944] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268be60 [0105.944] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0105.944] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\Fw_6g7\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56f77e60, ftCreationTime.dwHighDateTime=0x1d5f083, ftLastAccessTime.dwLowDateTime=0xbdbda1d0, ftLastAccessTime.dwHighDateTime=0x1d5e663, ftLastWriteTime.dwLowDateTime=0xbdbda1d0, ftLastWriteTime.dwHighDateTime=0x1d5e663, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268bd90, dwReserved1=0x4000000, cFileName=".", cAlternateFileName="")) returned 0xbe2888 [0105.944] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0105.944] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x56f77e60, ftCreationTime.dwHighDateTime=0x1d5f083, ftLastAccessTime.dwLowDateTime=0xbdbda1d0, ftLastAccessTime.dwHighDateTime=0x1d5e663, ftLastWriteTime.dwLowDateTime=0xbdbda1d0, ftLastWriteTime.dwHighDateTime=0x1d5e663, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268bd90, dwReserved1=0x4000000, cFileName="..", cAlternateFileName="")) returned 1 [0105.944] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0105.944] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0105.944] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63e1a810, ftCreationTime.dwHighDateTime=0x1d5e784, ftLastAccessTime.dwLowDateTime=0x57cfb5b0, ftLastAccessTime.dwHighDateTime=0x1d5e9cf, ftLastWriteTime.dwLowDateTime=0x57cfb5b0, ftLastWriteTime.dwHighDateTime=0x1d5e9cf, nFileSizeHigh=0x0, nFileSizeLow=0x750f, dwReserved0=0x268bd90, dwReserved1=0x4000000, cFileName="38veH38LWRrOOBADhf.wav", cAlternateFileName="38VEH3~1.WAV")) returned 1 [0105.944] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2=".") returned 1 [0105.944] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="..") returned 1 [0105.944] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="...") returned 1 [0105.944] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="windows") returned -1 [0105.944] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="$RECYCLE.BIN") returned 1 [0105.944] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="rsa") returned -1 [0105.944] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="NTDETECT.COM") returned -1 [0105.944] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="ntldr") returned -1 [0105.944] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="MSDOS.SYS") returned -1 [0105.944] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="IO.SYS") returned -1 [0105.944] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="boot.ini") returned -1 [0105.944] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="AUTOEXEC.BAT") returned -1 [0105.945] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="ntuser.dat") returned -1 [0105.945] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="desktop.ini") returned -1 [0105.945] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="CONFIG.SYS") returned -1 [0105.945] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="RECYCLER") returned -1 [0105.945] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="BOOTSECT.BAK") returned -1 [0105.945] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="bootmgr") returned -1 [0105.945] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="programdata") returned -1 [0105.945] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="appdata") returned -1 [0105.945] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="program files") returned -1 [0105.945] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="program files (x86)") returned -1 [0105.945] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="microsoft") returned -1 [0105.945] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="sophos") returned -1 [0105.945] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e350 [0105.945] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0105.945] PathFindExtensionW (pszPath="38veH38LWRrOOBADhf.wav") returned=".wav" [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0105.945] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0105.945] lstrcmpiW (lpString1="38veH38LWRrOOBADhf.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.945] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0105.945] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\Fw_6g7\\38veH38LWRrOOBADhf.wav" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\fw_6g7\\38veh38lwrroobadhf.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.946] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=29967) returned 1 [0105.946] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.946] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0105.946] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.946] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0105.946] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0105.946] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0105.946] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.946] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.946] GetTickCount () returned 0x115ba05 [0105.946] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0105.946] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0105.946] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x750f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.946] SetLastError (dwErrCode=0x0) [0105.946] WriteFile (in: hFile=0x274, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.947] GetLastError () returned 0x0 [0105.947] GetLastError () returned 0x0 [0105.947] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x760f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.947] WriteFile (in: hFile=0x274, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.947] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x770f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.947] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3a2433ad, dwHighDateTime=0x1d5f971)) [0105.947] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0105.948] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0105.948] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.948] GetProcessHeap () returned 0xbc0000 [0105.948] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x750f) returned 0xbf3640 [0105.948] GetSystemDefaultLangID () returned 0xbd0409 [0105.948] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.948] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x750f, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x750f, lpOverlapped=0x0) returned 1 [0105.949] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.949] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x750f, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x750f, lpOverlapped=0x0) returned 1 [0105.949] GetProcessHeap () returned 0xbc0000 [0105.949] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0105.951] CloseHandle (hObject=0x274) returned 1 [0105.951] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0105.951] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0105.951] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0105.951] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0105.951] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268e898 [0105.951] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\Fw_6g7\\38veH38LWRrOOBADhf.wav" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\fw_6g7\\38veh38lwrroobadhf.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\Fw_6g7\\38veH38LWRrOOBADhf.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\fw_6g7\\38veh38lwrroobadhf.wav.nefilim")) returned 1 [0105.951] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e898 | out: hHeap=0x2680000) returned 1 [0105.951] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0105.952] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c2f16b0, ftCreationTime.dwHighDateTime=0x1d5ef85, ftLastAccessTime.dwLowDateTime=0x95354e60, ftLastAccessTime.dwHighDateTime=0x1d5eab0, ftLastWriteTime.dwLowDateTime=0x95354e60, ftLastWriteTime.dwHighDateTime=0x1d5eab0, nFileSizeHigh=0x0, nFileSizeLow=0x1147c, dwReserved0=0x268bd90, dwReserved1=0x4000000, cFileName="4Z9R.wav", cAlternateFileName="")) returned 1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2=".") returned 1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="..") returned 1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="...") returned 1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="windows") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="$RECYCLE.BIN") returned 1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="rsa") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="NTDETECT.COM") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="ntldr") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="MSDOS.SYS") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="IO.SYS") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="boot.ini") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="AUTOEXEC.BAT") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="ntuser.dat") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="desktop.ini") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="CONFIG.SYS") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="RECYCLER") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="BOOTSECT.BAK") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="bootmgr") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="programdata") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="appdata") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="program files") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="program files (x86)") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="microsoft") returned -1 [0105.952] lstrcmpiW (lpString1="4Z9R.wav", lpString2="sophos") returned -1 [0105.952] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e800 [0105.952] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0105.952] PathFindExtensionW (pszPath="4Z9R.wav") returned=".wav" [0105.952] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0105.952] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0105.952] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0105.952] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0105.952] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0105.952] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0105.952] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0105.953] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0105.953] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0105.953] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0105.953] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0105.953] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0105.953] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0105.953] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0105.953] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0105.953] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0105.953] lstrcmpiW (lpString1="4Z9R.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0105.953] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0105.953] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\Fw_6g7\\4Z9R.wav" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\fw_6g7\\4z9r.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0105.953] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=70780) returned 1 [0105.953] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0105.953] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0105.953] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0105.953] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0105.953] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0105.953] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0105.953] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be478*=0x100) returned 1 [0105.955] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be474*=0x100) returned 1 [0105.955] GetTickCount () returned 0x115ba05 [0105.955] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0105.955] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0105.955] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1147c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.955] SetLastError (dwErrCode=0x0) [0105.955] WriteFile (in: hFile=0x274, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.956] GetLastError () returned 0x0 [0105.956] GetLastError () returned 0x0 [0105.956] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1157c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.956] WriteFile (in: hFile=0x274, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0105.956] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1167c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.956] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3a2433ad, dwHighDateTime=0x1d5f971)) [0105.956] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0105.956] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0105.956] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0105.956] GetProcessHeap () returned 0xbc0000 [0105.956] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1147c) returned 0xbf3640 [0105.956] GetSystemDefaultLangID () returned 0xbd0409 [0105.956] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0105.956] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x1147c, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x1147c, lpOverlapped=0x0) returned 1 [0106.043] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.043] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x1147c, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x1147c, lpOverlapped=0x0) returned 1 [0106.043] GetProcessHeap () returned 0xbc0000 [0106.044] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0106.044] CloseHandle (hObject=0x274) returned 1 [0106.044] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0106.044] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0106.044] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0106.044] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.044] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e360 [0106.044] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\Fw_6g7\\4Z9R.wav" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\fw_6g7\\4z9r.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\Fw_6g7\\4Z9R.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\fw_6g7\\4z9r.wav.nefilim")) returned 1 [0106.044] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0106.044] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.044] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2c2f16b0, ftCreationTime.dwHighDateTime=0x1d5ef85, ftLastAccessTime.dwLowDateTime=0x95354e60, ftLastAccessTime.dwHighDateTime=0x1d5eab0, ftLastWriteTime.dwLowDateTime=0x95354e60, ftLastWriteTime.dwHighDateTime=0x1d5eab0, nFileSizeHigh=0x0, nFileSizeLow=0x1147c, dwReserved0=0x268bd90, dwReserved1=0x4000000, cFileName="4Z9R.wav", cAlternateFileName="")) returned 0 [0106.045] FindClose (in: hFindFile=0xbe2888 | out: hFindFile=0xbe2888) returned 1 [0106.045] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0106.045] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0106.045] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0106.045] FindNextFileW (in: hFindFile=0xbe2808, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfec21da0, ftCreationTime.dwHighDateTime=0x1d5ec9e, ftLastAccessTime.dwLowDateTime=0x8903c960, ftLastAccessTime.dwHighDateTime=0x1d5ede8, ftLastWriteTime.dwLowDateTime=0x8903c960, ftLastWriteTime.dwHighDateTime=0x1d5ede8, nFileSizeHigh=0x0, nFileSizeLow=0x14f17, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="K1jOmt27CqtG.m4a", cAlternateFileName="K1JOMT~1.M4A")) returned 1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2=".") returned 1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="..") returned 1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="...") returned 1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="windows") returned -1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="$RECYCLE.BIN") returned 1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="rsa") returned -1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="NTDETECT.COM") returned -1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="ntldr") returned -1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="MSDOS.SYS") returned -1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="IO.SYS") returned 1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="boot.ini") returned 1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="ntuser.dat") returned -1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="desktop.ini") returned 1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="CONFIG.SYS") returned 1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="RECYCLER") returned -1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="BOOTSECT.BAK") returned 1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="bootmgr") returned 1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="programdata") returned -1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="appdata") returned 1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="program files") returned -1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="program files (x86)") returned -1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="microsoft") returned -1 [0106.045] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="sophos") returned -1 [0106.045] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bdf8 [0106.045] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.045] PathFindExtensionW (pszPath="K1jOmt27CqtG.m4a") returned=".m4a" [0106.045] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0106.045] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0106.045] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0106.046] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0106.046] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0106.046] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0106.046] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0106.046] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0106.046] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0106.046] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0106.046] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0106.046] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0106.046] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0106.046] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0106.046] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0106.046] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0106.046] lstrcmpiW (lpString1="K1jOmt27CqtG.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.046] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0106.046] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\K1jOmt27CqtG.m4a" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\k1jomt27cqtg.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0106.046] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=85783) returned 1 [0106.046] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0106.046] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.046] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0106.046] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.046] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0106.046] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0106.046] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be798*=0x100) returned 1 [0106.047] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be794*=0x100) returned 1 [0106.047] GetTickCount () returned 0x115ba63 [0106.047] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0106.047] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0106.047] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14f17, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.047] SetLastError (dwErrCode=0x0) [0106.047] WriteFile (in: hFile=0x270, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.048] GetLastError () returned 0x0 [0106.048] GetLastError () returned 0x0 [0106.048] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x15017, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.048] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.048] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x15117, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.048] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3a32824b, dwHighDateTime=0x1d5f971)) [0106.048] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0106.048] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0106.048] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0106.048] GetProcessHeap () returned 0xbc0000 [0106.048] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x14f17) returned 0xbf2638 [0106.048] GetSystemDefaultLangID () returned 0xbd0409 [0106.048] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.048] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x14f17, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x14f17, lpOverlapped=0x0) returned 1 [0106.053] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.053] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x14f17, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x14f17, lpOverlapped=0x0) returned 1 [0106.053] GetProcessHeap () returned 0xbc0000 [0106.053] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0106.053] CloseHandle (hObject=0x270) returned 1 [0106.053] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0106.053] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0106.053] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0106.053] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.053] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e360 [0106.053] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\K1jOmt27CqtG.m4a" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\k1jomt27cqtg.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\K1jOmt27CqtG.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\k1jomt27cqtg.m4a.nefilim")) returned 1 [0106.054] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0106.054] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.054] FindNextFileW (in: hFindFile=0xbe2808, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x57302d10, ftCreationTime.dwHighDateTime=0x1d5e72c, ftLastAccessTime.dwLowDateTime=0x3e8068e0, ftLastAccessTime.dwHighDateTime=0x1d5ea4a, ftLastWriteTime.dwLowDateTime=0x3e8068e0, ftLastWriteTime.dwHighDateTime=0x1d5ea4a, nFileSizeHigh=0x0, nFileSizeLow=0x3b75, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="mj9KK2AVEgxCb.wav", cAlternateFileName="MJ9KK2~1.WAV")) returned 1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2=".") returned 1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="..") returned 1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="...") returned 1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="windows") returned -1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="$RECYCLE.BIN") returned 1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="rsa") returned -1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="NTDETECT.COM") returned -1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="ntldr") returned -1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="MSDOS.SYS") returned -1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="IO.SYS") returned 1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="boot.ini") returned 1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="AUTOEXEC.BAT") returned 1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="ntuser.dat") returned -1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="desktop.ini") returned 1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="CONFIG.SYS") returned 1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="RECYCLER") returned -1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="BOOTSECT.BAK") returned 1 [0106.054] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="bootmgr") returned 1 [0106.055] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="programdata") returned -1 [0106.055] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="appdata") returned 1 [0106.055] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="program files") returned -1 [0106.055] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="program files (x86)") returned -1 [0106.055] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="microsoft") returned 1 [0106.055] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="sophos") returned -1 [0106.055] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0106.055] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0106.055] PathFindExtensionW (pszPath="mj9KK2AVEgxCb.wav") returned=".wav" [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0106.055] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0106.055] lstrcmpiW (lpString1="mj9KK2AVEgxCb.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.055] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e360 [0106.055] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\mj9KK2AVEgxCb.wav" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\mj9kk2avegxcb.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0106.055] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=15221) returned 1 [0106.055] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.055] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0106.056] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.056] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0106.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0106.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0106.056] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25be798*=0x100) returned 1 [0106.056] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be794*=0x100) returned 1 [0106.057] GetTickCount () returned 0x115ba73 [0106.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e7a0 [0106.058] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e7a0 | out: hHeap=0x2680000) returned 1 [0106.058] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3b75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.058] SetLastError (dwErrCode=0x0) [0106.058] WriteFile (in: hFile=0x270, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.058] GetLastError () returned 0x0 [0106.058] GetLastError () returned 0x0 [0106.058] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3c75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.058] WriteFile (in: hFile=0x270, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.059] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3d75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.059] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3a34e665, dwHighDateTime=0x1d5f971)) [0106.059] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0106.059] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0106.059] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0106.059] GetProcessHeap () returned 0xbc0000 [0106.059] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3b75) returned 0xbf2638 [0106.060] GetSystemDefaultLangID () returned 0xbd0409 [0106.060] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.060] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3b75, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3b75, lpOverlapped=0x0) returned 1 [0106.061] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.061] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3b75, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3b75, lpOverlapped=0x0) returned 1 [0106.061] GetProcessHeap () returned 0xbc0000 [0106.061] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0106.061] CloseHandle (hObject=0x270) returned 1 [0106.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0106.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0106.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0106.061] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0106.061] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\mj9KK2AVEgxCb.wav" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\mj9kk2avegxcb.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\mj9KK2AVEgxCb.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\mj9kk2avegxcb.wav.nefilim")) returned 1 [0106.062] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.062] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0106.062] FindNextFileW (in: hFindFile=0xbe2808, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2478a7d0, ftCreationTime.dwHighDateTime=0x1d5eb91, ftLastAccessTime.dwLowDateTime=0x1799fc30, ftLastAccessTime.dwHighDateTime=0x1d5ef74, ftLastWriteTime.dwLowDateTime=0x1799fc30, ftLastWriteTime.dwHighDateTime=0x1d5ef74, nFileSizeHigh=0x0, nFileSizeLow=0x12443, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="rWGB48U5-U.m4a", cAlternateFileName="RWGB48~1.M4A")) returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2=".") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="..") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="...") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="windows") returned -1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="$RECYCLE.BIN") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="rsa") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="NTDETECT.COM") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="ntldr") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="MSDOS.SYS") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="IO.SYS") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="boot.ini") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="ntuser.dat") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="desktop.ini") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="CONFIG.SYS") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="RECYCLER") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="BOOTSECT.BAK") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="bootmgr") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="programdata") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="appdata") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="program files") returned 1 [0106.062] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="program files (x86)") returned 1 [0106.063] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="microsoft") returned 1 [0106.063] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="sophos") returned -1 [0106.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e360 [0106.063] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.063] PathFindExtensionW (pszPath="rWGB48U5-U.m4a") returned=".m4a" [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0106.063] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0106.063] lstrcmpiW (lpString1="rWGB48U5-U.m4a", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0106.063] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\rWGB48U5-U.m4a" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\rwgb48u5-u.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0106.063] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=74819) returned 1 [0106.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0106.063] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.063] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0106.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0106.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0106.064] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x100) returned 1 [0106.065] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be794*=0x100) returned 1 [0106.066] GetTickCount () returned 0x115ba82 [0106.067] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0106.067] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0106.067] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12443, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.067] SetLastError (dwErrCode=0x0) [0106.067] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.067] GetLastError () returned 0x0 [0106.067] GetLastError () returned 0x0 [0106.067] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12543, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.068] WriteFile (in: hFile=0x270, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.068] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12643, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.068] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3a37485a, dwHighDateTime=0x1d5f971)) [0106.068] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0106.068] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0106.068] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0106.068] GetProcessHeap () returned 0xbc0000 [0106.068] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x12443) returned 0xbf2638 [0106.068] GetSystemDefaultLangID () returned 0xbd0409 [0106.068] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.068] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x12443, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x12443, lpOverlapped=0x0) returned 1 [0106.072] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.072] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x12443, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x12443, lpOverlapped=0x0) returned 1 [0106.072] GetProcessHeap () returned 0xbc0000 [0106.072] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0106.072] CloseHandle (hObject=0x270) returned 1 [0106.072] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0106.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0106.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0106.073] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0106.073] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\rWGB48U5-U.m4a" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\rwgb48u5-u.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\rWGB48U5-U.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\rwgb48u5-u.m4a.nefilim")) returned 1 [0106.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.073] FindNextFileW (in: hFindFile=0xbe2808, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa75bd6b0, ftCreationTime.dwHighDateTime=0x1d5e84c, ftLastAccessTime.dwLowDateTime=0x487207f0, ftLastAccessTime.dwHighDateTime=0x1d5ea9f, ftLastWriteTime.dwLowDateTime=0x487207f0, ftLastWriteTime.dwHighDateTime=0x1d5ea9f, nFileSizeHigh=0x0, nFileSizeLow=0xa0c1, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="Ylt-Cl9YGBVYZsANey.wav", cAlternateFileName="YLT-CL~1.WAV")) returned 1 [0106.073] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2=".") returned 1 [0106.073] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="..") returned 1 [0106.073] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="...") returned 1 [0106.073] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="windows") returned 1 [0106.073] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="$RECYCLE.BIN") returned 1 [0106.073] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="rsa") returned 1 [0106.073] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="NTDETECT.COM") returned 1 [0106.073] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="ntldr") returned 1 [0106.073] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="MSDOS.SYS") returned 1 [0106.073] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="IO.SYS") returned 1 [0106.073] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="boot.ini") returned 1 [0106.073] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="AUTOEXEC.BAT") returned 1 [0106.074] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="ntuser.dat") returned 1 [0106.074] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="desktop.ini") returned 1 [0106.074] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="CONFIG.SYS") returned 1 [0106.074] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="RECYCLER") returned 1 [0106.074] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="BOOTSECT.BAK") returned 1 [0106.074] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="bootmgr") returned 1 [0106.074] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="programdata") returned 1 [0106.074] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="appdata") returned 1 [0106.074] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="program files") returned 1 [0106.074] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="program files (x86)") returned 1 [0106.074] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="microsoft") returned 1 [0106.074] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="sophos") returned 1 [0106.074] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0106.074] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0106.074] PathFindExtensionW (pszPath="Ylt-Cl9YGBVYZsANey.wav") returned=".wav" [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0106.074] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0106.074] lstrcmpiW (lpString1="Ylt-Cl9YGBVYZsANey.wav", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.074] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be18 [0106.074] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\Ylt-Cl9YGBVYZsANey.wav" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\ylt-cl9ygbvyzsaney.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0106.075] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=41153) returned 1 [0106.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0106.075] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.075] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0106.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0106.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0106.075] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be798*=0x100) returned 1 [0106.075] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be794*=0x100) returned 1 [0106.075] GetTickCount () returned 0x115ba82 [0106.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e420 [0106.075] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e420 | out: hHeap=0x2680000) returned 1 [0106.075] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xa0c1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.075] SetLastError (dwErrCode=0x0) [0106.075] WriteFile (in: hFile=0x270, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.076] GetLastError () returned 0x0 [0106.076] GetLastError () returned 0x0 [0106.076] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xa1c1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.076] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.076] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xa2c1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.076] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3a37485a, dwHighDateTime=0x1d5f971)) [0106.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0106.076] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0106.076] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0106.077] GetProcessHeap () returned 0xbc0000 [0106.077] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xa0c1) returned 0xbf2638 [0106.077] GetSystemDefaultLangID () returned 0xbd0409 [0106.077] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.077] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xa0c1, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xa0c1, lpOverlapped=0x0) returned 1 [0106.079] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.079] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xa0c1, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xa0c1, lpOverlapped=0x0) returned 1 [0106.079] GetProcessHeap () returned 0xbc0000 [0106.079] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0106.079] CloseHandle (hObject=0x270) returned 1 [0106.079] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0106.079] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0106.079] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.079] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0106.079] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e2e8 [0106.079] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\Ylt-Cl9YGBVYZsANey.wav" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\ylt-cl9ygbvyzsaney.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\s 2k1PnFlkUHh\\Ylt-Cl9YGBVYZsANey.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\s 2k1pnflkuhh\\ylt-cl9ygbvyzsaney.wav.nefilim")) returned 1 [0106.080] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.080] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0106.080] FindNextFileW (in: hFindFile=0xbe2808, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaa2f980, ftCreationTime.dwHighDateTime=0x1d5e6ed, ftLastAccessTime.dwLowDateTime=0xa1285510, ftLastAccessTime.dwHighDateTime=0x1d5e7cb, ftLastWriteTime.dwLowDateTime=0xa1285510, ftLastWriteTime.dwHighDateTime=0x1d5e7cb, nFileSizeHigh=0x0, nFileSizeLow=0xd704, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="yVvXhTdhNsdTeR9Fp.mp3", cAlternateFileName="YVVXHT~1.MP3")) returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2=".") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="..") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="...") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="windows") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="$RECYCLE.BIN") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="rsa") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="NTDETECT.COM") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="ntldr") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="MSDOS.SYS") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="IO.SYS") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="boot.ini") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="ntuser.dat") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="desktop.ini") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="CONFIG.SYS") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="RECYCLER") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="BOOTSECT.BAK") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="bootmgr") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="programdata") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="appdata") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="program files") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="program files (x86)") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="microsoft") returned 1 [0106.080] lstrcmpiW (lpString1="yVvXhTdhNsdTeR9Fp.mp3", lpString2="sophos") returned 1 [0106.080] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be18 [0106.080] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.081] PathFindExtensionW (pszPath="yVvXhTdhNsdTeR9Fp.mp3") returned=".mp3" [0106.081] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0106.081] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0106.081] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0106.081] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0106.081] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0106.081] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0106.081] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0106.081] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0106.081] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0106.081] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0106.081] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0106.081] FindNextFileW (in: hFindFile=0xbe2808, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfaa2f980, ftCreationTime.dwHighDateTime=0x1d5e6ed, ftLastAccessTime.dwLowDateTime=0xa1285510, ftLastAccessTime.dwHighDateTime=0x1d5e7cb, ftLastWriteTime.dwLowDateTime=0xa1285510, ftLastWriteTime.dwHighDateTime=0x1d5e7cb, nFileSizeHigh=0x0, nFileSizeLow=0xd704, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="yVvXhTdhNsdTeR9Fp.mp3", cAlternateFileName="YVVXHT~1.MP3")) returned 0 [0106.081] FindClose (in: hFindFile=0xbe2808 | out: hFindFile=0xbe2808) returned 1 [0106.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0106.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0106.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0106.081] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb1ef550, ftCreationTime.dwHighDateTime=0x1d5e765, ftLastAccessTime.dwLowDateTime=0x1e93590, ftLastAccessTime.dwHighDateTime=0x1d5e28b, ftLastWriteTime.dwLowDateTime=0x1e93590, ftLastWriteTime.dwHighDateTime=0x1d5e28b, nFileSizeHigh=0x0, nFileSizeLow=0x4f8, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="uAqQ-FQgm.m4a", cAlternateFileName="UAQQ-F~1.M4A")) returned 1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2=".") returned 1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="..") returned 1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="...") returned 1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="windows") returned -1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="$RECYCLE.BIN") returned 1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="rsa") returned 1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="NTDETECT.COM") returned 1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="ntldr") returned 1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="MSDOS.SYS") returned 1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="IO.SYS") returned 1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="boot.ini") returned 1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="ntuser.dat") returned 1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="desktop.ini") returned 1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="CONFIG.SYS") returned 1 [0106.081] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="RECYCLER") returned 1 [0106.082] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="BOOTSECT.BAK") returned 1 [0106.082] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="bootmgr") returned 1 [0106.082] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="programdata") returned 1 [0106.082] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="appdata") returned 1 [0106.082] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="program files") returned 1 [0106.082] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="program files (x86)") returned 1 [0106.082] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="microsoft") returned 1 [0106.082] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="sophos") returned 1 [0106.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0106.082] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.082] PathFindExtensionW (pszPath="uAqQ-FQgm.m4a") returned=".m4a" [0106.082] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0106.082] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0106.082] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0106.135] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0106.135] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0106.135] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0106.135] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0106.135] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0106.135] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0106.135] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0106.135] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0106.135] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0106.135] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0106.135] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0106.135] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0106.135] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0106.135] lstrcmpiW (lpString1="uAqQ-FQgm.m4a", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.135] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0106.135] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\uAqQ-FQgm.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uaqq-fqgm.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0106.135] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=1272) returned 1 [0106.135] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.135] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0106.135] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.135] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0106.136] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ee0 [0106.136] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0106.136] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ee0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ee0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0106.136] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25beab4*=0x100) returned 1 [0106.136] GetTickCount () returned 0x115bac1 [0106.136] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e7a0 [0106.136] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e7a0 | out: hHeap=0x2680000) returned 1 [0106.136] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4f8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.136] SetLastError (dwErrCode=0x0) [0106.136] WriteFile (in: hFile=0x26c, lpBuffer=0x29d0ee0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d0ee0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0106.137] GetLastError () returned 0x0 [0106.137] GetLastError () returned 0x0 [0106.137] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5f8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.137] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0106.137] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x6f8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.137] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3a40cff8, dwHighDateTime=0x1d5f971)) [0106.137] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0106.137] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0106.137] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0106.137] GetProcessHeap () returned 0xbc0000 [0106.137] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x4f8) returned 0xbe3f48 [0106.137] GetSystemDefaultLangID () returned 0xbd0409 [0106.137] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.138] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x4f8, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0x4f8, lpOverlapped=0x0) returned 1 [0106.138] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.138] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x4f8, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0x4f8, lpOverlapped=0x0) returned 1 [0106.138] GetProcessHeap () returned 0xbc0000 [0106.138] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0106.138] CloseHandle (hObject=0x26c) returned 1 [0106.138] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ee0 | out: hHeap=0x2680000) returned 1 [0106.138] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0106.138] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.138] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0106.138] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681278 [0106.138] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\uAqQ-FQgm.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uaqq-fqgm.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\uAqQ-FQgm.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\uaqq-fqgm.m4a.nefilim")) returned 1 [0106.139] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0106.139] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.139] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5491a6c0, ftCreationTime.dwHighDateTime=0x1d5e181, ftLastAccessTime.dwLowDateTime=0xd9ac5bf0, ftLastAccessTime.dwHighDateTime=0x1d5e8f9, ftLastWriteTime.dwLowDateTime=0xd9ac5bf0, ftLastWriteTime.dwHighDateTime=0x1d5e8f9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="UWkQi", cAlternateFileName="")) returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2=".") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="..") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="...") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="windows") returned -1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="$RECYCLE.BIN") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="rsa") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="NTDETECT.COM") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="ntldr") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="MSDOS.SYS") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="IO.SYS") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="boot.ini") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="AUTOEXEC.BAT") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="ntuser.dat") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="desktop.ini") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="CONFIG.SYS") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="RECYCLER") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="BOOTSECT.BAK") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="bootmgr") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="programdata") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="appdata") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="program files") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="program files (x86)") returned 1 [0106.139] lstrcmpiW (lpString1="UWkQi", lpString2="microsoft") returned 1 [0106.140] lstrcmpiW (lpString1="UWkQi", lpString2="sophos") returned 1 [0106.140] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0106.140] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0106.140] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0106.140] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0106.140] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0106.140] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5491a6c0, ftCreationTime.dwHighDateTime=0x1d5e181, ftLastAccessTime.dwLowDateTime=0xd9ac5bf0, ftLastAccessTime.dwHighDateTime=0x1d5e8f9, ftLastWriteTime.dwLowDateTime=0xd9ac5bf0, ftLastWriteTime.dwHighDateTime=0x1d5e8f9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26804b8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2588 [0106.140] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.140] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5491a6c0, ftCreationTime.dwHighDateTime=0x1d5e181, ftLastAccessTime.dwLowDateTime=0xd9ac5bf0, ftLastAccessTime.dwHighDateTime=0x1d5e8f9, ftLastWriteTime.dwLowDateTime=0xd9ac5bf0, ftLastWriteTime.dwHighDateTime=0x1d5e8f9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26804b8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.140] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.140] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.140] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4d1773e0, ftCreationTime.dwHighDateTime=0x1d5e17a, ftLastAccessTime.dwLowDateTime=0xc4df7250, ftLastAccessTime.dwHighDateTime=0x1d5f06c, ftLastWriteTime.dwLowDateTime=0xc4df7250, ftLastWriteTime.dwHighDateTime=0x1d5f06c, nFileSizeHigh=0x0, nFileSizeLow=0x6788, dwReserved0=0x26804b8, dwReserved1=0x0, cFileName="d50rPpLZXol_.mp3", cAlternateFileName="D50RPP~1.MP3")) returned 1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2=".") returned 1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="..") returned 1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="...") returned 1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="windows") returned -1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="$RECYCLE.BIN") returned 1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="rsa") returned -1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="NTDETECT.COM") returned -1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="ntldr") returned -1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="MSDOS.SYS") returned -1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="IO.SYS") returned -1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="boot.ini") returned 1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="ntuser.dat") returned -1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="desktop.ini") returned -1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="CONFIG.SYS") returned 1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="RECYCLER") returned -1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="BOOTSECT.BAK") returned 1 [0106.140] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="bootmgr") returned 1 [0106.141] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="programdata") returned -1 [0106.141] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="appdata") returned 1 [0106.141] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="program files") returned -1 [0106.141] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="program files (x86)") returned -1 [0106.141] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="microsoft") returned -1 [0106.141] lstrcmpiW (lpString1="d50rPpLZXol_.mp3", lpString2="sophos") returned -1 [0106.141] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680500 [0106.141] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.141] PathFindExtensionW (pszPath="d50rPpLZXol_.mp3") returned=".mp3" [0106.141] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0106.141] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0106.141] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0106.141] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0106.141] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0106.141] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0106.141] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0106.141] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0106.141] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0106.141] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0106.141] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0106.141] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd1e75820, ftCreationTime.dwHighDateTime=0x1d5ead9, ftLastAccessTime.dwLowDateTime=0x35dd1030, ftLastAccessTime.dwHighDateTime=0x1d5e78e, ftLastWriteTime.dwLowDateTime=0x35dd1030, ftLastWriteTime.dwHighDateTime=0x1d5e78e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26804b8, dwReserved1=0x0, cFileName="M-mP_ul1mfS", cAlternateFileName="M-MP_U~1")) returned 1 [0106.141] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2=".") returned 1 [0106.141] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="..") returned 1 [0106.141] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="...") returned 1 [0106.141] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="windows") returned -1 [0106.141] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="$RECYCLE.BIN") returned 1 [0106.141] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="rsa") returned -1 [0106.141] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="NTDETECT.COM") returned -1 [0106.141] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="ntldr") returned -1 [0106.141] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="MSDOS.SYS") returned -1 [0106.141] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="IO.SYS") returned 1 [0106.141] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="boot.ini") returned 1 [0106.141] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="AUTOEXEC.BAT") returned 1 [0106.141] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="ntuser.dat") returned -1 [0106.141] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="desktop.ini") returned 1 [0106.142] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="CONFIG.SYS") returned 1 [0106.142] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="RECYCLER") returned -1 [0106.142] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="BOOTSECT.BAK") returned 1 [0106.142] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="bootmgr") returned 1 [0106.142] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="programdata") returned -1 [0106.142] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="appdata") returned 1 [0106.142] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="program files") returned -1 [0106.142] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="program files (x86)") returned -1 [0106.142] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="microsoft") returned 1 [0106.142] lstrcmpiW (lpString1="M-mP_ul1mfS", lpString2="sophos") returned -1 [0106.142] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0106.142] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x76) returned 0x268e340 [0106.142] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.142] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0106.142] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0106.142] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680520 [0106.142] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0106.142] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\M-mP_ul1mfS\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd1e75820, ftCreationTime.dwHighDateTime=0x1d5ead9, ftLastAccessTime.dwLowDateTime=0x35dd1030, ftLastAccessTime.dwHighDateTime=0x1d5e78e, ftLastWriteTime.dwLowDateTime=0x35dd1030, ftLastWriteTime.dwHighDateTime=0x1d5e78e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x29000029, cFileName=".", cAlternateFileName="")) returned 0xbe24c8 [0106.142] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.142] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd1e75820, ftCreationTime.dwHighDateTime=0x1d5ead9, ftLastAccessTime.dwLowDateTime=0x35dd1030, ftLastAccessTime.dwHighDateTime=0x1d5e78e, ftLastWriteTime.dwLowDateTime=0x35dd1030, ftLastWriteTime.dwHighDateTime=0x1d5e78e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x29000029, cFileName="..", cAlternateFileName="")) returned 1 [0106.142] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.142] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.142] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8310b8b0, ftCreationTime.dwHighDateTime=0x1d5ed52, ftLastAccessTime.dwLowDateTime=0x6f74f8b0, ftLastAccessTime.dwHighDateTime=0x1d5e867, ftLastWriteTime.dwLowDateTime=0x6f74f8b0, ftLastWriteTime.dwHighDateTime=0x1d5e867, nFileSizeHigh=0x0, nFileSizeLow=0x6017, dwReserved0=0x0, dwReserved1=0x29000029, cFileName="EpSdchr.m4a", cAlternateFileName="")) returned 1 [0106.142] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2=".") returned 1 [0106.142] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="..") returned 1 [0106.142] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="...") returned 1 [0106.142] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="windows") returned -1 [0106.142] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="$RECYCLE.BIN") returned 1 [0106.142] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="rsa") returned -1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="NTDETECT.COM") returned -1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="ntldr") returned -1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="MSDOS.SYS") returned -1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="IO.SYS") returned -1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="boot.ini") returned 1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="ntuser.dat") returned -1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="desktop.ini") returned 1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="CONFIG.SYS") returned 1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="RECYCLER") returned -1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="BOOTSECT.BAK") returned 1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="bootmgr") returned 1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="programdata") returned -1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="appdata") returned 1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="program files") returned -1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="program files (x86)") returned -1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="microsoft") returned -1 [0106.143] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="sophos") returned -1 [0106.143] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bdf8 [0106.143] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.143] PathFindExtensionW (pszPath="EpSdchr.m4a") returned=".m4a" [0106.143] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0106.143] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0106.143] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0106.143] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0106.143] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0106.143] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0106.143] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0106.143] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0106.143] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0106.143] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0106.143] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0106.143] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0106.143] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0106.143] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0106.143] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0106.144] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0106.144] lstrcmpiW (lpString1="EpSdchr.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.144] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e800 [0106.144] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\M-mP_ul1mfS\\EpSdchr.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\m-mp_ul1mfs\\epsdchr.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0106.144] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=24599) returned 1 [0106.144] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0106.144] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0106.144] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0106.144] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0106.144] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0106.144] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0106.144] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25be478*=0x100) returned 1 [0106.146] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be474*=0x100) returned 1 [0106.147] GetTickCount () returned 0x115bad0 [0106.148] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0106.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0106.148] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6017, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.148] SetLastError (dwErrCode=0x0) [0106.148] WriteFile (in: hFile=0x274, lpBuffer=0x29d0178*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0178*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.148] GetLastError () returned 0x0 [0106.148] GetLastError () returned 0x0 [0106.149] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6117, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.149] WriteFile (in: hFile=0x274, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.149] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x6217, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.149] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3a433416, dwHighDateTime=0x1d5f971)) [0106.149] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e2e8 [0106.149] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.149] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0106.149] GetProcessHeap () returned 0xbc0000 [0106.149] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x6017) returned 0xbf3640 [0106.149] GetSystemDefaultLangID () returned 0xbd0409 [0106.149] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.149] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x6017, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x6017, lpOverlapped=0x0) returned 1 [0106.150] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.150] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x6017, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x6017, lpOverlapped=0x0) returned 1 [0106.150] GetProcessHeap () returned 0xbc0000 [0106.150] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0106.151] CloseHandle (hObject=0x274) returned 1 [0106.151] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0178 | out: hHeap=0x2680000) returned 1 [0106.151] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0106.151] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0106.151] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e168 | out: hHeap=0x2680000) returned 1 [0106.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e878 [0106.151] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\M-mP_ul1mfS\\EpSdchr.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\m-mp_ul1mfs\\epsdchr.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\M-mP_ul1mfS\\EpSdchr.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\m-mp_ul1mfs\\epsdchr.m4a.nefilim")) returned 1 [0106.151] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e878 | out: hHeap=0x2680000) returned 1 [0106.151] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0106.151] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6dda9be0, ftCreationTime.dwHighDateTime=0x1d5efb5, ftLastAccessTime.dwLowDateTime=0x4af21d50, ftLastAccessTime.dwHighDateTime=0x1d5e624, ftLastWriteTime.dwLowDateTime=0x4af21d50, ftLastWriteTime.dwHighDateTime=0x1d5e624, nFileSizeHigh=0x0, nFileSizeLow=0x6891, dwReserved0=0x0, dwReserved1=0x29000029, cFileName="y2K4Y.mp3", cAlternateFileName="")) returned 1 [0106.151] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2=".") returned 1 [0106.151] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="..") returned 1 [0106.151] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="...") returned 1 [0106.151] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="windows") returned 1 [0106.151] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="$RECYCLE.BIN") returned 1 [0106.151] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="rsa") returned 1 [0106.151] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="NTDETECT.COM") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="ntldr") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="MSDOS.SYS") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="IO.SYS") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="boot.ini") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="ntuser.dat") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="desktop.ini") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="CONFIG.SYS") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="RECYCLER") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="BOOTSECT.BAK") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="bootmgr") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="programdata") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="appdata") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="program files") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="program files (x86)") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="microsoft") returned 1 [0106.152] lstrcmpiW (lpString1="y2K4Y.mp3", lpString2="sophos") returned 1 [0106.152] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e800 [0106.152] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0106.152] PathFindExtensionW (pszPath="y2K4Y.mp3") returned=".mp3" [0106.152] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0106.152] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0106.152] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0106.152] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0106.152] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0106.152] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0106.152] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0106.152] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0106.152] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0106.152] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0106.152] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0106.152] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd87f780, ftCreationTime.dwHighDateTime=0x1d5ef31, ftLastAccessTime.dwLowDateTime=0x4fc7e6c0, ftLastAccessTime.dwHighDateTime=0x1d5e831, ftLastWriteTime.dwLowDateTime=0x4fc7e6c0, ftLastWriteTime.dwHighDateTime=0x1d5e831, nFileSizeHigh=0x0, nFileSizeLow=0x635b, dwReserved0=0x0, dwReserved1=0x29000029, cFileName="_jCbLZ.wav", cAlternateFileName="")) returned 1 [0106.152] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2=".") returned 1 [0106.152] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="..") returned 1 [0106.152] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="...") returned 1 [0106.152] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="windows") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="$RECYCLE.BIN") returned 1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="rsa") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="NTDETECT.COM") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="ntldr") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="MSDOS.SYS") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="IO.SYS") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="boot.ini") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="AUTOEXEC.BAT") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="ntuser.dat") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="desktop.ini") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="CONFIG.SYS") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="RECYCLER") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="BOOTSECT.BAK") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="bootmgr") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="programdata") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="appdata") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="program files") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="program files (x86)") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="microsoft") returned -1 [0106.153] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="sophos") returned -1 [0106.153] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0106.153] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0106.153] PathFindExtensionW (pszPath="_jCbLZ.wav") returned=".wav" [0106.153] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0106.153] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0106.153] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0106.153] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0106.153] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0106.153] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0106.153] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0106.153] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0106.153] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0106.153] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0106.153] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0106.153] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0106.153] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0106.154] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0106.154] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0106.154] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0106.154] lstrcmpiW (lpString1="_jCbLZ.wav", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.154] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0106.154] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\M-mP_ul1mfS\\_jCbLZ.wav" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\m-mp_ul1mfs\\_jcblz.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0106.154] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=25435) returned 1 [0106.154] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.154] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0106.154] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.154] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0106.154] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0106.154] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0106.154] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be478*=0x100) returned 1 [0106.154] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25be474*=0x100) returned 1 [0106.155] GetTickCount () returned 0x115bad0 [0106.155] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0106.155] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0106.155] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x635b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.155] SetLastError (dwErrCode=0x0) [0106.155] WriteFile (in: hFile=0x274, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.155] GetLastError () returned 0x0 [0106.156] GetLastError () returned 0x0 [0106.156] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x645b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.156] WriteFile (in: hFile=0x274, lpBuffer=0x29d0388*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0388*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.156] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x655b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.156] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3a433416, dwHighDateTime=0x1d5f971)) [0106.156] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0106.156] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0106.156] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0106.156] GetProcessHeap () returned 0xbc0000 [0106.156] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x635b) returned 0xbf3640 [0106.156] GetSystemDefaultLangID () returned 0xbd0409 [0106.156] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.156] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x635b, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x635b, lpOverlapped=0x0) returned 1 [0106.157] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.157] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x635b, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x635b, lpOverlapped=0x0) returned 1 [0106.157] GetProcessHeap () returned 0xbc0000 [0106.157] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0106.158] CloseHandle (hObject=0x274) returned 1 [0106.158] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0106.158] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0388 | out: hHeap=0x2680000) returned 1 [0106.158] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.158] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0106.158] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e800 [0106.158] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\M-mP_ul1mfS\\_jCbLZ.wav" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\m-mp_ul1mfs\\_jcblz.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\M-mP_ul1mfS\\_jCbLZ.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\m-mp_ul1mfs\\_jcblz.wav.nefilim")) returned 1 [0106.160] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0106.160] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0106.160] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xfd87f780, ftCreationTime.dwHighDateTime=0x1d5ef31, ftLastAccessTime.dwLowDateTime=0x4fc7e6c0, ftLastAccessTime.dwHighDateTime=0x1d5e831, ftLastWriteTime.dwLowDateTime=0x4fc7e6c0, ftLastWriteTime.dwHighDateTime=0x1d5e831, nFileSizeHigh=0x0, nFileSizeLow=0x635b, dwReserved0=0x0, dwReserved1=0x29000029, cFileName="_jCbLZ.wav", cAlternateFileName="")) returned 0 [0106.160] FindClose (in: hFindFile=0xbe24c8 | out: hFindFile=0xbe24c8) returned 1 [0106.160] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.160] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0106.160] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.160] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x714485f0, ftCreationTime.dwHighDateTime=0x1d5e661, ftLastAccessTime.dwLowDateTime=0x43b58260, ftLastAccessTime.dwHighDateTime=0x1d5e59e, ftLastWriteTime.dwLowDateTime=0x43b58260, ftLastWriteTime.dwHighDateTime=0x1d5e59e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26804b8, dwReserved1=0x0, cFileName="nFkInJKIo11_66", cAlternateFileName="NFKINJ~1")) returned 1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2=".") returned 1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="..") returned 1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="...") returned 1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="windows") returned -1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="$RECYCLE.BIN") returned 1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="rsa") returned -1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="NTDETECT.COM") returned -1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="ntldr") returned -1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="MSDOS.SYS") returned 1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="IO.SYS") returned 1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="boot.ini") returned 1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="AUTOEXEC.BAT") returned 1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="ntuser.dat") returned -1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="desktop.ini") returned 1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="CONFIG.SYS") returned 1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="RECYCLER") returned -1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="BOOTSECT.BAK") returned 1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="bootmgr") returned 1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="programdata") returned -1 [0106.160] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="appdata") returned 1 [0106.161] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="program files") returned -1 [0106.161] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="program files (x86)") returned -1 [0106.161] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="microsoft") returned 1 [0106.161] lstrcmpiW (lpString1="nFkInJKIo11_66", lpString2="sophos") returned -1 [0106.161] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0106.161] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0106.161] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680520 [0106.161] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0106.161] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e350 [0106.161] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\nFkInJKIo11_66\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x714485f0, ftCreationTime.dwHighDateTime=0x1d5e661, ftLastAccessTime.dwLowDateTime=0x43b58260, ftLastAccessTime.dwHighDateTime=0x1d5e59e, ftLastWriteTime.dwLowDateTime=0x43b58260, ftLastWriteTime.dwHighDateTime=0x1d5e59e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x29000029, cFileName=".", cAlternateFileName="")) returned 0xbe2348 [0106.161] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.161] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x714485f0, ftCreationTime.dwHighDateTime=0x1d5e661, ftLastAccessTime.dwLowDateTime=0x43b58260, ftLastAccessTime.dwHighDateTime=0x1d5e59e, ftLastWriteTime.dwLowDateTime=0x43b58260, ftLastWriteTime.dwHighDateTime=0x1d5e59e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x29000029, cFileName="..", cAlternateFileName="")) returned 1 [0106.161] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.161] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.161] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe1ebdec0, ftCreationTime.dwHighDateTime=0x1d5ec2e, ftLastAccessTime.dwLowDateTime=0x84228b70, ftLastAccessTime.dwHighDateTime=0x1d5e25d, ftLastWriteTime.dwLowDateTime=0x84228b70, ftLastWriteTime.dwHighDateTime=0x1d5e25d, nFileSizeHigh=0x0, nFileSizeLow=0x7662, dwReserved0=0x0, dwReserved1=0x29000029, cFileName="D1KZ.mp3", cAlternateFileName="")) returned 1 [0106.161] lstrcmpiW (lpString1="D1KZ.mp3", lpString2=".") returned 1 [0106.161] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="..") returned 1 [0106.161] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="...") returned 1 [0106.161] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="windows") returned -1 [0106.161] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="$RECYCLE.BIN") returned 1 [0106.161] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="rsa") returned -1 [0106.161] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="NTDETECT.COM") returned -1 [0106.161] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="ntldr") returned -1 [0106.161] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="MSDOS.SYS") returned -1 [0106.161] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="IO.SYS") returned -1 [0106.161] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="boot.ini") returned 1 [0106.161] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0106.161] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="ntuser.dat") returned -1 [0106.161] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="desktop.ini") returned -1 [0106.161] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="CONFIG.SYS") returned 1 [0106.162] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="RECYCLER") returned -1 [0106.162] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="BOOTSECT.BAK") returned 1 [0106.162] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="bootmgr") returned 1 [0106.162] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="programdata") returned -1 [0106.162] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="appdata") returned 1 [0106.162] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="program files") returned -1 [0106.162] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="program files (x86)") returned -1 [0106.162] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="microsoft") returned -1 [0106.162] lstrcmpiW (lpString1="D1KZ.mp3", lpString2="sophos") returned -1 [0106.162] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0106.162] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0106.162] PathFindExtensionW (pszPath="D1KZ.mp3") returned=".mp3" [0106.162] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0106.162] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0106.162] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0106.162] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0106.162] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0106.162] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0106.162] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0106.162] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0106.162] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0106.162] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0106.162] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0106.162] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x39cc10d0, ftCreationTime.dwHighDateTime=0x1d5e471, ftLastAccessTime.dwLowDateTime=0x56d281a0, ftLastAccessTime.dwHighDateTime=0x1d5ef0c, ftLastWriteTime.dwLowDateTime=0x56d281a0, ftLastWriteTime.dwHighDateTime=0x1d5ef0c, nFileSizeHigh=0x0, nFileSizeLow=0x142fa, dwReserved0=0x0, dwReserved1=0x29000029, cFileName="g2W12aG_TB.m4a", cAlternateFileName="G2W12A~1.M4A")) returned 1 [0106.162] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2=".") returned 1 [0106.162] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="..") returned 1 [0106.162] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="...") returned 1 [0106.162] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="windows") returned -1 [0106.162] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="$RECYCLE.BIN") returned 1 [0106.162] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="rsa") returned -1 [0106.162] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="NTDETECT.COM") returned -1 [0106.162] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="ntldr") returned -1 [0106.162] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="MSDOS.SYS") returned -1 [0106.162] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="IO.SYS") returned -1 [0106.162] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="boot.ini") returned 1 [0106.163] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0106.163] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="ntuser.dat") returned -1 [0106.163] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="desktop.ini") returned 1 [0106.163] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="CONFIG.SYS") returned 1 [0106.163] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="RECYCLER") returned -1 [0106.163] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="BOOTSECT.BAK") returned 1 [0106.163] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="bootmgr") returned 1 [0106.163] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="programdata") returned -1 [0106.163] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="appdata") returned 1 [0106.163] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="program files") returned -1 [0106.163] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="program files (x86)") returned -1 [0106.163] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="microsoft") returned -1 [0106.163] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="sophos") returned -1 [0106.163] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e350 [0106.163] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.163] PathFindExtensionW (pszPath="g2W12aG_TB.m4a") returned=".m4a" [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0106.163] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0106.163] lstrcmpiW (lpString1="g2W12aG_TB.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.163] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0106.163] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\nFkInJKIo11_66\\g2W12aG_TB.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\nfkinjkio11_66\\g2w12ag_tb.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0106.164] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=82682) returned 1 [0106.164] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.164] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0106.164] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.164] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0106.164] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0106.164] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0106.164] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be478*=0x100) returned 1 [0106.164] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be474*=0x100) returned 1 [0106.165] GetTickCount () returned 0x115bae0 [0106.166] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0106.166] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0106.166] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x142fa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.166] SetLastError (dwErrCode=0x0) [0106.166] WriteFile (in: hFile=0x274, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.166] GetLastError () returned 0x0 [0106.166] GetLastError () returned 0x0 [0106.166] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x143fa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.167] WriteFile (in: hFile=0x274, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.167] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x144fa, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.167] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3a4593ce, dwHighDateTime=0x1d5f971)) [0106.167] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be18 [0106.167] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0106.167] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0106.167] GetProcessHeap () returned 0xbc0000 [0106.167] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x142fa) returned 0xbf3640 [0106.168] GetSystemDefaultLangID () returned 0xbd0409 [0106.168] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.168] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x142fa, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x142fa, lpOverlapped=0x0) returned 1 [0106.173] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.173] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x142fa, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x142fa, lpOverlapped=0x0) returned 1 [0106.173] GetProcessHeap () returned 0xbc0000 [0106.173] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0106.173] CloseHandle (hObject=0x274) returned 1 [0106.173] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0106.173] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0106.173] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.173] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0d8 | out: hHeap=0x2680000) returned 1 [0106.173] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be18 [0106.174] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\nFkInJKIo11_66\\g2W12aG_TB.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\nfkinjkio11_66\\g2w12ag_tb.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\nFkInJKIo11_66\\g2W12aG_TB.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\nfkinjkio11_66\\g2w12ag_tb.m4a.nefilim")) returned 1 [0106.174] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0106.174] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.174] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x123eca0, ftCreationTime.dwHighDateTime=0x1d5e181, ftLastAccessTime.dwLowDateTime=0x30b0b710, ftLastAccessTime.dwHighDateTime=0x1d5e699, ftLastWriteTime.dwLowDateTime=0x30b0b710, ftLastWriteTime.dwHighDateTime=0x1d5e699, nFileSizeHigh=0x0, nFileSizeLow=0xe35c, dwReserved0=0x0, dwReserved1=0x29000029, cFileName="kzAKrpg_hqD_DKV7Y.m4a", cAlternateFileName="KZAKRP~1.M4A")) returned 1 [0106.174] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2=".") returned 1 [0106.174] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="..") returned 1 [0106.174] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="...") returned 1 [0106.174] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="windows") returned -1 [0106.174] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="$RECYCLE.BIN") returned 1 [0106.174] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="rsa") returned -1 [0106.174] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="NTDETECT.COM") returned -1 [0106.174] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="ntldr") returned -1 [0106.174] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="MSDOS.SYS") returned -1 [0106.174] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="IO.SYS") returned 1 [0106.174] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="boot.ini") returned 1 [0106.174] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0106.174] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="ntuser.dat") returned -1 [0106.174] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="desktop.ini") returned 1 [0106.174] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="CONFIG.SYS") returned 1 [0106.175] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="RECYCLER") returned -1 [0106.175] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="BOOTSECT.BAK") returned 1 [0106.175] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="bootmgr") returned 1 [0106.175] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="programdata") returned -1 [0106.175] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="appdata") returned 1 [0106.175] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="program files") returned -1 [0106.175] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="program files (x86)") returned -1 [0106.175] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="microsoft") returned -1 [0106.175] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="sophos") returned -1 [0106.175] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0106.175] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0106.175] PathFindExtensionW (pszPath="kzAKrpg_hqD_DKV7Y.m4a") returned=".m4a" [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0106.175] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0106.175] lstrcmpiW (lpString1="kzAKrpg_hqD_DKV7Y.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.175] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e350 [0106.175] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\nFkInJKIo11_66\\kzAKrpg_hqD_DKV7Y.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\nfkinjkio11_66\\kzakrpg_hqd_dkv7y.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0106.175] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=58204) returned 1 [0106.176] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0106.176] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.176] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0106.225] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.225] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0106.225] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0106.225] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be478*=0x100) returned 1 [0106.225] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be474*=0x100) returned 1 [0106.225] GetTickCount () returned 0x115bb1f [0106.225] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0106.225] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0106.225] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe35c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.225] SetLastError (dwErrCode=0x0) [0106.226] WriteFile (in: hFile=0x274, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.226] GetLastError () returned 0x0 [0106.226] GetLastError () returned 0x0 [0106.226] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe45c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.227] WriteFile (in: hFile=0x274, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.227] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe55c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.227] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3a4f2047, dwHighDateTime=0x1d5f971)) [0106.227] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be28 [0106.227] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be28 | out: hHeap=0x2680000) returned 1 [0106.227] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0106.227] GetProcessHeap () returned 0xbc0000 [0106.227] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xe35c) returned 0xbf3640 [0106.227] GetSystemDefaultLangID () returned 0xbd0409 [0106.227] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.227] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0xe35c, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0xe35c, lpOverlapped=0x0) returned 1 [0106.230] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.230] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0xe35c, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0xe35c, lpOverlapped=0x0) returned 1 [0106.230] GetProcessHeap () returned 0xbc0000 [0106.230] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0106.230] CloseHandle (hObject=0x274) returned 1 [0106.230] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0106.230] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0106.230] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0106.230] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.230] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268be28 [0106.230] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\nFkInJKIo11_66\\kzAKrpg_hqD_DKV7Y.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\nfkinjkio11_66\\kzakrpg_hqd_dkv7y.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\nFkInJKIo11_66\\kzAKrpg_hqD_DKV7Y.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\nfkinjkio11_66\\kzakrpg_hqd_dkv7y.m4a.nefilim")) returned 1 [0106.231] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be28 | out: hHeap=0x2680000) returned 1 [0106.231] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0106.231] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f9b4fb0, ftCreationTime.dwHighDateTime=0x1d5eb78, ftLastAccessTime.dwLowDateTime=0xb2823250, ftLastAccessTime.dwHighDateTime=0x1d5eb6c, ftLastWriteTime.dwLowDateTime=0xb2823250, ftLastWriteTime.dwHighDateTime=0x1d5eb6c, nFileSizeHigh=0x0, nFileSizeLow=0x446e, dwReserved0=0x0, dwReserved1=0x29000029, cFileName="XgcaY7krKWej.wav", cAlternateFileName="XGCAY7~1.WAV")) returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2=".") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="..") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="...") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="windows") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="$RECYCLE.BIN") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="rsa") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="NTDETECT.COM") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="ntldr") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="MSDOS.SYS") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="IO.SYS") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="boot.ini") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="AUTOEXEC.BAT") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="ntuser.dat") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="desktop.ini") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="CONFIG.SYS") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="RECYCLER") returned 1 [0106.231] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="BOOTSECT.BAK") returned 1 [0106.232] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="bootmgr") returned 1 [0106.232] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="programdata") returned 1 [0106.232] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="appdata") returned 1 [0106.232] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="program files") returned 1 [0106.232] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="program files (x86)") returned 1 [0106.232] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="microsoft") returned 1 [0106.232] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="sophos") returned 1 [0106.232] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e350 [0106.232] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.232] PathFindExtensionW (pszPath="XgcaY7krKWej.wav") returned=".wav" [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0106.232] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0106.232] lstrcmpiW (lpString1="XgcaY7krKWej.wav", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.232] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0106.232] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\nFkInJKIo11_66\\XgcaY7krKWej.wav" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\nfkinjkio11_66\\xgcay7krkwej.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0106.232] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=17518) returned 1 [0106.232] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0106.232] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0106.233] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0106.233] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0106.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0106.233] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0106.233] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be478*=0x100) returned 1 [0106.233] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be474*=0x100) returned 1 [0106.234] GetTickCount () returned 0x115bb1f [0106.234] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0106.234] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0106.234] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x446e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.234] SetLastError (dwErrCode=0x0) [0106.235] WriteFile (in: hFile=0x274, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.235] GetLastError () returned 0x0 [0106.235] GetLastError () returned 0x0 [0106.235] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x456e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.235] WriteFile (in: hFile=0x274, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.235] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x466e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.235] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3a4f2047, dwHighDateTime=0x1d5f971)) [0106.236] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be18 [0106.236] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0106.236] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0106.236] GetProcessHeap () returned 0xbc0000 [0106.236] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x446e) returned 0xbf3640 [0106.237] GetSystemDefaultLangID () returned 0xbd0409 [0106.237] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.237] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x446e, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x446e, lpOverlapped=0x0) returned 1 [0106.238] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.238] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x446e, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x446e, lpOverlapped=0x0) returned 1 [0106.238] GetProcessHeap () returned 0xbc0000 [0106.238] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0106.238] CloseHandle (hObject=0x274) returned 1 [0106.242] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0106.242] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0106.242] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0106.242] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0106.242] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be18 [0106.242] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\nFkInJKIo11_66\\XgcaY7krKWej.wav" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\nfkinjkio11_66\\xgcay7krkwej.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\nFkInJKIo11_66\\XgcaY7krKWej.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\nfkinjkio11_66\\xgcay7krkwej.wav.nefilim")) returned 1 [0106.243] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0106.243] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.243] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6f9b4fb0, ftCreationTime.dwHighDateTime=0x1d5eb78, ftLastAccessTime.dwLowDateTime=0xb2823250, ftLastAccessTime.dwHighDateTime=0x1d5eb6c, ftLastWriteTime.dwLowDateTime=0xb2823250, ftLastWriteTime.dwHighDateTime=0x1d5eb6c, nFileSizeHigh=0x0, nFileSizeLow=0x446e, dwReserved0=0x0, dwReserved1=0x29000029, cFileName="XgcaY7krKWej.wav", cAlternateFileName="XGCAY7~1.WAV")) returned 0 [0106.243] FindClose (in: hFindFile=0xbe2348 | out: hFindFile=0xbe2348) returned 1 [0106.243] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0106.243] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.243] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0106.243] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x986e0100, ftCreationTime.dwHighDateTime=0x1d5ed6a, ftLastAccessTime.dwLowDateTime=0x5c3f0440, ftLastAccessTime.dwHighDateTime=0x1d5f102, ftLastWriteTime.dwLowDateTime=0x5c3f0440, ftLastWriteTime.dwHighDateTime=0x1d5f102, nFileSizeHigh=0x0, nFileSizeLow=0x17cec, dwReserved0=0x26804b8, dwReserved1=0x0, cFileName="OSzF.wav", cAlternateFileName="")) returned 1 [0106.243] lstrcmpiW (lpString1="OSzF.wav", lpString2=".") returned 1 [0106.243] lstrcmpiW (lpString1="OSzF.wav", lpString2="..") returned 1 [0106.243] lstrcmpiW (lpString1="OSzF.wav", lpString2="...") returned 1 [0106.243] lstrcmpiW (lpString1="OSzF.wav", lpString2="windows") returned -1 [0106.243] lstrcmpiW (lpString1="OSzF.wav", lpString2="$RECYCLE.BIN") returned 1 [0106.243] lstrcmpiW (lpString1="OSzF.wav", lpString2="rsa") returned -1 [0106.243] lstrcmpiW (lpString1="OSzF.wav", lpString2="NTDETECT.COM") returned 1 [0106.243] lstrcmpiW (lpString1="OSzF.wav", lpString2="ntldr") returned 1 [0106.243] lstrcmpiW (lpString1="OSzF.wav", lpString2="MSDOS.SYS") returned 1 [0106.243] lstrcmpiW (lpString1="OSzF.wav", lpString2="IO.SYS") returned 1 [0106.243] lstrcmpiW (lpString1="OSzF.wav", lpString2="boot.ini") returned 1 [0106.243] lstrcmpiW (lpString1="OSzF.wav", lpString2="AUTOEXEC.BAT") returned 1 [0106.243] lstrcmpiW (lpString1="OSzF.wav", lpString2="ntuser.dat") returned 1 [0106.243] lstrcmpiW (lpString1="OSzF.wav", lpString2="desktop.ini") returned 1 [0106.243] lstrcmpiW (lpString1="OSzF.wav", lpString2="CONFIG.SYS") returned 1 [0106.244] lstrcmpiW (lpString1="OSzF.wav", lpString2="RECYCLER") returned -1 [0106.244] lstrcmpiW (lpString1="OSzF.wav", lpString2="BOOTSECT.BAK") returned 1 [0106.244] lstrcmpiW (lpString1="OSzF.wav", lpString2="bootmgr") returned 1 [0106.244] lstrcmpiW (lpString1="OSzF.wav", lpString2="programdata") returned -1 [0106.244] lstrcmpiW (lpString1="OSzF.wav", lpString2="appdata") returned 1 [0106.244] lstrcmpiW (lpString1="OSzF.wav", lpString2="program files") returned -1 [0106.244] lstrcmpiW (lpString1="OSzF.wav", lpString2="program files (x86)") returned -1 [0106.244] lstrcmpiW (lpString1="OSzF.wav", lpString2="microsoft") returned 1 [0106.244] lstrcmpiW (lpString1="OSzF.wav", lpString2="sophos") returned -1 [0106.244] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680520 [0106.244] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.244] PathFindExtensionW (pszPath="OSzF.wav") returned=".wav" [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".exe") returned 1 [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".log") returned 1 [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".cab") returned 1 [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".cmd") returned 1 [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".com") returned 1 [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".cpl") returned 1 [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".ini") returned 1 [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".dll") returned 1 [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".url") returned 1 [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".ttf") returned 1 [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".mp3") returned 1 [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".pif") returned 1 [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".mp4") returned 1 [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".NEFILIM") returned 1 [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".msi") returned 1 [0106.244] lstrcmpiW (lpString1=".wav", lpString2=".lnk") returned 1 [0106.244] lstrcmpiW (lpString1="OSzF.wav", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.244] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0106.244] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\OSzF.wav" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\oszf.wav"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0106.245] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=97516) returned 1 [0106.245] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0106.245] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.245] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0106.245] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.245] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0106.245] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0106.245] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be798*=0x100) returned 1 [0106.245] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be794*=0x100) returned 1 [0106.246] GetTickCount () returned 0x115bb2e [0106.246] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0106.246] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0106.246] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x17cec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.247] SetLastError (dwErrCode=0x0) [0106.247] WriteFile (in: hFile=0x270, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.247] GetLastError () returned 0x0 [0106.247] GetLastError () returned 0x0 [0106.247] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x17dec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.247] WriteFile (in: hFile=0x270, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.247] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x17eec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.248] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3a518210, dwHighDateTime=0x1d5f971)) [0106.248] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e2e8 [0106.248] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.248] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0106.248] GetProcessHeap () returned 0xbc0000 [0106.248] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x17cec) returned 0xbf2638 [0106.249] GetSystemDefaultLangID () returned 0xbd0409 [0106.249] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.249] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x17cec, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x17cec, lpOverlapped=0x0) returned 1 [0106.255] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.255] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x17cec, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x17cec, lpOverlapped=0x0) returned 1 [0106.255] GetProcessHeap () returned 0xbc0000 [0106.255] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0106.255] CloseHandle (hObject=0x270) returned 1 [0106.255] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0106.255] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0106.256] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0106.256] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.256] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0106.256] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\OSzF.wav" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\oszf.wav"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\OSzF.wav.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\oszf.wav.nefilim")) returned 1 [0106.256] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.256] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.256] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0bc590, ftCreationTime.dwHighDateTime=0x1d5ea56, ftLastAccessTime.dwLowDateTime=0x57131f10, ftLastAccessTime.dwHighDateTime=0x1d5ebd5, ftLastWriteTime.dwLowDateTime=0x57131f10, ftLastWriteTime.dwHighDateTime=0x1d5ebd5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26804b8, dwReserved1=0x0, cFileName="vksE", cAlternateFileName="")) returned 1 [0106.256] lstrcmpiW (lpString1="vksE", lpString2=".") returned 1 [0106.256] lstrcmpiW (lpString1="vksE", lpString2="..") returned 1 [0106.256] lstrcmpiW (lpString1="vksE", lpString2="...") returned 1 [0106.256] lstrcmpiW (lpString1="vksE", lpString2="windows") returned -1 [0106.256] lstrcmpiW (lpString1="vksE", lpString2="$RECYCLE.BIN") returned 1 [0106.256] lstrcmpiW (lpString1="vksE", lpString2="rsa") returned 1 [0106.256] lstrcmpiW (lpString1="vksE", lpString2="NTDETECT.COM") returned 1 [0106.256] lstrcmpiW (lpString1="vksE", lpString2="ntldr") returned 1 [0106.256] lstrcmpiW (lpString1="vksE", lpString2="MSDOS.SYS") returned 1 [0106.256] lstrcmpiW (lpString1="vksE", lpString2="IO.SYS") returned 1 [0106.256] lstrcmpiW (lpString1="vksE", lpString2="boot.ini") returned 1 [0106.257] lstrcmpiW (lpString1="vksE", lpString2="AUTOEXEC.BAT") returned 1 [0106.257] lstrcmpiW (lpString1="vksE", lpString2="ntuser.dat") returned 1 [0106.257] lstrcmpiW (lpString1="vksE", lpString2="desktop.ini") returned 1 [0106.257] lstrcmpiW (lpString1="vksE", lpString2="CONFIG.SYS") returned 1 [0106.257] lstrcmpiW (lpString1="vksE", lpString2="RECYCLER") returned 1 [0106.257] lstrcmpiW (lpString1="vksE", lpString2="BOOTSECT.BAK") returned 1 [0106.257] lstrcmpiW (lpString1="vksE", lpString2="bootmgr") returned 1 [0106.257] lstrcmpiW (lpString1="vksE", lpString2="programdata") returned 1 [0106.257] lstrcmpiW (lpString1="vksE", lpString2="appdata") returned 1 [0106.257] lstrcmpiW (lpString1="vksE", lpString2="program files") returned 1 [0106.257] lstrcmpiW (lpString1="vksE", lpString2="program files (x86)") returned 1 [0106.257] lstrcmpiW (lpString1="vksE", lpString2="microsoft") returned 1 [0106.257] lstrcmpiW (lpString1="vksE", lpString2="sophos") returned 1 [0106.257] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0106.257] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0106.257] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0106.257] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0106.257] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0106.257] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0bc590, ftCreationTime.dwHighDateTime=0x1d5ea56, ftLastAccessTime.dwLowDateTime=0x57131f10, ftLastAccessTime.dwHighDateTime=0x1d5ebd5, ftLastWriteTime.dwLowDateTime=0x57131f10, ftLastWriteTime.dwHighDateTime=0x1d5ebd5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26804b8, dwReserved1=0x78, cFileName=".", cAlternateFileName="")) returned 0xbe24c8 [0106.257] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.257] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0bc590, ftCreationTime.dwHighDateTime=0x1d5ea56, ftLastAccessTime.dwLowDateTime=0x57131f10, ftLastAccessTime.dwHighDateTime=0x1d5ebd5, ftLastWriteTime.dwLowDateTime=0x57131f10, ftLastWriteTime.dwHighDateTime=0x1d5ebd5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26804b8, dwReserved1=0x78, cFileName="..", cAlternateFileName="")) returned 1 [0106.257] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.257] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.257] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2363720, ftCreationTime.dwHighDateTime=0x1d5ea1e, ftLastAccessTime.dwLowDateTime=0x33fe7870, ftLastAccessTime.dwHighDateTime=0x1d5ea3c, ftLastWriteTime.dwLowDateTime=0x33fe7870, ftLastWriteTime.dwHighDateTime=0x1d5ea3c, nFileSizeHigh=0x0, nFileSizeLow=0x8c07, dwReserved0=0x26804b8, dwReserved1=0x78, cFileName="4HENH.m4a", cAlternateFileName="")) returned 1 [0106.257] lstrcmpiW (lpString1="4HENH.m4a", lpString2=".") returned 1 [0106.257] lstrcmpiW (lpString1="4HENH.m4a", lpString2="..") returned 1 [0106.257] lstrcmpiW (lpString1="4HENH.m4a", lpString2="...") returned 1 [0106.257] lstrcmpiW (lpString1="4HENH.m4a", lpString2="windows") returned -1 [0106.257] lstrcmpiW (lpString1="4HENH.m4a", lpString2="$RECYCLE.BIN") returned 1 [0106.257] lstrcmpiW (lpString1="4HENH.m4a", lpString2="rsa") returned -1 [0106.257] lstrcmpiW (lpString1="4HENH.m4a", lpString2="NTDETECT.COM") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="ntldr") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="MSDOS.SYS") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="IO.SYS") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="boot.ini") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="AUTOEXEC.BAT") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="ntuser.dat") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="desktop.ini") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="CONFIG.SYS") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="RECYCLER") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="BOOTSECT.BAK") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="bootmgr") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="programdata") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="appdata") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="program files") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="program files (x86)") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="microsoft") returned -1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="sophos") returned -1 [0106.258] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0106.258] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0106.258] PathFindExtensionW (pszPath="4HENH.m4a") returned=".m4a" [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0106.258] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0106.258] lstrcmpiW (lpString1="4HENH.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e340 [0106.259] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\4HENH.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\4henh.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0106.259] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=35847) returned 1 [0106.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0106.259] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.259] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0106.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0106.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0106.259] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be478*=0x100) returned 1 [0106.259] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be474*=0x100) returned 1 [0106.259] GetTickCount () returned 0x115bb3e [0106.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0106.260] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0106.260] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x8c07, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.260] SetLastError (dwErrCode=0x0) [0106.260] WriteFile (in: hFile=0x274, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.260] GetLastError () returned 0x0 [0106.260] GetLastError () returned 0x0 [0106.260] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x8d07, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.260] WriteFile (in: hFile=0x274, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.261] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x8e07, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.261] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3a53e506, dwHighDateTime=0x1d5f971)) [0106.261] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e3a8 [0106.261] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a8 | out: hHeap=0x2680000) returned 1 [0106.261] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0106.261] GetProcessHeap () returned 0xbc0000 [0106.261] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x8c07) returned 0xbf3640 [0106.261] GetSystemDefaultLangID () returned 0xbd0409 [0106.261] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.261] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x8c07, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x8c07, lpOverlapped=0x0) returned 1 [0106.263] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.263] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x8c07, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x8c07, lpOverlapped=0x0) returned 1 [0106.263] GetProcessHeap () returned 0xbc0000 [0106.263] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0106.263] CloseHandle (hObject=0x274) returned 1 [0106.263] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0106.263] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0106.263] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.263] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0106.263] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bdf8 [0106.263] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\4HENH.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\4henh.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\4HENH.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\4henh.m4a.nefilim")) returned 1 [0106.264] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0106.264] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0106.264] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa626bdf0, ftCreationTime.dwHighDateTime=0x1d5f0a3, ftLastAccessTime.dwLowDateTime=0x25a6e8e0, ftLastAccessTime.dwHighDateTime=0x1d5e3e1, ftLastWriteTime.dwLowDateTime=0x25a6e8e0, ftLastWriteTime.dwHighDateTime=0x1d5e3e1, nFileSizeHigh=0x0, nFileSizeLow=0x7a88, dwReserved0=0x26804b8, dwReserved1=0x78, cFileName="l0-YhU.m4a", cAlternateFileName="")) returned 1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2=".") returned 1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="..") returned 1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="...") returned 1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="windows") returned -1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="$RECYCLE.BIN") returned 1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="rsa") returned -1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="NTDETECT.COM") returned -1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="ntldr") returned -1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="MSDOS.SYS") returned -1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="IO.SYS") returned 1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="boot.ini") returned 1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="ntuser.dat") returned -1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="desktop.ini") returned 1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="CONFIG.SYS") returned 1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="RECYCLER") returned -1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="BOOTSECT.BAK") returned 1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="bootmgr") returned 1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="programdata") returned -1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="appdata") returned 1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="program files") returned -1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="program files (x86)") returned -1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="microsoft") returned -1 [0106.264] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="sophos") returned -1 [0106.264] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e340 [0106.265] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.265] PathFindExtensionW (pszPath="l0-YhU.m4a") returned=".m4a" [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0106.265] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0106.265] lstrcmpiW (lpString1="l0-YhU.m4a", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0106.265] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\l0-YhU.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\l0-yhu.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0106.265] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=31368) returned 1 [0106.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0106.265] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.265] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0106.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0106.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0106.265] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be478*=0x100) returned 1 [0106.266] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be474*=0x100) returned 1 [0106.266] GetTickCount () returned 0x115bb3e [0106.266] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0106.266] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0106.266] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7a88, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.266] SetLastError (dwErrCode=0x0) [0106.266] WriteFile (in: hFile=0x274, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.267] GetLastError () returned 0x0 [0106.267] GetLastError () returned 0x0 [0106.267] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7b88, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.267] WriteFile (in: hFile=0x274, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.267] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7c88, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.267] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3a53e506, dwHighDateTime=0x1d5f971)) [0106.267] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e3a8 [0106.267] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3a8 | out: hHeap=0x2680000) returned 1 [0106.267] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0106.267] GetProcessHeap () returned 0xbc0000 [0106.267] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x7a88) returned 0xbf3640 [0106.267] GetSystemDefaultLangID () returned 0xbd0409 [0106.267] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.267] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x7a88, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x7a88, lpOverlapped=0x0) returned 1 [0106.269] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.269] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x7a88, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x7a88, lpOverlapped=0x0) returned 1 [0106.269] GetProcessHeap () returned 0xbc0000 [0106.269] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0106.335] CloseHandle (hObject=0x274) returned 1 [0106.336] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0106.336] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0106.336] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.336] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0106.336] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bdf8 [0106.336] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\l0-YhU.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\l0-yhu.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\l0-YhU.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\l0-yhu.m4a.nefilim")) returned 1 [0106.336] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0106.336] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.336] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x84fbb20, ftCreationTime.dwHighDateTime=0x1d5e1b9, ftLastAccessTime.dwLowDateTime=0xa0924f50, ftLastAccessTime.dwHighDateTime=0x1d5e97b, ftLastWriteTime.dwLowDateTime=0xa0924f50, ftLastWriteTime.dwHighDateTime=0x1d5e97b, nFileSizeHigh=0x0, nFileSizeLow=0xb40d, dwReserved0=0x26804b8, dwReserved1=0x78, cFileName="L5sbJ_2Io4gvVFp.mp3", cAlternateFileName="L5SBJ_~1.MP3")) returned 1 [0106.336] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2=".") returned 1 [0106.336] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="..") returned 1 [0106.336] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="...") returned 1 [0106.336] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="windows") returned -1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="$RECYCLE.BIN") returned 1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="rsa") returned -1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="NTDETECT.COM") returned -1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="ntldr") returned -1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="MSDOS.SYS") returned -1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="IO.SYS") returned 1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="boot.ini") returned 1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="ntuser.dat") returned -1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="desktop.ini") returned 1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="CONFIG.SYS") returned 1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="RECYCLER") returned -1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="BOOTSECT.BAK") returned 1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="bootmgr") returned 1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="programdata") returned -1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="appdata") returned 1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="program files") returned -1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="program files (x86)") returned -1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="microsoft") returned -1 [0106.337] lstrcmpiW (lpString1="L5sbJ_2Io4gvVFp.mp3", lpString2="sophos") returned -1 [0106.337] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0106.337] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0106.337] PathFindExtensionW (pszPath="L5sbJ_2Io4gvVFp.mp3") returned=".mp3" [0106.337] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0106.337] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0106.337] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0106.337] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0106.337] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0106.337] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0106.337] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0106.337] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0106.337] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0106.337] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0106.337] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0106.337] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb098fa0, ftCreationTime.dwHighDateTime=0x1d5e46c, ftLastAccessTime.dwLowDateTime=0x48a90860, ftLastAccessTime.dwHighDateTime=0x1d5e34a, ftLastWriteTime.dwLowDateTime=0x48a90860, ftLastWriteTime.dwHighDateTime=0x1d5e34a, nFileSizeHigh=0x0, nFileSizeLow=0x16a5d, dwReserved0=0x26804b8, dwReserved1=0x78, cFileName="mb0cXjuZNqY5.mp3", cAlternateFileName="MB0CXJ~1.MP3")) returned 1 [0106.337] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2=".") returned 1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="..") returned 1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="...") returned 1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="windows") returned -1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="$RECYCLE.BIN") returned 1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="rsa") returned -1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="NTDETECT.COM") returned -1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="ntldr") returned -1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="MSDOS.SYS") returned -1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="IO.SYS") returned 1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="boot.ini") returned 1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="ntuser.dat") returned -1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="desktop.ini") returned 1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="CONFIG.SYS") returned 1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="RECYCLER") returned -1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="BOOTSECT.BAK") returned 1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="bootmgr") returned 1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="programdata") returned -1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="appdata") returned 1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="program files") returned -1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="program files (x86)") returned -1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="microsoft") returned -1 [0106.338] lstrcmpiW (lpString1="mb0cXjuZNqY5.mp3", lpString2="sophos") returned -1 [0106.338] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e340 [0106.338] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.338] PathFindExtensionW (pszPath="mb0cXjuZNqY5.mp3") returned=".mp3" [0106.338] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0106.338] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0106.338] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0106.338] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0106.338] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0106.338] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0106.338] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0106.338] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0106.338] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0106.339] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0106.339] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0106.339] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcd51ae50, ftCreationTime.dwHighDateTime=0x1d5eb24, ftLastAccessTime.dwLowDateTime=0xddd33a20, ftLastAccessTime.dwHighDateTime=0x1d5f0cc, ftLastWriteTime.dwLowDateTime=0xddd33a20, ftLastWriteTime.dwHighDateTime=0x1d5f0cc, nFileSizeHigh=0x0, nFileSizeLow=0x15eb7, dwReserved0=0x26804b8, dwReserved1=0x78, cFileName="OtXLt6rtflkgVu.m4a", cAlternateFileName="OTXLT6~1.M4A")) returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2=".") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="..") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="...") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="windows") returned -1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="$RECYCLE.BIN") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="rsa") returned -1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="NTDETECT.COM") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="ntldr") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="MSDOS.SYS") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="IO.SYS") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="boot.ini") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="ntuser.dat") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="desktop.ini") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="CONFIG.SYS") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="RECYCLER") returned -1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="BOOTSECT.BAK") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="bootmgr") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="programdata") returned -1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="appdata") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="program files") returned -1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="program files (x86)") returned -1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="microsoft") returned 1 [0106.339] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="sophos") returned -1 [0106.339] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0106.339] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0106.339] PathFindExtensionW (pszPath="OtXLt6rtflkgVu.m4a") returned=".m4a" [0106.339] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0106.339] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0106.339] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0106.339] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0106.339] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0106.339] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0106.340] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0106.340] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0106.340] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0106.340] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0106.340] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0106.340] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0106.340] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0106.340] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0106.340] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0106.340] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0106.340] lstrcmpiW (lpString1="OtXLt6rtflkgVu.m4a", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.340] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e340 [0106.340] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\OtXLt6rtflkgVu.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\otxlt6rtflkgvu.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0106.340] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=89783) returned 1 [0106.340] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.340] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0106.340] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.340] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0106.340] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0106.340] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0106.340] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25be478*=0x100) returned 1 [0106.343] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be474*=0x100) returned 1 [0106.345] GetTickCount () returned 0x115bb8c [0106.345] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0106.345] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0106.345] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15eb7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.345] SetLastError (dwErrCode=0x0) [0106.346] WriteFile (in: hFile=0x274, lpBuffer=0x29d0ac0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0ac0*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.346] GetLastError () returned 0x0 [0106.346] GetLastError () returned 0x0 [0106.346] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x15fb7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.346] WriteFile (in: hFile=0x274, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.347] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x160b7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.347] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3a5fd039, dwHighDateTime=0x1d5f971)) [0106.347] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be08 [0106.347] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0106.347] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0106.347] GetProcessHeap () returned 0xbc0000 [0106.347] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x15eb7) returned 0xbf3640 [0106.347] GetSystemDefaultLangID () returned 0xbd0409 [0106.347] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.347] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x15eb7, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x15eb7, lpOverlapped=0x0) returned 1 [0106.353] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.353] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x15eb7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x15eb7, lpOverlapped=0x0) returned 1 [0106.353] GetProcessHeap () returned 0xbc0000 [0106.353] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0106.353] CloseHandle (hObject=0x274) returned 1 [0106.353] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0ac0 | out: hHeap=0x2680000) returned 1 [0106.353] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0106.353] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.353] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0106.353] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0106.353] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\OtXLt6rtflkgVu.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\otxlt6rtflkgvu.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\OtXLt6rtflkgVu.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\otxlt6rtflkgvu.m4a.nefilim")) returned 1 [0106.354] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0106.354] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0106.354] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6df07f10, ftCreationTime.dwHighDateTime=0x1d5e979, ftLastAccessTime.dwLowDateTime=0x2e1c0f50, ftLastAccessTime.dwHighDateTime=0x1d5e2b0, ftLastWriteTime.dwLowDateTime=0x2e1c0f50, ftLastWriteTime.dwHighDateTime=0x1d5e2b0, nFileSizeHigh=0x0, nFileSizeLow=0x11f32, dwReserved0=0x26804b8, dwReserved1=0x78, cFileName="pYZ5-NoMXhGbEKipU.m4a", cAlternateFileName="PYZ5-N~1.M4A")) returned 1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2=".") returned 1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="..") returned 1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="...") returned 1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="windows") returned -1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="$RECYCLE.BIN") returned 1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="rsa") returned -1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="NTDETECT.COM") returned 1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="ntldr") returned 1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="MSDOS.SYS") returned 1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="IO.SYS") returned 1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="boot.ini") returned 1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="ntuser.dat") returned 1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="desktop.ini") returned 1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="CONFIG.SYS") returned 1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="RECYCLER") returned -1 [0106.354] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="BOOTSECT.BAK") returned 1 [0106.355] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="bootmgr") returned 1 [0106.355] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="programdata") returned 1 [0106.355] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="appdata") returned 1 [0106.355] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="program files") returned 1 [0106.355] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="program files (x86)") returned 1 [0106.355] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="microsoft") returned 1 [0106.355] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="sophos") returned -1 [0106.355] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e340 [0106.355] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.355] PathFindExtensionW (pszPath="pYZ5-NoMXhGbEKipU.m4a") returned=".m4a" [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0106.355] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0106.355] lstrcmpiW (lpString1="pYZ5-NoMXhGbEKipU.m4a", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.355] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0106.355] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\pYZ5-NoMXhGbEKipU.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\pyz5-nomxhgbekipu.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0106.355] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=73522) returned 1 [0106.355] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0106.356] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0106.356] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0106.356] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0106.356] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0106.356] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0106.356] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be478*=0x100) returned 1 [0106.356] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25be474*=0x100) returned 1 [0106.356] GetTickCount () returned 0x115bb9c [0106.356] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e420 [0106.356] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e420 | out: hHeap=0x2680000) returned 1 [0106.356] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x11f32, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.356] SetLastError (dwErrCode=0x0) [0106.356] WriteFile (in: hFile=0x274, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.357] GetLastError () returned 0x0 [0106.357] GetLastError () returned 0x0 [0106.357] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x12032, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.357] WriteFile (in: hFile=0x274, lpBuffer=0x29d1b40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1b40*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.357] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x12132, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.357] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3a6230e8, dwHighDateTime=0x1d5f971)) [0106.357] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be08 [0106.358] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0106.358] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0106.358] GetProcessHeap () returned 0xbc0000 [0106.358] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11f32) returned 0xbf3640 [0106.358] GetSystemDefaultLangID () returned 0xbd0409 [0106.358] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.358] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x11f32, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x11f32, lpOverlapped=0x0) returned 1 [0106.361] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.361] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x11f32, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x11f32, lpOverlapped=0x0) returned 1 [0106.362] GetProcessHeap () returned 0xbc0000 [0106.362] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0106.362] CloseHandle (hObject=0x274) returned 1 [0106.362] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0106.362] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1b40 | out: hHeap=0x2680000) returned 1 [0106.362] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0106.362] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0106.362] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0106.362] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\pYZ5-NoMXhGbEKipU.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\pyz5-nomxhgbekipu.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\pYZ5-NoMXhGbEKipU.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\pyz5-nomxhgbekipu.m4a.nefilim")) returned 1 [0106.362] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0106.362] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.362] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53628c00, ftCreationTime.dwHighDateTime=0x1d5ec4a, ftLastAccessTime.dwLowDateTime=0xe9928e00, ftLastAccessTime.dwHighDateTime=0x1d5e420, ftLastWriteTime.dwLowDateTime=0xe9928e00, ftLastWriteTime.dwHighDateTime=0x1d5e420, nFileSizeHigh=0x0, nFileSizeLow=0x7c87, dwReserved0=0x26804b8, dwReserved1=0x78, cFileName="sErhpIr4fqgty3Y2GWQ.m4a", cAlternateFileName="SERHPI~1.M4A")) returned 1 [0106.362] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2=".") returned 1 [0106.362] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="..") returned 1 [0106.362] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="...") returned 1 [0106.362] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="windows") returned -1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="$RECYCLE.BIN") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="rsa") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="NTDETECT.COM") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="ntldr") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="MSDOS.SYS") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="IO.SYS") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="boot.ini") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="ntuser.dat") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="desktop.ini") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="CONFIG.SYS") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="RECYCLER") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="BOOTSECT.BAK") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="bootmgr") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="programdata") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="appdata") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="program files") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="program files (x86)") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="microsoft") returned 1 [0106.363] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="sophos") returned -1 [0106.363] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0106.363] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0106.363] PathFindExtensionW (pszPath="sErhpIr4fqgty3Y2GWQ.m4a") returned=".m4a" [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0106.364] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0106.364] lstrcmpiW (lpString1="sErhpIr4fqgty3Y2GWQ.m4a", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.364] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e340 [0106.364] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\sErhpIr4fqgty3Y2GWQ.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\serhpir4fqgty3y2gwq.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0106.364] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=31879) returned 1 [0106.364] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0106.364] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.364] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0106.364] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.364] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0106.364] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0106.364] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25be478*=0x100) returned 1 [0106.365] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be474*=0x100) returned 1 [0106.366] GetTickCount () returned 0x115bbab [0106.366] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0106.366] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0106.366] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7c87, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.366] SetLastError (dwErrCode=0x0) [0106.366] WriteFile (in: hFile=0x274, lpBuffer=0x29d1408*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1408*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.367] GetLastError () returned 0x0 [0106.367] GetLastError () returned 0x0 [0106.367] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7d87, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.367] WriteFile (in: hFile=0x274, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.367] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x7e87, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.367] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3a649350, dwHighDateTime=0x1d5f971)) [0106.367] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be18 [0106.367] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0106.367] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0106.368] GetProcessHeap () returned 0xbc0000 [0106.368] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x7c87) returned 0xbf3640 [0106.369] GetSystemDefaultLangID () returned 0xbd0409 [0106.369] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.369] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x7c87, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x7c87, lpOverlapped=0x0) returned 1 [0106.371] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.371] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x7c87, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x7c87, lpOverlapped=0x0) returned 1 [0106.371] GetProcessHeap () returned 0xbc0000 [0106.371] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0106.371] CloseHandle (hObject=0x274) returned 1 [0106.371] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1408 | out: hHeap=0x2680000) returned 1 [0106.371] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0106.371] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e150 | out: hHeap=0x2680000) returned 1 [0106.371] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.371] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be18 [0106.371] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\sErhpIr4fqgty3Y2GWQ.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\serhpir4fqgty3y2gwq.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\sErhpIr4fqgty3Y2GWQ.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\serhpir4fqgty3y2gwq.m4a.nefilim")) returned 1 [0106.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0106.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0106.372] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xefa9c040, ftCreationTime.dwHighDateTime=0x1d5e0cb, ftLastAccessTime.dwLowDateTime=0xd7e6c050, ftLastAccessTime.dwHighDateTime=0x1d5e168, ftLastWriteTime.dwLowDateTime=0xd7e6c050, ftLastWriteTime.dwHighDateTime=0x1d5e168, nFileSizeHigh=0x0, nFileSizeLow=0x1cf8, dwReserved0=0x26804b8, dwReserved1=0x78, cFileName="yWMOkaR-bKkYa7.mp3", cAlternateFileName="YWMOKA~1.MP3")) returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2=".") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="..") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="...") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="windows") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="$RECYCLE.BIN") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="rsa") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="NTDETECT.COM") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="ntldr") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="MSDOS.SYS") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="IO.SYS") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="boot.ini") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="ntuser.dat") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="desktop.ini") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="CONFIG.SYS") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="RECYCLER") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="BOOTSECT.BAK") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="bootmgr") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="programdata") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="appdata") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="program files") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="program files (x86)") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="microsoft") returned 1 [0106.372] lstrcmpiW (lpString1="yWMOkaR-bKkYa7.mp3", lpString2="sophos") returned 1 [0106.372] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e340 [0106.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.373] PathFindExtensionW (pszPath="yWMOkaR-bKkYa7.mp3") returned=".mp3" [0106.373] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0106.373] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0106.373] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0106.373] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0106.373] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0106.373] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0106.373] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0106.373] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0106.373] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0106.373] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0106.373] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0106.373] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6dc70260, ftCreationTime.dwHighDateTime=0x1d5e7ea, ftLastAccessTime.dwLowDateTime=0x24ca66f0, ftLastAccessTime.dwHighDateTime=0x1d5f097, ftLastWriteTime.dwLowDateTime=0x24ca66f0, ftLastWriteTime.dwHighDateTime=0x1d5f097, nFileSizeHigh=0x0, nFileSizeLow=0x14840, dwReserved0=0x26804b8, dwReserved1=0x78, cFileName="ZfjXRhmL4lKRiw.m4a", cAlternateFileName="ZFJXRH~1.M4A")) returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2=".") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="..") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="...") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="windows") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="$RECYCLE.BIN") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="rsa") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="NTDETECT.COM") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="ntldr") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="MSDOS.SYS") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="IO.SYS") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="boot.ini") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="ntuser.dat") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="desktop.ini") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="CONFIG.SYS") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="RECYCLER") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="BOOTSECT.BAK") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="bootmgr") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="programdata") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="appdata") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="program files") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="program files (x86)") returned 1 [0106.373] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="microsoft") returned 1 [0106.374] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="sophos") returned 1 [0106.374] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0106.374] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0106.374] PathFindExtensionW (pszPath="ZfjXRhmL4lKRiw.m4a") returned=".m4a" [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0106.374] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0106.374] lstrcmpiW (lpString1="ZfjXRhmL4lKRiw.m4a", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.374] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e340 [0106.374] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\ZfjXRhmL4lKRiw.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\zfjxrhml4lkriw.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0106.374] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=84032) returned 1 [0106.374] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.374] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0106.374] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.374] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0106.374] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0106.374] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0106.375] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25be478*=0x100) returned 1 [0106.376] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25be474*=0x100) returned 1 [0106.377] GetTickCount () returned 0x115bbab [0106.377] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0106.378] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0106.378] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x14840, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.378] SetLastError (dwErrCode=0x0) [0106.378] WriteFile (in: hFile=0x274, lpBuffer=0x29d0dd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d0dd8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.378] GetLastError () returned 0x0 [0106.378] GetLastError () returned 0x0 [0106.378] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x14940, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.378] WriteFile (in: hFile=0x274, lpBuffer=0x29d1d50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d1d50*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0106.379] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x14a40, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.379] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3a649350, dwHighDateTime=0x1d5f971)) [0106.379] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be08 [0106.379] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0106.379] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0106.444] GetProcessHeap () returned 0xbc0000 [0106.444] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x14840) returned 0xbf3640 [0106.444] GetSystemDefaultLangID () returned 0xbd0409 [0106.444] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.444] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x14840, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x14840, lpOverlapped=0x0) returned 1 [0106.449] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.449] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x14840, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x14840, lpOverlapped=0x0) returned 1 [0106.450] GetProcessHeap () returned 0xbc0000 [0106.450] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0106.450] CloseHandle (hObject=0x274) returned 1 [0106.450] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0dd8 | out: hHeap=0x2680000) returned 1 [0106.450] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1d50 | out: hHeap=0x2680000) returned 1 [0106.450] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.450] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0f0 | out: hHeap=0x2680000) returned 1 [0106.450] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0106.450] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\ZfjXRhmL4lKRiw.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\zfjxrhml4lkriw.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\UWkQi\\vksE\\ZfjXRhmL4lKRiw.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\uwkqi\\vkse\\zfjxrhml4lkriw.m4a.nefilim")) returned 1 [0106.451] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0106.451] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0106.451] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6dc70260, ftCreationTime.dwHighDateTime=0x1d5e7ea, ftLastAccessTime.dwLowDateTime=0x24ca66f0, ftLastAccessTime.dwHighDateTime=0x1d5f097, ftLastWriteTime.dwLowDateTime=0x24ca66f0, ftLastWriteTime.dwHighDateTime=0x1d5f097, nFileSizeHigh=0x0, nFileSizeLow=0x14840, dwReserved0=0x26804b8, dwReserved1=0x78, cFileName="ZfjXRhmL4lKRiw.m4a", cAlternateFileName="ZFJXRH~1.M4A")) returned 0 [0106.451] FindClose (in: hFindFile=0xbe24c8 | out: hFindFile=0xbe24c8) returned 1 [0106.451] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.451] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.451] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0106.451] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xbd0bc590, ftCreationTime.dwHighDateTime=0x1d5ea56, ftLastAccessTime.dwLowDateTime=0x57131f10, ftLastAccessTime.dwHighDateTime=0x1d5ebd5, ftLastWriteTime.dwLowDateTime=0x57131f10, ftLastWriteTime.dwHighDateTime=0x1d5ebd5, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26804b8, dwReserved1=0x0, cFileName="vksE", cAlternateFileName="")) returned 0 [0106.451] FindClose (in: hFindFile=0xbe2588 | out: hFindFile=0xbe2588) returned 1 [0106.451] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.451] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0106.451] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0106.451] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ed8c1a0, ftCreationTime.dwHighDateTime=0x1d5e0d9, ftLastAccessTime.dwLowDateTime=0xcd87ffd0, ftLastAccessTime.dwHighDateTime=0x1d5ed01, ftLastWriteTime.dwLowDateTime=0xcd87ffd0, ftLastWriteTime.dwHighDateTime=0x1d5ed01, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="uyjpA9To2EHiH", cAlternateFileName="UYJPA9~1")) returned 1 [0106.451] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2=".") returned 1 [0106.451] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="..") returned 1 [0106.451] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="...") returned 1 [0106.451] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="windows") returned -1 [0106.451] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="$RECYCLE.BIN") returned 1 [0106.451] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="rsa") returned 1 [0106.451] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="NTDETECT.COM") returned 1 [0106.451] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="ntldr") returned 1 [0106.451] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="MSDOS.SYS") returned 1 [0106.451] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="IO.SYS") returned 1 [0106.451] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="boot.ini") returned 1 [0106.451] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="AUTOEXEC.BAT") returned 1 [0106.451] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="ntuser.dat") returned 1 [0106.452] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="desktop.ini") returned 1 [0106.452] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="CONFIG.SYS") returned 1 [0106.452] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="RECYCLER") returned 1 [0106.452] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="BOOTSECT.BAK") returned 1 [0106.452] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="bootmgr") returned 1 [0106.452] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="programdata") returned 1 [0106.452] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="appdata") returned 1 [0106.452] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="program files") returned 1 [0106.452] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="program files (x86)") returned 1 [0106.452] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="microsoft") returned 1 [0106.452] lstrcmpiW (lpString1="uyjpA9To2EHiH", lpString2="sophos") returned 1 [0106.452] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681278 [0106.452] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0106.452] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0106.452] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0106.452] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0106.452] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Music\\uyjpA9To2EHiH\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ed8c1a0, ftCreationTime.dwHighDateTime=0x1d5e0d9, ftLastAccessTime.dwLowDateTime=0xcd87ffd0, ftLastAccessTime.dwHighDateTime=0x1d5ed01, ftLastWriteTime.dwLowDateTime=0xcd87ffd0, ftLastWriteTime.dwHighDateTime=0x1d5ed01, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26804b8, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2708 [0106.452] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.452] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2ed8c1a0, ftCreationTime.dwHighDateTime=0x1d5e0d9, ftLastAccessTime.dwLowDateTime=0xcd87ffd0, ftLastAccessTime.dwHighDateTime=0x1d5ed01, ftLastWriteTime.dwLowDateTime=0xcd87ffd0, ftLastWriteTime.dwHighDateTime=0x1d5ed01, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x26804b8, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0106.452] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.452] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.453] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3943dd80, ftCreationTime.dwHighDateTime=0x1d5eec3, ftLastAccessTime.dwLowDateTime=0xc9556320, ftLastAccessTime.dwHighDateTime=0x1d5eb13, ftLastWriteTime.dwLowDateTime=0xc9556320, ftLastWriteTime.dwHighDateTime=0x1d5eb13, nFileSizeHigh=0x0, nFileSizeLow=0x4e7e, dwReserved0=0x26804b8, dwReserved1=0x0, cFileName="cChQFzM.mp3", cAlternateFileName="")) returned 1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2=".") returned 1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="..") returned 1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="...") returned 1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="windows") returned -1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="$RECYCLE.BIN") returned 1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="rsa") returned -1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="NTDETECT.COM") returned -1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="ntldr") returned -1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="MSDOS.SYS") returned -1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="IO.SYS") returned -1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="boot.ini") returned 1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="ntuser.dat") returned -1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="desktop.ini") returned -1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="CONFIG.SYS") returned -1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="RECYCLER") returned -1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="BOOTSECT.BAK") returned 1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="bootmgr") returned 1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="programdata") returned -1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="appdata") returned 1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="program files") returned -1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="program files (x86)") returned -1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="microsoft") returned -1 [0106.453] lstrcmpiW (lpString1="cChQFzM.mp3", lpString2="sophos") returned -1 [0106.453] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e340 [0106.453] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.454] PathFindExtensionW (pszPath="cChQFzM.mp3") returned=".mp3" [0106.454] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0106.454] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0106.454] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0106.454] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0106.454] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0106.454] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0106.454] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0106.454] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0106.454] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0106.454] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0106.454] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0106.454] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf231a430, ftCreationTime.dwHighDateTime=0x1d5e61c, ftLastAccessTime.dwLowDateTime=0x299bcd00, ftLastAccessTime.dwHighDateTime=0x1d5e321, ftLastWriteTime.dwLowDateTime=0x299bcd00, ftLastWriteTime.dwHighDateTime=0x1d5e321, nFileSizeHigh=0x0, nFileSizeLow=0x13b4d, dwReserved0=0x26804b8, dwReserved1=0x0, cFileName="wT26lE-E.m4a", cAlternateFileName="")) returned 1 [0106.454] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2=".") returned 1 [0106.454] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="..") returned 1 [0106.454] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="...") returned 1 [0106.454] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="windows") returned 1 [0106.454] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="$RECYCLE.BIN") returned 1 [0106.454] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="rsa") returned 1 [0106.454] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="NTDETECT.COM") returned 1 [0106.454] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="ntldr") returned 1 [0106.454] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="MSDOS.SYS") returned 1 [0106.454] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="IO.SYS") returned 1 [0106.454] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="boot.ini") returned 1 [0106.454] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="AUTOEXEC.BAT") returned 1 [0106.454] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="ntuser.dat") returned 1 [0106.455] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="desktop.ini") returned 1 [0106.455] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="CONFIG.SYS") returned 1 [0106.455] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="RECYCLER") returned 1 [0106.455] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="BOOTSECT.BAK") returned 1 [0106.455] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="bootmgr") returned 1 [0106.455] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="programdata") returned 1 [0106.455] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="appdata") returned 1 [0106.455] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="program files") returned 1 [0106.455] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="program files (x86)") returned 1 [0106.455] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="microsoft") returned 1 [0106.455] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="sophos") returned 1 [0106.455] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0106.455] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0106.455] PathFindExtensionW (pszPath="wT26lE-E.m4a") returned=".m4a" [0106.455] lstrcmpiW (lpString1=".m4a", lpString2=".exe") returned 1 [0106.455] lstrcmpiW (lpString1=".m4a", lpString2=".log") returned 1 [0106.455] lstrcmpiW (lpString1=".m4a", lpString2=".cab") returned 1 [0106.455] lstrcmpiW (lpString1=".m4a", lpString2=".cmd") returned 1 [0106.455] lstrcmpiW (lpString1=".m4a", lpString2=".com") returned 1 [0106.455] lstrcmpiW (lpString1=".m4a", lpString2=".cpl") returned 1 [0106.455] lstrcmpiW (lpString1=".m4a", lpString2=".ini") returned 1 [0106.455] lstrcmpiW (lpString1=".m4a", lpString2=".dll") returned 1 [0106.455] lstrcmpiW (lpString1=".m4a", lpString2=".url") returned -1 [0106.455] lstrcmpiW (lpString1=".m4a", lpString2=".ttf") returned -1 [0106.455] lstrcmpiW (lpString1=".m4a", lpString2=".mp3") returned -1 [0106.455] lstrcmpiW (lpString1=".m4a", lpString2=".pif") returned -1 [0106.455] lstrcmpiW (lpString1=".m4a", lpString2=".mp4") returned -1 [0106.455] lstrcmpiW (lpString1=".m4a", lpString2=".NEFILIM") returned -1 [0106.455] lstrcmpiW (lpString1=".m4a", lpString2=".msi") returned -1 [0106.456] lstrcmpiW (lpString1=".m4a", lpString2=".lnk") returned 1 [0106.456] lstrcmpiW (lpString1="wT26lE-E.m4a", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.456] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0106.456] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Music\\uyjpA9To2EHiH\\wT26lE-E.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uyjpa9to2ehih\\wt26le-e.m4a"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0106.456] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=80717) returned 1 [0106.456] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.456] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0106.456] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.456] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0106.456] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0106.456] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0106.456] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25be798*=0x100) returned 1 [0106.458] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25be794*=0x100) returned 1 [0106.460] GetTickCount () returned 0x115bc09 [0106.460] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e420 [0106.460] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e420 | out: hHeap=0x2680000) returned 1 [0106.460] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x13b4d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.460] SetLastError (dwErrCode=0x0) [0106.460] WriteFile (in: hFile=0x270, lpBuffer=0x29d0598*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d0598*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.462] GetLastError () returned 0x0 [0106.462] GetLastError () returned 0x0 [0106.462] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x13c4d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.462] WriteFile (in: hFile=0x270, lpBuffer=0x29d1618*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1618*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.462] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x13d4d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.462] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3a72e1b2, dwHighDateTime=0x1d5f971)) [0106.462] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0106.462] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0106.462] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0106.462] GetProcessHeap () returned 0xbc0000 [0106.462] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x13b4d) returned 0xbf2638 [0106.462] GetSystemDefaultLangID () returned 0xbd0409 [0106.462] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.462] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x13b4d, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x13b4d, lpOverlapped=0x0) returned 1 [0106.469] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.469] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x13b4d, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x13b4d, lpOverlapped=0x0) returned 1 [0106.469] GetProcessHeap () returned 0xbc0000 [0106.469] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0106.469] CloseHandle (hObject=0x270) returned 1 [0106.469] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d0598 | out: hHeap=0x2680000) returned 1 [0106.469] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1618 | out: hHeap=0x2680000) returned 1 [0106.469] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e0c0 | out: hHeap=0x2680000) returned 1 [0106.469] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e1c8 | out: hHeap=0x2680000) returned 1 [0106.469] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0106.470] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Music\\uyjpA9To2EHiH\\wT26lE-E.m4a" (normalized: "c:\\users\\fd1hvy\\music\\uyjpa9to2ehih\\wt26le-e.m4a"), lpNewFileName="C:\\Users\\FD1HVy\\Music\\uyjpA9To2EHiH\\wT26lE-E.m4a.NEFILIM" (normalized: "c:\\users\\fd1hvy\\music\\uyjpa9to2ehih\\wt26le-e.m4a.nefilim")) returned 1 [0106.470] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.470] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0106.470] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf231a430, ftCreationTime.dwHighDateTime=0x1d5e61c, ftLastAccessTime.dwLowDateTime=0x299bcd00, ftLastAccessTime.dwHighDateTime=0x1d5e321, ftLastWriteTime.dwLowDateTime=0x299bcd00, ftLastWriteTime.dwHighDateTime=0x1d5e321, nFileSizeHigh=0x0, nFileSizeLow=0x13b4d, dwReserved0=0x26804b8, dwReserved1=0x0, cFileName="wT26lE-E.m4a", cAlternateFileName="")) returned 0 [0106.470] FindClose (in: hFindFile=0xbe2708 | out: hFindFile=0xbe2708) returned 1 [0106.471] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.471] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0106.471] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.471] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb0e590, ftCreationTime.dwHighDateTime=0x1d5f113, ftLastAccessTime.dwLowDateTime=0x186ec150, ftLastAccessTime.dwHighDateTime=0x1d5e28f, ftLastWriteTime.dwLowDateTime=0x186ec150, ftLastWriteTime.dwHighDateTime=0x1d5e28f, nFileSizeHigh=0x0, nFileSizeLow=0x4f36, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="YzMrx.mp3", cAlternateFileName="")) returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2=".") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="..") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="...") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="windows") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="$RECYCLE.BIN") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="rsa") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="NTDETECT.COM") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="ntldr") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="MSDOS.SYS") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="IO.SYS") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="boot.ini") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="AUTOEXEC.BAT") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="ntuser.dat") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="desktop.ini") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="CONFIG.SYS") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="RECYCLER") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="BOOTSECT.BAK") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="bootmgr") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="programdata") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="appdata") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="program files") returned 1 [0106.471] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="program files (x86)") returned 1 [0106.472] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="microsoft") returned 1 [0106.472] lstrcmpiW (lpString1="YzMrx.mp3", lpString2="sophos") returned 1 [0106.472] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0106.472] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0106.472] PathFindExtensionW (pszPath="YzMrx.mp3") returned=".mp3" [0106.472] lstrcmpiW (lpString1=".mp3", lpString2=".exe") returned 1 [0106.472] lstrcmpiW (lpString1=".mp3", lpString2=".log") returned 1 [0106.472] lstrcmpiW (lpString1=".mp3", lpString2=".cab") returned 1 [0106.472] lstrcmpiW (lpString1=".mp3", lpString2=".cmd") returned 1 [0106.472] lstrcmpiW (lpString1=".mp3", lpString2=".com") returned 1 [0106.472] lstrcmpiW (lpString1=".mp3", lpString2=".cpl") returned 1 [0106.472] lstrcmpiW (lpString1=".mp3", lpString2=".ini") returned 1 [0106.472] lstrcmpiW (lpString1=".mp3", lpString2=".dll") returned 1 [0106.472] lstrcmpiW (lpString1=".mp3", lpString2=".url") returned -1 [0106.472] lstrcmpiW (lpString1=".mp3", lpString2=".ttf") returned -1 [0106.472] lstrcmpiW (lpString1=".mp3", lpString2=".mp3") returned 0 [0106.472] FindNextFileW (in: hFindFile=0xbe27c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb0e590, ftCreationTime.dwHighDateTime=0x1d5f113, ftLastAccessTime.dwLowDateTime=0x186ec150, ftLastAccessTime.dwHighDateTime=0x1d5e28f, ftLastWriteTime.dwLowDateTime=0x186ec150, ftLastWriteTime.dwHighDateTime=0x1d5e28f, nFileSizeHigh=0x0, nFileSizeLow=0x4f36, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="YzMrx.mp3", cAlternateFileName="")) returned 0 [0106.472] FindClose (in: hFindFile=0xbe27c8 | out: hFindFile=0xbe27c8) returned 1 [0106.472] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0106.472] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0106.472] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0106.472] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="My Documents", cAlternateFileName="MYDOCU~1")) returned 1 [0106.472] lstrcmpiW (lpString1="My Documents", lpString2=".") returned 1 [0106.472] lstrcmpiW (lpString1="My Documents", lpString2="..") returned 1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="...") returned 1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="windows") returned -1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="$RECYCLE.BIN") returned 1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="rsa") returned -1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="NTDETECT.COM") returned -1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="ntldr") returned -1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="MSDOS.SYS") returned 1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="IO.SYS") returned 1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="boot.ini") returned 1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="AUTOEXEC.BAT") returned 1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="ntuser.dat") returned -1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="desktop.ini") returned 1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="CONFIG.SYS") returned 1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="RECYCLER") returned -1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="BOOTSECT.BAK") returned 1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="bootmgr") returned 1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="programdata") returned -1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="appdata") returned 1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="program files") returned -1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="program files (x86)") returned -1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="microsoft") returned 1 [0106.496] lstrcmpiW (lpString1="My Documents", lpString2="sophos") returned -1 [0106.496] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0106.496] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e618 | out: hHeap=0x2680000) returned 1 [0106.496] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0106.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0106.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0106.497] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\My Documents\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb0e590, ftCreationTime.dwHighDateTime=0x1e00001e, ftLastAccessTime.dwLowDateTime=0x186ec150, ftLastAccessTime.dwHighDateTime=0x1d5e28f, ftLastWriteTime.dwLowDateTime=0x186ec150, ftLastWriteTime.dwHighDateTime=0x1d5e28f, nFileSizeHigh=0x2680000, nFileSizeLow=0x14000014, dwReserved0=0xa0000003, dwReserved1=0x22000022, cFileName="", cAlternateFileName="ɛ⊺Ċቸɨᒸɨ:")) returned 0xffffffff [0106.497] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.497] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0106.497] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0106.497] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NetHood", cAlternateFileName="")) returned 1 [0106.497] lstrcmpiW (lpString1="NetHood", lpString2=".") returned 1 [0106.497] lstrcmpiW (lpString1="NetHood", lpString2="..") returned 1 [0106.497] lstrcmpiW (lpString1="NetHood", lpString2="...") returned 1 [0106.497] lstrcmpiW (lpString1="NetHood", lpString2="windows") returned -1 [0106.497] lstrcmpiW (lpString1="NetHood", lpString2="$RECYCLE.BIN") returned 1 [0106.497] lstrcmpiW (lpString1="NetHood", lpString2="rsa") returned -1 [0106.497] lstrcmpiW (lpString1="NetHood", lpString2="NTDETECT.COM") returned -1 [0106.497] lstrcmpiW (lpString1="NetHood", lpString2="ntldr") returned -1 [0106.497] lstrcmpiW (lpString1="NetHood", lpString2="MSDOS.SYS") returned 1 [0106.497] lstrcmpiW (lpString1="NetHood", lpString2="IO.SYS") returned 1 [0106.497] lstrcmpiW (lpString1="NetHood", lpString2="boot.ini") returned 1 [0106.497] lstrcmpiW (lpString1="NetHood", lpString2="AUTOEXEC.BAT") returned 1 [0106.497] lstrcmpiW (lpString1="NetHood", lpString2="ntuser.dat") returned -1 [0106.498] lstrcmpiW (lpString1="NetHood", lpString2="desktop.ini") returned 1 [0106.498] lstrcmpiW (lpString1="NetHood", lpString2="CONFIG.SYS") returned 1 [0106.498] lstrcmpiW (lpString1="NetHood", lpString2="RECYCLER") returned -1 [0106.498] lstrcmpiW (lpString1="NetHood", lpString2="BOOTSECT.BAK") returned 1 [0106.498] lstrcmpiW (lpString1="NetHood", lpString2="bootmgr") returned 1 [0106.498] lstrcmpiW (lpString1="NetHood", lpString2="programdata") returned -1 [0106.498] lstrcmpiW (lpString1="NetHood", lpString2="appdata") returned 1 [0106.498] lstrcmpiW (lpString1="NetHood", lpString2="program files") returned -1 [0106.498] lstrcmpiW (lpString1="NetHood", lpString2="program files (x86)") returned -1 [0106.498] lstrcmpiW (lpString1="NetHood", lpString2="microsoft") returned 1 [0106.498] lstrcmpiW (lpString1="NetHood", lpString2="sophos") returned -1 [0106.498] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0106.498] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x46) returned 0x2681278 [0106.498] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0106.498] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0106.498] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0106.498] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c8 [0106.498] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0106.498] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\NetHood\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcb0e590, ftCreationTime.dwHighDateTime=0x2000002, ftLastAccessTime.dwLowDateTime=0x186ec150, ftLastAccessTime.dwHighDateTime=0xa00000a, ftLastWriteTime.dwLowDateTime=0x186ec150, ftLastWriteTime.dwHighDateTime=0x1d5e28f, nFileSizeHigh=0x2680000, nFileSizeLow=0x14000014, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="", cAlternateFileName="ɛ⊺Ċᒸɨቸɨ0")) returned 0xffffffff [0106.498] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.498] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c8 | out: hHeap=0x2680000) returned 1 [0106.498] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0106.498] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x6c4d382c, ftLastAccessTime.dwHighDateTime=0x1d5e877, ftLastWriteTime.dwLowDateTime=0x6c4d382c, ftLastWriteTime.dwHighDateTime=0x1d5e877, nFileSizeHigh=0x0, nFileSizeLow=0x300000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT", cAlternateFileName="")) returned 1 [0106.499] lstrcmpiW (lpString1="NTUSER.DAT", lpString2=".") returned 1 [0106.499] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="..") returned 1 [0106.499] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="...") returned 1 [0106.499] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="windows") returned -1 [0106.499] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="$RECYCLE.BIN") returned 1 [0106.499] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="rsa") returned -1 [0106.499] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="NTDETECT.COM") returned 1 [0106.499] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntldr") returned 1 [0106.499] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="MSDOS.SYS") returned 1 [0106.499] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="IO.SYS") returned 1 [0106.499] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="boot.ini") returned 1 [0106.499] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="AUTOEXEC.BAT") returned 1 [0106.499] lstrcmpiW (lpString1="NTUSER.DAT", lpString2="ntuser.dat") returned 0 [0106.499] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0xa9000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG1", cAlternateFileName="NTUSER~1.LOG")) returned 1 [0106.499] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2=".") returned 1 [0106.499] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="..") returned 1 [0106.499] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="...") returned 1 [0106.499] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="windows") returned -1 [0106.499] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="$RECYCLE.BIN") returned 1 [0106.499] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="rsa") returned -1 [0106.499] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="NTDETECT.COM") returned 1 [0106.499] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="ntldr") returned 1 [0106.499] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="MSDOS.SYS") returned 1 [0106.499] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="IO.SYS") returned 1 [0106.499] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="boot.ini") returned 1 [0106.499] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="AUTOEXEC.BAT") returned 1 [0106.499] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="ntuser.dat") returned 1 [0106.500] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="desktop.ini") returned 1 [0106.500] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="CONFIG.SYS") returned 1 [0106.500] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="RECYCLER") returned -1 [0106.500] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="BOOTSECT.BAK") returned 1 [0106.500] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="bootmgr") returned 1 [0106.500] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="programdata") returned -1 [0106.500] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="appdata") returned 1 [0106.500] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="program files") returned -1 [0106.500] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="program files (x86)") returned -1 [0106.500] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="microsoft") returned 1 [0106.500] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="sophos") returned -1 [0106.500] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0106.500] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0106.500] PathFindExtensionW (pszPath="ntuser.dat.LOG1") returned=".LOG1" [0106.500] lstrcmpiW (lpString1=".LOG1", lpString2=".exe") returned 1 [0106.500] lstrcmpiW (lpString1=".LOG1", lpString2=".log") returned 1 [0106.500] lstrcmpiW (lpString1=".LOG1", lpString2=".cab") returned 1 [0106.500] lstrcmpiW (lpString1=".LOG1", lpString2=".cmd") returned 1 [0106.500] lstrcmpiW (lpString1=".LOG1", lpString2=".com") returned 1 [0106.500] lstrcmpiW (lpString1=".LOG1", lpString2=".cpl") returned 1 [0106.500] lstrcmpiW (lpString1=".LOG1", lpString2=".ini") returned 1 [0106.500] lstrcmpiW (lpString1=".LOG1", lpString2=".dll") returned 1 [0106.500] lstrcmpiW (lpString1=".LOG1", lpString2=".url") returned -1 [0106.500] lstrcmpiW (lpString1=".LOG1", lpString2=".ttf") returned -1 [0106.500] lstrcmpiW (lpString1=".LOG1", lpString2=".mp3") returned -1 [0106.500] lstrcmpiW (lpString1=".LOG1", lpString2=".pif") returned -1 [0106.500] lstrcmpiW (lpString1=".LOG1", lpString2=".mp4") returned -1 [0106.501] lstrcmpiW (lpString1=".LOG1", lpString2=".NEFILIM") returned -1 [0106.501] lstrcmpiW (lpString1=".LOG1", lpString2=".msi") returned -1 [0106.501] lstrcmpiW (lpString1=".LOG1", lpString2=".lnk") returned 1 [0106.501] lstrcmpiW (lpString1="ntuser.dat.LOG1", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0106.501] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\ntuser.dat.LOG1" (normalized: "c:\\users\\fd1hvy\\ntuser.dat.log1"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0106.501] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0106.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e150 [0106.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0c0 [0106.501] SystemFunction036 (in: RandomBuffer=0x268e150, RandomBufferLength=0x10 | out: RandomBuffer=0x268e150) returned 1 [0106.501] SystemFunction036 (in: RandomBuffer=0x268e0c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0c0) returned 1 [0106.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1d50 [0106.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0598 [0106.502] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1d50*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1d50*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0106.502] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0598*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0598*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0106.556] GetTickCount () returned 0x115bc67 [0106.556] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0106.556] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0106.556] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0106.556] SetLastError (dwErrCode=0x0) [0106.556] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d1d50, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0106.557] GetLastError () returned 0x6 [0106.557] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0106.557] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x21204700, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.dat.LOG2", cAlternateFileName="NTUSER~2.LOG")) returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2=".") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="..") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="...") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="windows") returned -1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="$RECYCLE.BIN") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="rsa") returned -1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="NTDETECT.COM") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="ntldr") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="MSDOS.SYS") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="IO.SYS") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="boot.ini") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="AUTOEXEC.BAT") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="ntuser.dat") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="desktop.ini") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="CONFIG.SYS") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="RECYCLER") returned -1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="BOOTSECT.BAK") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="bootmgr") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="programdata") returned -1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="appdata") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="program files") returned -1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="program files (x86)") returned -1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="microsoft") returned 1 [0106.557] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="sophos") returned -1 [0106.558] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0106.558] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0106.558] PathFindExtensionW (pszPath="ntuser.dat.LOG2") returned=".LOG2" [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".exe") returned 1 [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".log") returned 1 [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".cab") returned 1 [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".cmd") returned 1 [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".com") returned 1 [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".cpl") returned 1 [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".ini") returned 1 [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".dll") returned 1 [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".url") returned -1 [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".ttf") returned -1 [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".mp3") returned -1 [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".pif") returned -1 [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".mp4") returned -1 [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".NEFILIM") returned -1 [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".msi") returned -1 [0106.558] lstrcmpiW (lpString1=".LOG2", lpString2=".lnk") returned 1 [0106.558] lstrcmpiW (lpString1="ntuser.dat.LOG2", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.558] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0106.558] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\ntuser.dat.LOG2" (normalized: "c:\\users\\fd1hvy\\ntuser.dat.log2"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0106.559] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0106.559] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0f0 [0106.559] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e0d8 [0106.559] SystemFunction036 (in: RandomBuffer=0x268e0f0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0f0) returned 1 [0106.559] SystemFunction036 (in: RandomBuffer=0x268e0d8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e0d8) returned 1 [0106.559] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0178 [0106.559] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ac0 [0106.559] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0178*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0178*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0106.561] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ac0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ac0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0106.563] GetTickCount () returned 0x115bc67 [0106.563] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e7a0 [0106.563] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e7a0 | out: hHeap=0x2680000) returned 1 [0106.563] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0106.563] SetLastError (dwErrCode=0x0) [0106.563] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d0178, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0106.564] GetLastError () returned 0x6 [0106.564] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0106.564] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x21204700, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x21204700, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", cAlternateFileName="NTUSER~1.BLF")) returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2=".") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="..") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="...") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="windows") returned -1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="$RECYCLE.BIN") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="rsa") returned -1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="NTDETECT.COM") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="ntldr") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="MSDOS.SYS") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="IO.SYS") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="boot.ini") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="AUTOEXEC.BAT") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="ntuser.dat") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="desktop.ini") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="CONFIG.SYS") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="RECYCLER") returned -1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="BOOTSECT.BAK") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="bootmgr") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="programdata") returned -1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="appdata") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="program files") returned -1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="program files (x86)") returned -1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="microsoft") returned 1 [0106.564] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="sophos") returned -1 [0106.565] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x26804b8 [0106.565] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0106.565] PathFindExtensionW (pszPath="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf") returned=".blf" [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".exe") returned -1 [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".log") returned -1 [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".cab") returned -1 [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".cmd") returned -1 [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".com") returned -1 [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".cpl") returned -1 [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".ini") returned -1 [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".dll") returned -1 [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".url") returned -1 [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".ttf") returned -1 [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".mp3") returned -1 [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".pif") returned -1 [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".mp4") returned -1 [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".NEFILIM") returned -1 [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".msi") returned -1 [0106.565] lstrcmpiW (lpString1=".blf", lpString2=".lnk") returned -1 [0106.565] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.565] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x2681278 [0106.565] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TM.blf" (normalized: "c:\\users\\fd1hvy\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tm.blf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0106.566] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0106.566] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e168 [0106.566] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e1c8 [0106.566] SystemFunction036 (in: RandomBuffer=0x268e168, RandomBufferLength=0x10 | out: RandomBuffer=0x268e168) returned 1 [0106.566] SystemFunction036 (in: RandomBuffer=0x268e1c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e1c8) returned 1 [0106.566] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0dd8 [0106.566] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0ee0 [0106.566] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0dd8*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0dd8*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0106.568] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0ee0*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d0ee0*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0106.570] GetTickCount () returned 0x115bc76 [0106.570] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e618 [0106.570] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e618 | out: hHeap=0x2680000) returned 1 [0106.570] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0106.571] SetLastError (dwErrCode=0x0) [0106.571] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d0dd8, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0106.571] GetLastError () returned 0x6 [0106.571] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0106.571] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="NTUSER~1.REG")) returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2=".") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="..") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="...") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="windows") returned -1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="rsa") returned -1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntldr") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="IO.SYS") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="boot.ini") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="ntuser.dat") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="desktop.ini") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="RECYCLER") returned -1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="bootmgr") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="programdata") returned -1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="appdata") returned 1 [0106.571] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files") returned -1 [0106.572] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="program files (x86)") returned -1 [0106.572] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="microsoft") returned 1 [0106.572] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="sophos") returned -1 [0106.572] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xe0) returned 0x268e2e8 [0106.572] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.572] PathFindExtensionW (pszPath="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms") returned=".regtrans-ms" [0106.572] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x268e3d0 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEFILIM") returned 1 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0106.572] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0106.572] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.572] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xe0) returned 0x26804b8 [0106.572] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000001.regtrans-ms" (normalized: "c:\\users\\fd1hvy\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000001.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0106.573] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0106.573] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e210 [0106.573] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2a0 [0106.573] SystemFunction036 (in: RandomBuffer=0x268e210, RandomBufferLength=0x10 | out: RandomBuffer=0x268e210) returned 1 [0106.573] SystemFunction036 (in: RandomBuffer=0x268e2a0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2a0) returned 1 [0106.573] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d0388 [0106.573] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1b40 [0106.573] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d0388*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d0388*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0106.575] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1b40*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1b40*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0106.577] GetTickCount () returned 0x115bc76 [0106.577] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0106.577] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0106.577] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0106.577] SetLastError (dwErrCode=0x0) [0106.577] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d0388, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0106.577] GetLastError () returned 0x6 [0106.578] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.578] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3d0 | out: hHeap=0x2680000) returned 1 [0106.578] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x2122a949, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x2122a949, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4edc6408, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="NTUSER~2.REG")) returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2=".") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="..") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="...") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="windows") returned -1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="$RECYCLE.BIN") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="rsa") returned -1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="NTDETECT.COM") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntldr") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="MSDOS.SYS") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="IO.SYS") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="boot.ini") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="AUTOEXEC.BAT") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="ntuser.dat") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="desktop.ini") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="CONFIG.SYS") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="RECYCLER") returned -1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="BOOTSECT.BAK") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="bootmgr") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="programdata") returned -1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="appdata") returned 1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files") returned -1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="program files (x86)") returned -1 [0106.578] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="microsoft") returned 1 [0106.579] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="sophos") returned -1 [0106.579] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xe0) returned 0x26804b8 [0106.579] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.579] PathFindExtensionW (pszPath="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms") returned=".regtrans-ms" [0106.579] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26814b8 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".exe") returned 1 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".log") returned 1 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cab") returned 1 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cmd") returned 1 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".com") returned 1 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".cpl") returned 1 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ini") returned 1 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".dll") returned 1 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".url") returned -1 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".ttf") returned -1 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp3") returned 1 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".pif") returned 1 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".mp4") returned 1 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".NEFILIM") returned 1 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".msi") returned 1 [0106.579] lstrcmpiW (lpString1=".regtrans-ms", lpString2=".lnk") returned 1 [0106.579] lstrcmpiW (lpString1="NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.579] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xe0) returned 0x268e2e8 [0106.579] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\NTUSER.DAT{fae9930d-933c-11e7-a51d-b808901d6c9b}.TMContainer00000000000000000002.regtrans-ms" (normalized: "c:\\users\\fd1hvy\\ntuser.dat{fae9930d-933c-11e7-a51d-b808901d6c9b}.tmcontainer00000000000000000002.regtrans-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0106.580] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=75031468087965748) returned 0 [0106.580] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e240 [0106.580] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2b8 [0106.580] SystemFunction036 (in: RandomBuffer=0x268e240, RandomBufferLength=0x10 | out: RandomBuffer=0x268e240) returned 1 [0106.580] SystemFunction036 (in: RandomBuffer=0x268e2b8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2b8) returned 1 [0106.580] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1408 [0106.580] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1618 [0106.580] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1408*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1408*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0106.582] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1618*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d1618*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0106.584] GetTickCount () returned 0x115bc86 [0106.584] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0106.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0106.584] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0106.584] SetLastError (dwErrCode=0x0) [0106.584] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d1408, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0) returned 0 [0106.584] GetLastError () returned 0x6 [0106.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0106.584] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xc1adea7d, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xc1adea7d, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xc1adea7d, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x14, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="ntuser.ini", cAlternateFileName="")) returned 1 [0106.584] lstrcmpiW (lpString1="ntuser.ini", lpString2=".") returned 1 [0106.584] lstrcmpiW (lpString1="ntuser.ini", lpString2="..") returned 1 [0106.584] lstrcmpiW (lpString1="ntuser.ini", lpString2="...") returned 1 [0106.584] lstrcmpiW (lpString1="ntuser.ini", lpString2="windows") returned -1 [0106.584] lstrcmpiW (lpString1="ntuser.ini", lpString2="$RECYCLE.BIN") returned 1 [0106.584] lstrcmpiW (lpString1="ntuser.ini", lpString2="rsa") returned -1 [0106.584] lstrcmpiW (lpString1="ntuser.ini", lpString2="NTDETECT.COM") returned 1 [0106.584] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntldr") returned 1 [0106.584] lstrcmpiW (lpString1="ntuser.ini", lpString2="MSDOS.SYS") returned 1 [0106.584] lstrcmpiW (lpString1="ntuser.ini", lpString2="IO.SYS") returned 1 [0106.584] lstrcmpiW (lpString1="ntuser.ini", lpString2="boot.ini") returned 1 [0106.584] lstrcmpiW (lpString1="ntuser.ini", lpString2="AUTOEXEC.BAT") returned 1 [0106.584] lstrcmpiW (lpString1="ntuser.ini", lpString2="ntuser.dat") returned 1 [0106.585] lstrcmpiW (lpString1="ntuser.ini", lpString2="desktop.ini") returned 1 [0106.585] lstrcmpiW (lpString1="ntuser.ini", lpString2="CONFIG.SYS") returned 1 [0106.585] lstrcmpiW (lpString1="ntuser.ini", lpString2="RECYCLER") returned -1 [0106.585] lstrcmpiW (lpString1="ntuser.ini", lpString2="BOOTSECT.BAK") returned 1 [0106.585] lstrcmpiW (lpString1="ntuser.ini", lpString2="bootmgr") returned 1 [0106.585] lstrcmpiW (lpString1="ntuser.ini", lpString2="programdata") returned -1 [0106.585] lstrcmpiW (lpString1="ntuser.ini", lpString2="appdata") returned 1 [0106.585] lstrcmpiW (lpString1="ntuser.ini", lpString2="program files") returned -1 [0106.585] lstrcmpiW (lpString1="ntuser.ini", lpString2="program files (x86)") returned -1 [0106.585] lstrcmpiW (lpString1="ntuser.ini", lpString2="microsoft") returned 1 [0106.585] lstrcmpiW (lpString1="ntuser.ini", lpString2="sophos") returned -1 [0106.585] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0106.585] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.585] PathFindExtensionW (pszPath="ntuser.ini") returned=".ini" [0106.585] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0106.585] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0106.585] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0106.585] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0106.585] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0106.585] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0106.585] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0106.585] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0106.585] lstrcmpiW (lpString1="OneDrive", lpString2=".") returned 1 [0106.585] lstrcmpiW (lpString1="OneDrive", lpString2="..") returned 1 [0106.585] lstrcmpiW (lpString1="OneDrive", lpString2="...") returned 1 [0106.585] lstrcmpiW (lpString1="OneDrive", lpString2="windows") returned -1 [0106.585] lstrcmpiW (lpString1="OneDrive", lpString2="$RECYCLE.BIN") returned 1 [0106.585] lstrcmpiW (lpString1="OneDrive", lpString2="rsa") returned -1 [0106.585] lstrcmpiW (lpString1="OneDrive", lpString2="NTDETECT.COM") returned 1 [0106.585] lstrcmpiW (lpString1="OneDrive", lpString2="ntldr") returned 1 [0106.585] lstrcmpiW (lpString1="OneDrive", lpString2="MSDOS.SYS") returned 1 [0106.585] lstrcmpiW (lpString1="OneDrive", lpString2="IO.SYS") returned 1 [0106.585] lstrcmpiW (lpString1="OneDrive", lpString2="boot.ini") returned 1 [0106.585] lstrcmpiW (lpString1="OneDrive", lpString2="AUTOEXEC.BAT") returned 1 [0106.585] lstrcmpiW (lpString1="OneDrive", lpString2="ntuser.dat") returned 1 [0106.585] lstrcmpiW (lpString1="OneDrive", lpString2="desktop.ini") returned 1 [0106.585] lstrcmpiW (lpString1="OneDrive", lpString2="CONFIG.SYS") returned 1 [0106.586] lstrcmpiW (lpString1="OneDrive", lpString2="RECYCLER") returned -1 [0106.586] lstrcmpiW (lpString1="OneDrive", lpString2="BOOTSECT.BAK") returned 1 [0106.586] lstrcmpiW (lpString1="OneDrive", lpString2="bootmgr") returned 1 [0106.586] lstrcmpiW (lpString1="OneDrive", lpString2="programdata") returned -1 [0106.586] lstrcmpiW (lpString1="OneDrive", lpString2="appdata") returned 1 [0106.586] lstrcmpiW (lpString1="OneDrive", lpString2="program files") returned -1 [0106.586] lstrcmpiW (lpString1="OneDrive", lpString2="program files (x86)") returned -1 [0106.586] lstrcmpiW (lpString1="OneDrive", lpString2="microsoft") returned 1 [0106.586] lstrcmpiW (lpString1="OneDrive", lpString2="sophos") returned -1 [0106.586] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0106.586] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0106.586] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0106.586] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0106.586] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0106.586] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\OneDrive\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName=".", cAlternateFileName="")) returned 0xbe2708 [0106.586] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.586] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd4516574, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x94022772, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="..", cAlternateFileName="")) returned 1 [0106.586] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.586] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.586] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0106.586] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0106.586] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0106.586] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0106.586] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0106.586] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0106.586] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0106.586] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0106.586] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0106.587] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0106.587] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0106.587] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0106.587] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0106.587] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0106.587] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0106.587] FindNextFileW (in: hFindFile=0xbe2708, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x3f0f0bc5, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x3f0f0bc5, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x93ef127a, ftLastWriteTime.dwHighDateTime=0x1d39f5d, nFileSizeHigh=0x0, nFileSizeLow=0x61, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0106.587] FindClose (in: hFindFile=0xbe2708 | out: hFindFile=0xbe2708) returned 1 [0106.587] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.587] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0106.587] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0106.587] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe58e5e5e, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe58e5e5e, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="...") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="$RECYCLE.BIN") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="rsa") returned -1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="NTDETECT.COM") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="ntldr") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="MSDOS.SYS") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="IO.SYS") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="boot.ini") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="ntuser.dat") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="desktop.ini") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="CONFIG.SYS") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="RECYCLER") returned -1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="BOOTSECT.BAK") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="bootmgr") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="programdata") returned -1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="appdata") returned 1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="program files") returned -1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="program files (x86)") returned -1 [0106.587] lstrcmpiW (lpString1="Pictures", lpString2="microsoft") returned 1 [0106.588] lstrcmpiW (lpString1="Pictures", lpString2="sophos") returned -1 [0106.588] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0106.588] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0106.588] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0106.588] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0106.588] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0106.588] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe58e5e5e, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe58e5e5e, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName=".", cAlternateFileName="")) returned 0xbe2348 [0106.588] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.588] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe58e5e5e, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe58e5e5e, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="..", cAlternateFileName="")) returned 1 [0106.588] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.588] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.588] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26b59cb0, ftCreationTime.dwHighDateTime=0x1d5e484, ftLastAccessTime.dwLowDateTime=0x46d60560, ftLastAccessTime.dwHighDateTime=0x1d5e895, ftLastWriteTime.dwLowDateTime=0x46d60560, ftLastWriteTime.dwHighDateTime=0x1d5e895, nFileSizeHigh=0x0, nFileSizeLow=0x11d4, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="-UJEybw9kfeMGz.bmp", cAlternateFileName="-UJEYB~1.BMP")) returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2=".") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="..") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="...") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="windows") returned -1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="$RECYCLE.BIN") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="rsa") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="NTDETECT.COM") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="ntldr") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="MSDOS.SYS") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="IO.SYS") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="boot.ini") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="ntuser.dat") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="desktop.ini") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="CONFIG.SYS") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="RECYCLER") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="BOOTSECT.BAK") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="bootmgr") returned 1 [0106.588] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="programdata") returned 1 [0106.589] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="appdata") returned 1 [0106.589] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="program files") returned 1 [0106.589] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="program files (x86)") returned 1 [0106.589] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="microsoft") returned 1 [0106.589] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="sophos") returned 1 [0106.589] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680500 [0106.589] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.589] PathFindExtensionW (pszPath="-UJEybw9kfeMGz.bmp") returned=".bmp" [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0106.589] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0106.589] lstrcmpiW (lpString1="-UJEybw9kfeMGz.bmp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0106.589] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0106.589] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\-UJEybw9kfeMGz.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\-ujeybw9kfemgz.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0106.589] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=4564) returned 1 [0106.590] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e258 [0106.590] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0106.590] SystemFunction036 (in: RandomBuffer=0x268e258, RandomBufferLength=0x10 | out: RandomBuffer=0x268e258) returned 1 [0106.590] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0106.590] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0106.590] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2bd0 [0106.590] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x100) returned 1 [0106.592] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2bd0*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d2bd0*, pdwDataLen=0x25beab4*=0x100) returned 1 [0106.592] GetTickCount () returned 0x115bc86 [0106.592] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0106.592] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0106.592] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x11d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.592] SetLastError (dwErrCode=0x0) [0106.592] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0106.593] GetLastError () returned 0x0 [0106.593] GetLastError () returned 0x0 [0106.593] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x12d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.593] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2bd0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0106.593] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x13d4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.593] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3a85f471, dwHighDateTime=0x1d5f971)) [0106.593] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0106.593] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.593] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0106.593] GetProcessHeap () returned 0xbc0000 [0106.593] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11d4) returned 0xbf1630 [0106.593] GetSystemDefaultLangID () returned 0xbd0409 [0106.593] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.593] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x11d4, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x11d4, lpOverlapped=0x0) returned 1 [0106.594] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.594] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x11d4, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x11d4, lpOverlapped=0x0) returned 1 [0106.594] GetProcessHeap () returned 0xbc0000 [0106.594] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0106.594] CloseHandle (hObject=0x26c) returned 1 [0106.594] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0106.594] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2bd0 | out: hHeap=0x2680000) returned 1 [0106.594] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e258 | out: hHeap=0x2680000) returned 1 [0106.594] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0106.594] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0106.594] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\-UJEybw9kfeMGz.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\-ujeybw9kfemgz.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\-UJEybw9kfeMGz.bmp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\-ujeybw9kfemgz.bmp.nefilim")) returned 1 [0106.595] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0106.595] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.595] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe2933d40, ftCreationTime.dwHighDateTime=0x1d5ef9a, ftLastAccessTime.dwLowDateTime=0x7a0e0b30, ftLastAccessTime.dwHighDateTime=0x1d5f0e7, ftLastWriteTime.dwLowDateTime=0x7a0e0b30, ftLastWriteTime.dwHighDateTime=0x1d5f0e7, nFileSizeHigh=0x0, nFileSizeLow=0x16e7c, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="4E 8C-o7B9gj2MRDYU9K.gif", cAlternateFileName="4E8C-O~1.GIF")) returned 1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2=".") returned 1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="..") returned 1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="...") returned 1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="windows") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="$RECYCLE.BIN") returned 1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="rsa") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="NTDETECT.COM") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="ntldr") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="MSDOS.SYS") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="IO.SYS") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="boot.ini") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="AUTOEXEC.BAT") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="ntuser.dat") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="desktop.ini") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="CONFIG.SYS") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="RECYCLER") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="BOOTSECT.BAK") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="bootmgr") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="programdata") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="appdata") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="program files") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="program files (x86)") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="microsoft") returned -1 [0106.595] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="sophos") returned -1 [0106.595] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0106.595] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0106.596] PathFindExtensionW (pszPath="4E 8C-o7B9gj2MRDYU9K.gif") returned=".gif" [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0106.596] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0106.596] lstrcmpiW (lpString1="4E 8C-o7B9gj2MRDYU9K.gif", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.596] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e360 [0106.596] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\4E 8C-o7B9gj2MRDYU9K.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\4e 8c-o7b9gj2mrdyu9k.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0106.596] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=93820) returned 1 [0106.596] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e270 [0106.596] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0106.596] SystemFunction036 (in: RandomBuffer=0x268e270, RandomBufferLength=0x10 | out: RandomBuffer=0x268e270) returned 1 [0106.596] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0106.596] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0106.596] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3620 [0106.596] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x100) returned 1 [0106.728] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3620*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3620*, pdwDataLen=0x25beab4*=0x100) returned 1 [0106.729] GetTickCount () returned 0x115bd13 [0106.730] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0106.730] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0106.730] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16e7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.730] SetLastError (dwErrCode=0x0) [0106.730] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0106.731] GetLastError () returned 0x0 [0106.731] GetLastError () returned 0x0 [0106.731] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16f7c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.731] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3620*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0106.731] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1707c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.731] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3a9b6af6, dwHighDateTime=0x1d5f971)) [0106.731] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0106.731] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.731] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0106.731] GetProcessHeap () returned 0xbc0000 [0106.731] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x16e7c) returned 0xbf1630 [0106.731] GetSystemDefaultLangID () returned 0xbd0409 [0106.731] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.731] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x16e7c, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x16e7c, lpOverlapped=0x0) returned 1 [0106.737] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.737] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x16e7c, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x16e7c, lpOverlapped=0x0) returned 1 [0106.737] GetProcessHeap () returned 0xbc0000 [0106.737] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0106.737] CloseHandle (hObject=0x26c) returned 1 [0106.737] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0106.737] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3620 | out: hHeap=0x2680000) returned 1 [0106.737] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e270 | out: hHeap=0x2680000) returned 1 [0106.737] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0106.737] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0106.737] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\4E 8C-o7B9gj2MRDYU9K.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\4e 8c-o7b9gj2mrdyu9k.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\4E 8C-o7B9gj2MRDYU9K.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\4e 8c-o7b9gj2mrdyu9k.gif.nefilim")) returned 1 [0106.738] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.738] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0106.738] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6841abe0, ftCreationTime.dwHighDateTime=0x1d5e418, ftLastAccessTime.dwLowDateTime=0xc2de1510, ftLastAccessTime.dwHighDateTime=0x1d5e74d, ftLastWriteTime.dwLowDateTime=0xc2de1510, ftLastWriteTime.dwHighDateTime=0x1d5e74d, nFileSizeHigh=0x0, nFileSizeLow=0x5480, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="Ack7QXkwxTxO3o-dj-UX.gif", cAlternateFileName="ACK7QX~1.GIF")) returned 1 [0106.738] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2=".") returned 1 [0106.738] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="..") returned 1 [0106.738] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="...") returned 1 [0106.738] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="windows") returned -1 [0106.827] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="$RECYCLE.BIN") returned 1 [0106.827] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="rsa") returned -1 [0106.827] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="NTDETECT.COM") returned -1 [0106.827] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="ntldr") returned -1 [0106.827] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="MSDOS.SYS") returned -1 [0106.827] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="IO.SYS") returned -1 [0106.827] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="boot.ini") returned -1 [0106.827] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="AUTOEXEC.BAT") returned -1 [0106.827] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="ntuser.dat") returned -1 [0106.827] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="desktop.ini") returned -1 [0106.827] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="CONFIG.SYS") returned -1 [0106.827] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="RECYCLER") returned -1 [0106.827] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="BOOTSECT.BAK") returned -1 [0106.828] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="bootmgr") returned -1 [0106.828] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="programdata") returned -1 [0106.828] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="appdata") returned -1 [0106.828] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="program files") returned -1 [0106.828] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="program files (x86)") returned -1 [0106.828] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="microsoft") returned -1 [0106.828] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="sophos") returned -1 [0106.828] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e360 [0106.828] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.828] PathFindExtensionW (pszPath="Ack7QXkwxTxO3o-dj-UX.gif") returned=".gif" [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0106.828] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0106.828] lstrcmpiW (lpString1="Ack7QXkwxTxO3o-dj-UX.gif", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.828] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0106.828] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\Ack7QXkwxTxO3o-dj-UX.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\ack7qxkwxtxo3o-dj-ux.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0106.829] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=21632) returned 1 [0106.829] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e258 [0106.829] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0106.829] SystemFunction036 (in: RandomBuffer=0x268e258, RandomBufferLength=0x10 | out: RandomBuffer=0x268e258) returned 1 [0106.829] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0106.829] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0106.829] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d28b8 [0106.829] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x100) returned 1 [0106.829] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d28b8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d28b8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0106.829] GetTickCount () returned 0x115bd70 [0106.829] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0106.829] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0106.829] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5480, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.829] SetLastError (dwErrCode=0x0) [0106.829] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0106.830] GetLastError () returned 0x0 [0106.830] GetLastError () returned 0x0 [0106.830] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5580, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.830] WriteFile (in: hFile=0x26c, lpBuffer=0x29d28b8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d28b8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0106.830] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5680, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.831] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3aa9b5be, dwHighDateTime=0x1d5f971)) [0106.831] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0106.831] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.831] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0106.831] GetProcessHeap () returned 0xbc0000 [0106.831] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x5480) returned 0xbf1630 [0106.831] GetSystemDefaultLangID () returned 0xbd0409 [0106.831] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.831] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x5480, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x5480, lpOverlapped=0x0) returned 1 [0106.832] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.832] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x5480, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x5480, lpOverlapped=0x0) returned 1 [0106.832] GetProcessHeap () returned 0xbc0000 [0106.832] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0106.833] CloseHandle (hObject=0x26c) returned 1 [0106.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0106.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d28b8 | out: hHeap=0x2680000) returned 1 [0106.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e258 | out: hHeap=0x2680000) returned 1 [0106.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0106.833] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0106.833] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\Ack7QXkwxTxO3o-dj-UX.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\ack7qxkwxtxo3o-dj-ux.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\Ack7QXkwxTxO3o-dj-UX.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\ack7qxkwxtxo3o-dj-ux.gif.nefilim")) returned 1 [0106.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.833] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="Camera Roll", cAlternateFileName="CAMERA~1")) returned 1 [0106.833] lstrcmpiW (lpString1="Camera Roll", lpString2=".") returned 1 [0106.833] lstrcmpiW (lpString1="Camera Roll", lpString2="..") returned 1 [0106.833] lstrcmpiW (lpString1="Camera Roll", lpString2="...") returned 1 [0106.833] lstrcmpiW (lpString1="Camera Roll", lpString2="windows") returned -1 [0106.833] lstrcmpiW (lpString1="Camera Roll", lpString2="$RECYCLE.BIN") returned 1 [0106.833] lstrcmpiW (lpString1="Camera Roll", lpString2="rsa") returned -1 [0106.833] lstrcmpiW (lpString1="Camera Roll", lpString2="NTDETECT.COM") returned -1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="ntldr") returned -1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="MSDOS.SYS") returned -1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="IO.SYS") returned -1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="boot.ini") returned 1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="AUTOEXEC.BAT") returned 1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="ntuser.dat") returned -1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="desktop.ini") returned -1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="CONFIG.SYS") returned -1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="RECYCLER") returned -1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="BOOTSECT.BAK") returned 1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="bootmgr") returned 1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="programdata") returned -1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="appdata") returned 1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="program files") returned -1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="program files (x86)") returned -1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="microsoft") returned -1 [0106.834] lstrcmpiW (lpString1="Camera Roll", lpString2="sophos") returned -1 [0106.834] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0106.834] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0106.834] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0106.834] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e398 [0106.834] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0106.834] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Camera Roll\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x3000000, cFileName=".", cAlternateFileName="")) returned 0xbe2908 [0106.836] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.836] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4543, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x3000000, cFileName="..", cAlternateFileName="")) returned 1 [0106.836] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.836] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.836] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51278b1d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x268e2e8, dwReserved1=0x3000000, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0106.836] FindNextFileW (in: hFindFile=0xbe2908, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51278b1d, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51278b1d, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51278b1d, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x268e2e8, dwReserved1=0x3000000, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0106.836] FindClose (in: hFindFile=0xbe2908 | out: hFindFile=0xbe2908) returned 1 [0106.836] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.836] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0106.836] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0106.836] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44053085, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44053085, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce2f1526, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0106.836] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0106.837] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0106.837] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0106.837] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0106.837] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0106.837] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0106.837] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0106.837] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0106.837] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0106.837] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7bcae760, ftCreationTime.dwHighDateTime=0x1d5e668, ftLastAccessTime.dwLowDateTime=0x64808cb0, ftLastAccessTime.dwHighDateTime=0x1d5e28d, ftLastWriteTime.dwLowDateTime=0x64808cb0, ftLastWriteTime.dwHighDateTime=0x1d5e28d, nFileSizeHigh=0x0, nFileSizeLow=0xcab9, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="iRhGD9Kr.png", cAlternateFileName="")) returned 1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2=".") returned 1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="..") returned 1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="...") returned 1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="windows") returned -1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="$RECYCLE.BIN") returned 1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="rsa") returned -1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="NTDETECT.COM") returned -1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="ntldr") returned -1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="MSDOS.SYS") returned -1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="IO.SYS") returned 1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="boot.ini") returned 1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="AUTOEXEC.BAT") returned 1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="ntuser.dat") returned -1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="desktop.ini") returned 1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="CONFIG.SYS") returned 1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="RECYCLER") returned -1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="BOOTSECT.BAK") returned 1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="bootmgr") returned 1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="programdata") returned -1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="appdata") returned 1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="program files") returned -1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="program files (x86)") returned -1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="microsoft") returned -1 [0106.837] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="sophos") returned -1 [0106.837] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0106.837] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.837] PathFindExtensionW (pszPath="iRhGD9Kr.png") returned=".png" [0106.838] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0106.838] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0106.838] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0106.838] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0106.838] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0106.838] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0106.838] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0106.838] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0106.838] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0106.838] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0106.838] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0106.838] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0106.838] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0106.838] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0106.838] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0106.838] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0106.838] lstrcmpiW (lpString1="iRhGD9Kr.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.838] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0106.838] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\iRhGD9Kr.png" (normalized: "c:\\users\\fd1hvy\\pictures\\irhgd9kr.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0106.838] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=51897) returned 1 [0106.838] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0106.838] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0106.838] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0106.838] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0106.838] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0106.838] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2180 [0106.838] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x100) returned 1 [0106.839] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2180*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d2180*, pdwDataLen=0x25beab4*=0x100) returned 1 [0106.839] GetTickCount () returned 0x115bd80 [0106.839] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0106.839] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0106.839] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xcab9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.839] SetLastError (dwErrCode=0x0) [0106.839] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0106.840] GetLastError () returned 0x0 [0106.840] GetLastError () returned 0x0 [0106.840] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xcbb9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.840] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2180*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2180*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0106.840] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xccb9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.840] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3aac1b6f, dwHighDateTime=0x1d5f971)) [0106.840] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e398 [0106.840] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0106.840] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0106.840] GetProcessHeap () returned 0xbc0000 [0106.840] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xcab9) returned 0xbf1630 [0106.840] GetSystemDefaultLangID () returned 0xbd0409 [0106.840] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.840] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xcab9, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xcab9, lpOverlapped=0x0) returned 1 [0106.843] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.843] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xcab9, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xcab9, lpOverlapped=0x0) returned 1 [0106.843] GetProcessHeap () returned 0xbc0000 [0106.843] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0106.844] CloseHandle (hObject=0x26c) returned 1 [0106.845] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0106.845] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2180 | out: hHeap=0x2680000) returned 1 [0106.845] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0106.845] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0106.845] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0106.845] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\iRhGD9Kr.png" (normalized: "c:\\users\\fd1hvy\\pictures\\irhgd9kr.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\iRhGD9Kr.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\irhgd9kr.png.nefilim")) returned 1 [0106.845] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.845] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0106.845] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdde98790, ftCreationTime.dwHighDateTime=0x1d5e7d4, ftLastAccessTime.dwLowDateTime=0x3615f5a0, ftLastAccessTime.dwHighDateTime=0x1d5e15b, ftLastWriteTime.dwLowDateTime=0x3615f5a0, ftLastWriteTime.dwHighDateTime=0x1d5e15b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="NuVIUAELS", cAlternateFileName="NUVIUA~1")) returned 1 [0106.845] lstrcmpiW (lpString1="NuVIUAELS", lpString2=".") returned 1 [0106.845] lstrcmpiW (lpString1="NuVIUAELS", lpString2="..") returned 1 [0106.845] lstrcmpiW (lpString1="NuVIUAELS", lpString2="...") returned 1 [0106.845] lstrcmpiW (lpString1="NuVIUAELS", lpString2="windows") returned -1 [0106.845] lstrcmpiW (lpString1="NuVIUAELS", lpString2="$RECYCLE.BIN") returned 1 [0106.845] lstrcmpiW (lpString1="NuVIUAELS", lpString2="rsa") returned -1 [0106.845] lstrcmpiW (lpString1="NuVIUAELS", lpString2="NTDETECT.COM") returned 1 [0106.845] lstrcmpiW (lpString1="NuVIUAELS", lpString2="ntldr") returned 1 [0106.845] lstrcmpiW (lpString1="NuVIUAELS", lpString2="MSDOS.SYS") returned 1 [0106.845] lstrcmpiW (lpString1="NuVIUAELS", lpString2="IO.SYS") returned 1 [0106.845] lstrcmpiW (lpString1="NuVIUAELS", lpString2="boot.ini") returned 1 [0106.845] lstrcmpiW (lpString1="NuVIUAELS", lpString2="AUTOEXEC.BAT") returned 1 [0106.846] lstrcmpiW (lpString1="NuVIUAELS", lpString2="ntuser.dat") returned 1 [0106.846] lstrcmpiW (lpString1="NuVIUAELS", lpString2="desktop.ini") returned 1 [0106.846] lstrcmpiW (lpString1="NuVIUAELS", lpString2="CONFIG.SYS") returned 1 [0106.846] lstrcmpiW (lpString1="NuVIUAELS", lpString2="RECYCLER") returned -1 [0106.846] lstrcmpiW (lpString1="NuVIUAELS", lpString2="BOOTSECT.BAK") returned 1 [0106.846] lstrcmpiW (lpString1="NuVIUAELS", lpString2="bootmgr") returned 1 [0106.846] lstrcmpiW (lpString1="NuVIUAELS", lpString2="programdata") returned -1 [0106.846] lstrcmpiW (lpString1="NuVIUAELS", lpString2="appdata") returned 1 [0106.846] lstrcmpiW (lpString1="NuVIUAELS", lpString2="program files") returned -1 [0106.846] lstrcmpiW (lpString1="NuVIUAELS", lpString2="program files (x86)") returned -1 [0106.846] lstrcmpiW (lpString1="NuVIUAELS", lpString2="microsoft") returned 1 [0106.846] lstrcmpiW (lpString1="NuVIUAELS", lpString2="sophos") returned -1 [0106.846] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0106.846] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0106.846] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0106.846] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e398 [0106.846] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0106.846] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdde98790, ftCreationTime.dwHighDateTime=0x1d5e7d4, ftLastAccessTime.dwLowDateTime=0x3615f5a0, ftLastAccessTime.dwHighDateTime=0x1d5e15b, ftLastWriteTime.dwLowDateTime=0x3615f5a0, ftLastWriteTime.dwHighDateTime=0x1d5e15b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0106.846] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0106.846] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xdde98790, ftCreationTime.dwHighDateTime=0x1d5e7d4, ftLastAccessTime.dwLowDateTime=0x3615f5a0, ftLastAccessTime.dwHighDateTime=0x1d5e15b, ftLastWriteTime.dwLowDateTime=0x3615f5a0, ftLastWriteTime.dwHighDateTime=0x1d5e15b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="..", cAlternateFileName="")) returned 1 [0106.847] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0106.847] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0106.847] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x223a4730, ftCreationTime.dwHighDateTime=0x1d5e939, ftLastAccessTime.dwLowDateTime=0x25d11a30, ftLastAccessTime.dwHighDateTime=0x1d5f0e7, ftLastWriteTime.dwLowDateTime=0x25d11a30, ftLastWriteTime.dwHighDateTime=0x1d5f0e7, nFileSizeHigh=0x0, nFileSizeLow=0x4fdc, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="0U6yC_LK_GV6c5.png", cAlternateFileName="0U6YC_~1.PNG")) returned 1 [0106.847] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2=".") returned 1 [0106.848] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="..") returned 1 [0106.848] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="...") returned 1 [0106.850] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="windows") returned -1 [0106.850] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="$RECYCLE.BIN") returned 1 [0106.850] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="rsa") returned -1 [0106.850] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="NTDETECT.COM") returned -1 [0106.850] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="ntldr") returned -1 [0106.850] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="MSDOS.SYS") returned -1 [0106.850] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="IO.SYS") returned -1 [0106.850] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="boot.ini") returned -1 [0106.850] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="AUTOEXEC.BAT") returned -1 [0106.851] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="ntuser.dat") returned -1 [0106.851] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="desktop.ini") returned -1 [0106.851] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="CONFIG.SYS") returned -1 [0106.851] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="RECYCLER") returned -1 [0106.851] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="BOOTSECT.BAK") returned -1 [0106.851] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="bootmgr") returned -1 [0106.851] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="programdata") returned -1 [0106.851] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="appdata") returned -1 [0106.851] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="program files") returned -1 [0106.851] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="program files (x86)") returned -1 [0106.851] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="microsoft") returned -1 [0106.851] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="sophos") returned -1 [0106.851] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680510 [0106.851] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.851] PathFindExtensionW (pszPath="0U6yC_LK_GV6c5.png") returned=".png" [0106.851] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0106.851] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0106.851] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0106.851] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0106.851] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0106.851] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0106.851] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0106.851] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0106.851] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0106.851] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0106.851] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0106.851] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0106.851] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0106.851] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0106.851] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0106.851] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0106.851] lstrcmpiW (lpString1="0U6yC_LK_GV6c5.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.851] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0106.851] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\0U6yC_LK_GV6c5.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\0u6yc_lk_gv6c5.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0106.852] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=20444) returned 1 [0106.852] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0106.852] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0106.852] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0106.852] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0106.852] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0106.852] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3200 [0106.852] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0106.852] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3200*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3200*, pdwDataLen=0x25be794*=0x100) returned 1 [0106.853] GetTickCount () returned 0x115bd90 [0106.853] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e420 [0106.853] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e420 | out: hHeap=0x2680000) returned 1 [0106.853] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4fdc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.853] SetLastError (dwErrCode=0x0) [0106.853] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.854] GetLastError () returned 0x0 [0106.854] GetLastError () returned 0x0 [0106.854] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x50dc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.854] WriteFile (in: hFile=0x270, lpBuffer=0x29d3200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3200*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.854] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x51dc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.854] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3aae7f66, dwHighDateTime=0x1d5f971)) [0106.854] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0106.854] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.854] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0106.854] GetProcessHeap () returned 0xbc0000 [0106.854] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x4fdc) returned 0xbf2638 [0106.854] GetSystemDefaultLangID () returned 0xbd0409 [0106.854] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.854] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x4fdc, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x4fdc, lpOverlapped=0x0) returned 1 [0106.855] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.855] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x4fdc, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x4fdc, lpOverlapped=0x0) returned 1 [0106.855] GetProcessHeap () returned 0xbc0000 [0106.855] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0106.855] CloseHandle (hObject=0x270) returned 1 [0106.856] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0106.856] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3200 | out: hHeap=0x2680000) returned 1 [0106.856] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0106.856] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0106.856] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0106.856] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\0U6yC_LK_GV6c5.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\0u6yc_lk_gv6c5.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\0U6yC_LK_GV6c5.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\0u6yc_lk_gv6c5.png.nefilim")) returned 1 [0106.856] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0106.856] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.856] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe5736210, ftCreationTime.dwHighDateTime=0x1d5e3ce, ftLastAccessTime.dwLowDateTime=0x5c381830, ftLastAccessTime.dwHighDateTime=0x1d5e606, ftLastWriteTime.dwLowDateTime=0x5c381830, ftLastWriteTime.dwHighDateTime=0x1d5e606, nFileSizeHigh=0x0, nFileSizeLow=0x67ae, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="aExTQt50QpZ.jpg", cAlternateFileName="AEXTQT~1.JPG")) returned 1 [0106.856] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2=".") returned 1 [0106.856] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="..") returned 1 [0106.856] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="...") returned 1 [0106.856] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="windows") returned -1 [0106.856] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="$RECYCLE.BIN") returned 1 [0106.856] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="rsa") returned -1 [0106.856] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="NTDETECT.COM") returned -1 [0106.856] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="ntldr") returned -1 [0106.856] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="MSDOS.SYS") returned -1 [0106.856] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="IO.SYS") returned -1 [0106.856] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="boot.ini") returned -1 [0106.856] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="AUTOEXEC.BAT") returned -1 [0106.857] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="ntuser.dat") returned -1 [0106.857] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="desktop.ini") returned -1 [0106.857] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="CONFIG.SYS") returned -1 [0106.857] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="RECYCLER") returned -1 [0106.857] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="BOOTSECT.BAK") returned -1 [0106.857] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="bootmgr") returned -1 [0106.857] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="programdata") returned -1 [0106.857] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="appdata") returned -1 [0106.857] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="program files") returned -1 [0106.857] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="program files (x86)") returned -1 [0106.857] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="microsoft") returned -1 [0106.857] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="sophos") returned -1 [0106.857] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0106.857] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0106.857] PathFindExtensionW (pszPath="aExTQt50QpZ.jpg") returned=".jpg" [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0106.857] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0106.857] lstrcmpiW (lpString1="aExTQt50QpZ.jpg", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.857] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0106.857] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\aExTQt50QpZ.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\aextqt50qpz.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0106.858] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=26542) returned 1 [0106.858] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0106.858] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0106.858] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0106.858] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0106.858] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0106.858] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2390 [0106.858] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0106.858] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2390*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2390*, pdwDataLen=0x25be794*=0x100) returned 1 [0106.858] GetTickCount () returned 0x115bd90 [0106.858] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e618 [0106.858] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e618 | out: hHeap=0x2680000) returned 1 [0106.858] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x67ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.858] SetLastError (dwErrCode=0x0) [0106.858] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.859] GetLastError () returned 0x0 [0106.859] GetLastError () returned 0x0 [0106.859] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x68ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.859] WriteFile (in: hFile=0x270, lpBuffer=0x29d2390*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2390*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.859] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x69ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.859] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3aae7f66, dwHighDateTime=0x1d5f971)) [0106.859] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0106.859] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0106.859] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0106.860] GetProcessHeap () returned 0xbc0000 [0106.860] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x67ae) returned 0xbf2638 [0106.860] GetSystemDefaultLangID () returned 0xbd0409 [0106.860] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.860] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x67ae, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x67ae, lpOverlapped=0x0) returned 1 [0106.861] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.861] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x67ae, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x67ae, lpOverlapped=0x0) returned 1 [0106.861] GetProcessHeap () returned 0xbc0000 [0106.861] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0106.862] CloseHandle (hObject=0x270) returned 1 [0106.862] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0106.862] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2390 | out: hHeap=0x2680000) returned 1 [0106.862] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0106.862] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0106.863] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0106.863] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\aExTQt50QpZ.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\aextqt50qpz.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\aExTQt50QpZ.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\aextqt50qpz.jpg.nefilim")) returned 1 [0106.863] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.863] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0106.863] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2e65f240, ftCreationTime.dwHighDateTime=0x1d5eb03, ftLastAccessTime.dwLowDateTime=0x82192f50, ftLastAccessTime.dwHighDateTime=0x1d5eb4f, ftLastWriteTime.dwLowDateTime=0x82192f50, ftLastWriteTime.dwHighDateTime=0x1d5eb4f, nFileSizeHigh=0x0, nFileSizeLow=0x11260, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="an00CHXD.gif", cAlternateFileName="")) returned 1 [0106.863] lstrcmpiW (lpString1="an00CHXD.gif", lpString2=".") returned 1 [0106.863] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="..") returned 1 [0106.863] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="...") returned 1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="windows") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="$RECYCLE.BIN") returned 1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="rsa") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="NTDETECT.COM") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="ntldr") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="MSDOS.SYS") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="IO.SYS") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="boot.ini") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="AUTOEXEC.BAT") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="ntuser.dat") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="desktop.ini") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="CONFIG.SYS") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="RECYCLER") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="BOOTSECT.BAK") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="bootmgr") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="programdata") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="appdata") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="program files") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="program files (x86)") returned -1 [0106.912] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="microsoft") returned -1 [0106.913] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="sophos") returned -1 [0106.913] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268be08 [0106.913] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.913] PathFindExtensionW (pszPath="an00CHXD.gif") returned=".gif" [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0106.913] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0106.913] lstrcmpiW (lpString1="an00CHXD.gif", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.913] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268be70 [0106.913] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\an00CHXD.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\an00chxd.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0106.913] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=70240) returned 1 [0106.913] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0106.913] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e258 [0106.913] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0106.913] SystemFunction036 (in: RandomBuffer=0x268e258, RandomBufferLength=0x10 | out: RandomBuffer=0x268e258) returned 1 [0106.914] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0106.914] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3410 [0106.914] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0106.916] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3410*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3410*, pdwDataLen=0x25be794*=0x100) returned 1 [0106.918] GetTickCount () returned 0x115bdce [0106.918] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0106.918] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0106.918] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x11260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.918] SetLastError (dwErrCode=0x0) [0106.918] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.919] GetLastError () returned 0x0 [0106.919] GetLastError () returned 0x0 [0106.919] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x11360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.919] WriteFile (in: hFile=0x270, lpBuffer=0x29d3410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3410*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.919] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x11460, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.919] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3ab806b8, dwHighDateTime=0x1d5f971)) [0106.919] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0106.919] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.919] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0106.919] GetProcessHeap () returned 0xbc0000 [0106.919] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11260) returned 0xbf2638 [0106.919] GetSystemDefaultLangID () returned 0xbd0409 [0106.919] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.919] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x11260, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x11260, lpOverlapped=0x0) returned 1 [0106.923] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.923] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x11260, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x11260, lpOverlapped=0x0) returned 1 [0106.923] GetProcessHeap () returned 0xbc0000 [0106.923] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0106.923] CloseHandle (hObject=0x270) returned 1 [0106.923] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0106.923] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3410 | out: hHeap=0x2680000) returned 1 [0106.924] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0106.924] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e258 | out: hHeap=0x2680000) returned 1 [0106.924] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0106.924] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\an00CHXD.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\an00chxd.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\an00CHXD.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\an00chxd.gif.nefilim")) returned 1 [0106.924] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.924] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be70 | out: hHeap=0x2680000) returned 1 [0106.924] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25862840, ftCreationTime.dwHighDateTime=0x1d5e322, ftLastAccessTime.dwLowDateTime=0xc6f7ef90, ftLastAccessTime.dwHighDateTime=0x1d5e31a, ftLastWriteTime.dwLowDateTime=0xc6f7ef90, ftLastWriteTime.dwHighDateTime=0x1d5e31a, nFileSizeHigh=0x0, nFileSizeLow=0x7463, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="CcJHbYdfkY.png", cAlternateFileName="CCJHBY~1.PNG")) returned 1 [0106.924] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2=".") returned 1 [0106.924] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="..") returned 1 [0106.924] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="...") returned 1 [0106.924] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="windows") returned -1 [0106.924] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="$RECYCLE.BIN") returned 1 [0106.924] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="rsa") returned -1 [0106.924] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="NTDETECT.COM") returned -1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="ntldr") returned -1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="MSDOS.SYS") returned -1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="IO.SYS") returned -1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="boot.ini") returned 1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="AUTOEXEC.BAT") returned 1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="ntuser.dat") returned -1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="desktop.ini") returned -1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="CONFIG.SYS") returned -1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="RECYCLER") returned -1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="BOOTSECT.BAK") returned 1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="bootmgr") returned 1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="programdata") returned -1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="appdata") returned 1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="program files") returned -1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="program files (x86)") returned -1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="microsoft") returned -1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="sophos") returned -1 [0106.925] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0106.925] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0106.925] PathFindExtensionW (pszPath="CcJHbYdfkY.png") returned=".png" [0106.925] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0106.925] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0106.925] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0106.925] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0106.925] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0106.925] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0106.925] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0106.925] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0106.925] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0106.925] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0106.925] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0106.925] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0106.925] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0106.925] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0106.925] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0106.925] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0106.925] lstrcmpiW (lpString1="CcJHbYdfkY.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.925] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0106.926] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\CcJHbYdfkY.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\ccjhbydfky.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0106.926] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=29795) returned 1 [0106.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0106.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0106.926] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0106.926] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0106.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0106.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3410 [0106.926] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0106.926] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3410*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3410*, pdwDataLen=0x25be794*=0x100) returned 1 [0106.926] GetTickCount () returned 0x115bdde [0106.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e420 [0106.926] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e420 | out: hHeap=0x2680000) returned 1 [0106.927] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7463, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.927] SetLastError (dwErrCode=0x0) [0106.927] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.927] GetLastError () returned 0x0 [0106.927] GetLastError () returned 0x0 [0106.927] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7563, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.927] WriteFile (in: hFile=0x270, lpBuffer=0x29d3410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3410*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.928] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7663, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.928] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3aba69b6, dwHighDateTime=0x1d5f971)) [0106.928] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0106.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0106.928] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0106.928] GetProcessHeap () returned 0xbc0000 [0106.928] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x7463) returned 0xbf2638 [0106.928] GetSystemDefaultLangID () returned 0xbd0409 [0106.928] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.928] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x7463, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x7463, lpOverlapped=0x0) returned 1 [0106.929] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.929] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x7463, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x7463, lpOverlapped=0x0) returned 1 [0106.929] GetProcessHeap () returned 0xbc0000 [0106.930] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0106.930] CloseHandle (hObject=0x270) returned 1 [0106.930] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0106.930] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3410 | out: hHeap=0x2680000) returned 1 [0106.930] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0106.930] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0106.930] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0106.930] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\CcJHbYdfkY.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\ccjhbydfky.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\CcJHbYdfkY.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\ccjhbydfky.png.nefilim")) returned 1 [0106.930] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.930] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0106.930] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6083c10, ftCreationTime.dwHighDateTime=0x1d5e1b9, ftLastAccessTime.dwLowDateTime=0x98da5290, ftLastAccessTime.dwHighDateTime=0x1d5e402, ftLastWriteTime.dwLowDateTime=0x98da5290, ftLastWriteTime.dwHighDateTime=0x1d5e402, nFileSizeHigh=0x0, nFileSizeLow=0x9f6c, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="dPl3j-_COUiJpDo oMuv.png", cAlternateFileName="DPL3J-~1.PNG")) returned 1 [0106.930] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2=".") returned 1 [0106.930] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="..") returned 1 [0106.930] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="...") returned 1 [0106.930] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="windows") returned -1 [0106.930] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="$RECYCLE.BIN") returned 1 [0106.930] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="rsa") returned -1 [0106.930] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="NTDETECT.COM") returned -1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="ntldr") returned -1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="MSDOS.SYS") returned -1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="IO.SYS") returned -1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="boot.ini") returned 1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="AUTOEXEC.BAT") returned 1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="ntuser.dat") returned -1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="desktop.ini") returned 1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="CONFIG.SYS") returned 1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="RECYCLER") returned -1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="BOOTSECT.BAK") returned 1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="bootmgr") returned 1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="programdata") returned -1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="appdata") returned 1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="program files") returned -1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="program files (x86)") returned -1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="microsoft") returned -1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="sophos") returned -1 [0106.931] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0106.931] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.931] PathFindExtensionW (pszPath="dPl3j-_COUiJpDo oMuv.png") returned=".png" [0106.931] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0106.931] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0106.931] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0106.931] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0106.931] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0106.931] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0106.931] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0106.931] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0106.931] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0106.931] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0106.931] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0106.931] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0106.931] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0106.931] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0106.931] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0106.931] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0106.931] lstrcmpiW (lpString1="dPl3j-_COUiJpDo oMuv.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.932] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0106.932] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\dPl3j-_COUiJpDo oMuv.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\dpl3j-_couijpdo omuv.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0106.932] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=40812) returned 1 [0106.932] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0106.932] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0106.932] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0106.932] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0106.932] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0106.932] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2bd0 [0106.932] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0106.932] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2bd0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2bd0*, pdwDataLen=0x25be794*=0x100) returned 1 [0106.932] GetTickCount () returned 0x115bdde [0106.932] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e618 [0106.932] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e618 | out: hHeap=0x2680000) returned 1 [0106.932] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x9f6c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.933] SetLastError (dwErrCode=0x0) [0106.933] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.933] GetLastError () returned 0x0 [0106.933] GetLastError () returned 0x0 [0106.934] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xa06c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.934] WriteFile (in: hFile=0x270, lpBuffer=0x29d2bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2bd0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.934] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xa16c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.934] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3aba69b6, dwHighDateTime=0x1d5f971)) [0106.934] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0106.934] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0106.934] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0106.934] GetProcessHeap () returned 0xbc0000 [0106.934] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x9f6c) returned 0xbf2638 [0106.934] GetSystemDefaultLangID () returned 0xbd0409 [0106.934] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.934] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x9f6c, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x9f6c, lpOverlapped=0x0) returned 1 [0106.936] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.936] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x9f6c, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x9f6c, lpOverlapped=0x0) returned 1 [0106.936] GetProcessHeap () returned 0xbc0000 [0106.936] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0106.936] CloseHandle (hObject=0x270) returned 1 [0106.936] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0106.936] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2bd0 | out: hHeap=0x2680000) returned 1 [0106.936] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0106.936] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0106.936] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0106.936] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\dPl3j-_COUiJpDo oMuv.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\dpl3j-_couijpdo omuv.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\dPl3j-_COUiJpDo oMuv.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\dpl3j-_couijpdo omuv.png.nefilim")) returned 1 [0106.937] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0106.937] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.937] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x20899f50, ftCreationTime.dwHighDateTime=0x1d5e149, ftLastAccessTime.dwLowDateTime=0xb404c7e0, ftLastAccessTime.dwHighDateTime=0x1d5ec62, ftLastWriteTime.dwLowDateTime=0xb404c7e0, ftLastWriteTime.dwHighDateTime=0x1d5ec62, nFileSizeHigh=0x0, nFileSizeLow=0xa78a, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="eli64UgCobZ6sd.jpg", cAlternateFileName="ELI64U~1.JPG")) returned 1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2=".") returned 1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="..") returned 1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="...") returned 1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="windows") returned -1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="$RECYCLE.BIN") returned 1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="rsa") returned -1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="NTDETECT.COM") returned -1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="ntldr") returned -1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="MSDOS.SYS") returned -1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="IO.SYS") returned -1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="boot.ini") returned 1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="ntuser.dat") returned -1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="desktop.ini") returned 1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="CONFIG.SYS") returned 1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="RECYCLER") returned -1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="BOOTSECT.BAK") returned 1 [0106.937] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="bootmgr") returned 1 [0106.938] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="programdata") returned -1 [0106.938] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="appdata") returned 1 [0106.938] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="program files") returned -1 [0106.938] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="program files (x86)") returned -1 [0106.938] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="microsoft") returned -1 [0106.938] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="sophos") returned -1 [0106.938] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0106.938] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0106.938] PathFindExtensionW (pszPath="eli64UgCobZ6sd.jpg") returned=".jpg" [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0106.938] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0106.938] lstrcmpiW (lpString1="eli64UgCobZ6sd.jpg", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.938] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0106.938] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\eli64UgCobZ6sd.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\eli64ugcobz6sd.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0106.938] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=42890) returned 1 [0106.938] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0106.938] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e258 [0106.938] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0106.939] SystemFunction036 (in: RandomBuffer=0x268e258, RandomBufferLength=0x10 | out: RandomBuffer=0x268e258) returned 1 [0106.939] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0106.939] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ff0 [0106.939] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0106.939] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ff0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ff0*, pdwDataLen=0x25be794*=0x100) returned 1 [0106.939] GetTickCount () returned 0x115bdde [0106.939] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0106.939] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0106.939] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xa78a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.939] SetLastError (dwErrCode=0x0) [0106.939] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.940] GetLastError () returned 0x0 [0106.940] GetLastError () returned 0x0 [0106.940] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xa88a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.940] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ff0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.940] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xa98a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.940] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3aba69b6, dwHighDateTime=0x1d5f971)) [0106.940] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0106.940] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0106.940] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0106.940] GetProcessHeap () returned 0xbc0000 [0106.940] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xa78a) returned 0xbf2638 [0106.940] GetSystemDefaultLangID () returned 0xbd0409 [0106.940] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.941] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xa78a, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xa78a, lpOverlapped=0x0) returned 1 [0106.943] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.943] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xa78a, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xa78a, lpOverlapped=0x0) returned 1 [0106.943] GetProcessHeap () returned 0xbc0000 [0106.943] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0106.945] CloseHandle (hObject=0x270) returned 1 [0106.945] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0106.945] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ff0 | out: hHeap=0x2680000) returned 1 [0106.945] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0106.945] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e258 | out: hHeap=0x2680000) returned 1 [0106.945] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0106.945] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\eli64UgCobZ6sd.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\eli64ugcobz6sd.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\eli64UgCobZ6sd.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\eli64ugcobz6sd.jpg.nefilim")) returned 1 [0106.945] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0106.945] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0106.945] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8add05b0, ftCreationTime.dwHighDateTime=0x1d5e723, ftLastAccessTime.dwLowDateTime=0x4aab9860, ftLastAccessTime.dwHighDateTime=0x1d5f0ee, ftLastWriteTime.dwLowDateTime=0x4aab9860, ftLastWriteTime.dwHighDateTime=0x1d5f0ee, nFileSizeHigh=0x0, nFileSizeLow=0xd3f4, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="f7Y_gVW-VQYDn_lgl_S.png", cAlternateFileName="F7Y_GV~1.PNG")) returned 1 [0106.945] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2=".") returned 1 [0106.945] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="..") returned 1 [0106.945] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="...") returned 1 [0106.945] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="windows") returned -1 [0106.945] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="$RECYCLE.BIN") returned 1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="rsa") returned -1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="NTDETECT.COM") returned -1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="ntldr") returned -1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="MSDOS.SYS") returned -1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="IO.SYS") returned -1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="boot.ini") returned 1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="AUTOEXEC.BAT") returned 1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="ntuser.dat") returned -1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="desktop.ini") returned 1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="CONFIG.SYS") returned 1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="RECYCLER") returned -1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="BOOTSECT.BAK") returned 1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="bootmgr") returned 1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="programdata") returned -1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="appdata") returned 1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="program files") returned -1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="program files (x86)") returned -1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="microsoft") returned -1 [0106.946] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="sophos") returned -1 [0106.946] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0106.946] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0106.946] PathFindExtensionW (pszPath="f7Y_gVW-VQYDn_lgl_S.png") returned=".png" [0106.946] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0106.946] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0106.946] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0106.946] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0106.946] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0106.946] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0106.946] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0106.946] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0106.946] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0106.946] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0106.946] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0106.946] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0106.946] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0106.947] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0106.947] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0106.947] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0106.947] lstrcmpiW (lpString1="f7Y_gVW-VQYDn_lgl_S.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0106.947] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0106.947] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\f7Y_gVW-VQYDn_lgl_S.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\f7y_gvw-vqydn_lgl_s.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0106.947] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=54260) returned 1 [0106.947] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e288 [0106.947] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0106.947] SystemFunction036 (in: RandomBuffer=0x268e288, RandomBufferLength=0x10 | out: RandomBuffer=0x268e288) returned 1 [0106.947] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0106.947] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0106.947] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2180 [0106.947] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0106.949] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2180*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2180*, pdwDataLen=0x25be794*=0x100) returned 1 [0106.949] GetTickCount () returned 0x115bded [0106.949] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0106.949] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0106.949] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd3f4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.949] SetLastError (dwErrCode=0x0) [0106.949] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.950] GetLastError () returned 0x0 [0106.950] GetLastError () returned 0x0 [0106.950] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd4f4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.950] WriteFile (in: hFile=0x270, lpBuffer=0x29d2180*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2180*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0106.950] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd5f4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.950] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3abccae0, dwHighDateTime=0x1d5f971)) [0106.950] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0106.950] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0106.950] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0106.950] GetProcessHeap () returned 0xbc0000 [0106.950] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xd3f4) returned 0xbf2638 [0106.950] GetSystemDefaultLangID () returned 0xbd0409 [0106.950] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.950] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xd3f4, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xd3f4, lpOverlapped=0x0) returned 1 [0106.954] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0106.954] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xd3f4, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xd3f4, lpOverlapped=0x0) returned 1 [0107.006] GetProcessHeap () returned 0xbc0000 [0107.006] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.007] CloseHandle (hObject=0x270) returned 1 [0107.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2180 | out: hHeap=0x2680000) returned 1 [0107.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e288 | out: hHeap=0x2680000) returned 1 [0107.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0107.065] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0107.065] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\f7Y_gVW-VQYDn_lgl_S.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\f7y_gvw-vqydn_lgl_s.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\f7Y_gVW-VQYDn_lgl_S.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\f7y_gvw-vqydn_lgl_s.png.nefilim")) returned 1 [0107.066] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0107.066] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.066] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xda8ffd70, ftCreationTime.dwHighDateTime=0x1d5eb23, ftLastAccessTime.dwLowDateTime=0xec10c860, ftLastAccessTime.dwHighDateTime=0x1d5ecbb, ftLastWriteTime.dwLowDateTime=0xec10c860, ftLastWriteTime.dwHighDateTime=0x1d5ecbb, nFileSizeHigh=0x0, nFileSizeLow=0x970a, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="GSRiB20y9JBiDQi3L7I.png", cAlternateFileName="GSRIB2~1.PNG")) returned 1 [0107.066] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2=".") returned 1 [0107.066] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="..") returned 1 [0107.066] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="...") returned 1 [0107.066] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="windows") returned -1 [0107.066] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="$RECYCLE.BIN") returned 1 [0107.066] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="rsa") returned -1 [0107.066] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="NTDETECT.COM") returned -1 [0107.066] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="ntldr") returned -1 [0107.066] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="MSDOS.SYS") returned -1 [0107.066] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="IO.SYS") returned -1 [0107.066] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="boot.ini") returned 1 [0107.066] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="AUTOEXEC.BAT") returned 1 [0107.066] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="ntuser.dat") returned -1 [0107.066] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="desktop.ini") returned 1 [0107.067] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="CONFIG.SYS") returned 1 [0107.067] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="RECYCLER") returned -1 [0107.067] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="BOOTSECT.BAK") returned 1 [0107.067] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="bootmgr") returned 1 [0107.067] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="programdata") returned -1 [0107.067] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="appdata") returned 1 [0107.067] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="program files") returned -1 [0107.067] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="program files (x86)") returned -1 [0107.067] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="microsoft") returned -1 [0107.067] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="sophos") returned -1 [0107.067] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0107.067] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0107.067] PathFindExtensionW (pszPath="GSRiB20y9JBiDQi3L7I.png") returned=".png" [0107.067] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0107.067] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0107.067] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0107.067] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0107.067] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0107.067] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0107.067] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0107.067] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0107.067] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0107.067] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0107.067] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0107.068] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0107.068] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0107.068] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0107.068] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0107.068] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0107.068] lstrcmpiW (lpString1="GSRiB20y9JBiDQi3L7I.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.068] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0107.068] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\GSRiB20y9JBiDQi3L7I.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\gsrib20y9jbidqi3l7i.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.068] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=38666) returned 1 [0107.068] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e270 [0107.068] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e258 [0107.068] SystemFunction036 (in: RandomBuffer=0x268e270, RandomBufferLength=0x10 | out: RandomBuffer=0x268e270) returned 1 [0107.068] SystemFunction036 (in: RandomBuffer=0x268e258, RandomBufferLength=0x10 | out: RandomBuffer=0x268e258) returned 1 [0107.068] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.068] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0107.068] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.068] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.070] GetTickCount () returned 0x115be6a [0107.070] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e7a0 [0107.070] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e7a0 | out: hHeap=0x2680000) returned 1 [0107.070] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x970a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.070] SetLastError (dwErrCode=0x0) [0107.070] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.071] GetLastError () returned 0x0 [0107.071] GetLastError () returned 0x0 [0107.071] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x980a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.071] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.071] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x990a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.071] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3acfdd1f, dwHighDateTime=0x1d5f971)) [0107.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680540 [0107.071] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680540 | out: hHeap=0x2680000) returned 1 [0107.071] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.071] GetProcessHeap () returned 0xbc0000 [0107.071] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x970a) returned 0xbf2638 [0107.072] GetSystemDefaultLangID () returned 0xbd0409 [0107.072] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.072] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x970a, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x970a, lpOverlapped=0x0) returned 1 [0107.075] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.075] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x970a, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x970a, lpOverlapped=0x0) returned 1 [0107.075] GetProcessHeap () returned 0xbc0000 [0107.075] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.075] CloseHandle (hObject=0x270) returned 1 [0107.075] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.075] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0107.075] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e270 | out: hHeap=0x2680000) returned 1 [0107.075] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e258 | out: hHeap=0x2680000) returned 1 [0107.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be18 [0107.075] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\GSRiB20y9JBiDQi3L7I.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\gsrib20y9jbidqi3l7i.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\GSRiB20y9JBiDQi3L7I.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\gsrib20y9jbidqi3l7i.png.nefilim")) returned 1 [0107.076] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0107.076] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.076] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf1feccc0, ftCreationTime.dwHighDateTime=0x1d5e44d, ftLastAccessTime.dwLowDateTime=0x3c703500, ftLastAccessTime.dwHighDateTime=0x1d5eae3, ftLastWriteTime.dwLowDateTime=0x3c703500, ftLastWriteTime.dwHighDateTime=0x1d5eae3, nFileSizeHigh=0x0, nFileSizeLow=0x15946, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="GzjhebongZebv.jpg", cAlternateFileName="GZJHEB~1.JPG")) returned 1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2=".") returned 1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="..") returned 1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="...") returned 1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="windows") returned -1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="$RECYCLE.BIN") returned 1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="rsa") returned -1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="NTDETECT.COM") returned -1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="ntldr") returned -1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="MSDOS.SYS") returned -1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="IO.SYS") returned -1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="boot.ini") returned 1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="ntuser.dat") returned -1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="desktop.ini") returned 1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="CONFIG.SYS") returned 1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="RECYCLER") returned -1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="BOOTSECT.BAK") returned 1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="bootmgr") returned 1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="programdata") returned -1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="appdata") returned 1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="program files") returned -1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="program files (x86)") returned -1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="microsoft") returned -1 [0107.076] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="sophos") returned -1 [0107.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0107.076] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.076] PathFindExtensionW (pszPath="GzjhebongZebv.jpg") returned=".jpg" [0107.076] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0107.076] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0107.076] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0107.076] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0107.076] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0107.077] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0107.077] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0107.077] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0107.077] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0107.077] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0107.077] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0107.077] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0107.077] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0107.077] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0107.077] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0107.077] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0107.077] lstrcmpiW (lpString1="GzjhebongZebv.jpg", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.077] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0107.077] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\GzjhebongZebv.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\gzjhebongzebv.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.077] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=88390) returned 1 [0107.077] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e258 [0107.077] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e270 [0107.077] SystemFunction036 (in: RandomBuffer=0x268e258, RandomBufferLength=0x10 | out: RandomBuffer=0x268e258) returned 1 [0107.077] SystemFunction036 (in: RandomBuffer=0x268e270, RandomBufferLength=0x10 | out: RandomBuffer=0x268e270) returned 1 [0107.077] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.077] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ff0 [0107.077] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.079] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ff0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ff0*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.080] GetTickCount () returned 0x115be6a [0107.080] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0107.080] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0107.080] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x15946, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.080] SetLastError (dwErrCode=0x0) [0107.080] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.081] GetLastError () returned 0x0 [0107.081] GetLastError () returned 0x0 [0107.081] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x15a46, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.081] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ff0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.081] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x15b46, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.081] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3acfdd1f, dwHighDateTime=0x1d5f971)) [0107.081] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0107.081] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0107.081] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.081] GetProcessHeap () returned 0xbc0000 [0107.081] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x15946) returned 0xbf2638 [0107.082] GetSystemDefaultLangID () returned 0xbd0409 [0107.082] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.082] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x15946, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x15946, lpOverlapped=0x0) returned 1 [0107.089] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.089] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x15946, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x15946, lpOverlapped=0x0) returned 1 [0107.089] GetProcessHeap () returned 0xbc0000 [0107.089] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.089] CloseHandle (hObject=0x270) returned 1 [0107.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ff0 | out: hHeap=0x2680000) returned 1 [0107.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e258 | out: hHeap=0x2680000) returned 1 [0107.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e270 | out: hHeap=0x2680000) returned 1 [0107.090] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0107.090] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\GzjhebongZebv.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\gzjhebongzebv.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\GzjhebongZebv.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\gzjhebongzebv.jpg.nefilim")) returned 1 [0107.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0107.090] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb6d6dec0, ftCreationTime.dwHighDateTime=0x1d5ea61, ftLastAccessTime.dwLowDateTime=0x2b6a6f70, ftLastAccessTime.dwHighDateTime=0x1d5f03b, ftLastWriteTime.dwLowDateTime=0x2b6a6f70, ftLastWriteTime.dwHighDateTime=0x1d5f03b, nFileSizeHigh=0x0, nFileSizeLow=0x12238, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="hgWSyFJUy.png", cAlternateFileName="HGWSYF~1.PNG")) returned 1 [0107.090] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2=".") returned 1 [0107.090] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="..") returned 1 [0107.090] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="...") returned 1 [0107.090] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="windows") returned -1 [0107.090] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="$RECYCLE.BIN") returned 1 [0107.090] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="rsa") returned -1 [0107.090] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="NTDETECT.COM") returned -1 [0107.090] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="ntldr") returned -1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="MSDOS.SYS") returned -1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="IO.SYS") returned -1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="boot.ini") returned 1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="AUTOEXEC.BAT") returned 1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="ntuser.dat") returned -1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="desktop.ini") returned 1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="CONFIG.SYS") returned 1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="RECYCLER") returned -1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="BOOTSECT.BAK") returned 1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="bootmgr") returned 1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="programdata") returned -1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="appdata") returned 1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="program files") returned -1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="program files (x86)") returned -1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="microsoft") returned -1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="sophos") returned -1 [0107.091] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0107.091] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.091] PathFindExtensionW (pszPath="hgWSyFJUy.png") returned=".png" [0107.091] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0107.091] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0107.091] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0107.091] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0107.091] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0107.091] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0107.091] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0107.091] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0107.091] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0107.091] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0107.091] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0107.091] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0107.091] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0107.091] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0107.091] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0107.091] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0107.091] lstrcmpiW (lpString1="hgWSyFJUy.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0107.092] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\hgWSyFJUy.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\hgwsyfjuy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.092] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=74296) returned 1 [0107.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0107.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.092] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0107.092] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0107.092] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.092] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.092] GetTickCount () returned 0x115be7a [0107.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0107.092] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0107.092] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12238, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.092] SetLastError (dwErrCode=0x0) [0107.092] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.093] GetLastError () returned 0x0 [0107.093] GetLastError () returned 0x0 [0107.093] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12338, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.093] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.094] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12438, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.094] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3ad240f9, dwHighDateTime=0x1d5f971)) [0107.094] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0107.094] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0107.094] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.094] GetProcessHeap () returned 0xbc0000 [0107.094] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x12238) returned 0xbf2638 [0107.094] GetSystemDefaultLangID () returned 0xbd0409 [0107.094] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.094] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x12238, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x12238, lpOverlapped=0x0) returned 1 [0107.097] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.097] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x12238, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x12238, lpOverlapped=0x0) returned 1 [0107.099] GetProcessHeap () returned 0xbc0000 [0107.099] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.100] CloseHandle (hObject=0x270) returned 1 [0107.100] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.100] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0107.100] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0107.100] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.100] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0107.100] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\hgWSyFJUy.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\hgwsyfjuy.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\hgWSyFJUy.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\hgwsyfjuy.png.nefilim")) returned 1 [0107.100] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.100] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.100] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf49b4260, ftCreationTime.dwHighDateTime=0x1d5ee39, ftLastAccessTime.dwLowDateTime=0x1163a20, ftLastAccessTime.dwHighDateTime=0x1d5e95a, ftLastWriteTime.dwLowDateTime=0x1163a20, ftLastWriteTime.dwHighDateTime=0x1d5e95a, nFileSizeHigh=0x0, nFileSizeLow=0x16de4, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="HqrJ4Bvzzlru qE2yiJ.gif", cAlternateFileName="HQRJ4B~1.GIF")) returned 1 [0107.100] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2=".") returned 1 [0107.100] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="..") returned 1 [0107.100] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="...") returned 1 [0107.100] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="windows") returned -1 [0107.100] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="$RECYCLE.BIN") returned 1 [0107.100] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="rsa") returned -1 [0107.100] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="NTDETECT.COM") returned -1 [0107.100] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="ntldr") returned -1 [0107.100] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="MSDOS.SYS") returned -1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="IO.SYS") returned -1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="boot.ini") returned 1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="AUTOEXEC.BAT") returned 1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="ntuser.dat") returned -1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="desktop.ini") returned 1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="CONFIG.SYS") returned 1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="RECYCLER") returned -1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="BOOTSECT.BAK") returned 1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="bootmgr") returned 1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="programdata") returned -1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="appdata") returned 1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="program files") returned -1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="program files (x86)") returned -1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="microsoft") returned -1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="sophos") returned -1 [0107.101] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0107.101] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0107.101] PathFindExtensionW (pszPath="HqrJ4Bvzzlru qE2yiJ.gif") returned=".gif" [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0107.101] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0107.101] lstrcmpiW (lpString1="HqrJ4Bvzzlru qE2yiJ.gif", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.101] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0107.101] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\HqrJ4Bvzzlru qE2yiJ.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\hqrj4bvzzlru qe2yij.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.102] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=93668) returned 1 [0107.102] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.102] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0107.102] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.102] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0107.102] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.102] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3620 [0107.102] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.102] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3620*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3620*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.104] GetTickCount () returned 0x115be8a [0107.104] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e618 [0107.104] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e618 | out: hHeap=0x2680000) returned 1 [0107.104] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x16de4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.104] SetLastError (dwErrCode=0x0) [0107.104] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.105] GetLastError () returned 0x0 [0107.105] GetLastError () returned 0x0 [0107.105] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x16ee4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.105] WriteFile (in: hFile=0x270, lpBuffer=0x29d3620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3620*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.105] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x16fe4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.105] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3ad4a353, dwHighDateTime=0x1d5f971)) [0107.105] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680540 [0107.105] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680540 | out: hHeap=0x2680000) returned 1 [0107.105] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.105] GetProcessHeap () returned 0xbc0000 [0107.105] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x16de4) returned 0xbf2638 [0107.106] GetSystemDefaultLangID () returned 0xbd0409 [0107.106] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.106] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x16de4, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x16de4, lpOverlapped=0x0) returned 1 [0107.111] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.112] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x16de4, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x16de4, lpOverlapped=0x0) returned 1 [0107.112] GetProcessHeap () returned 0xbc0000 [0107.112] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.112] CloseHandle (hObject=0x270) returned 1 [0107.112] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.112] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3620 | out: hHeap=0x2680000) returned 1 [0107.112] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.112] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0107.112] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be18 [0107.112] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\HqrJ4Bvzzlru qE2yiJ.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\hqrj4bvzzlru qe2yij.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\HqrJ4Bvzzlru qE2yiJ.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\hqrj4bvzzlru qe2yij.gif.nefilim")) returned 1 [0107.113] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0107.113] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.113] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c472330, ftCreationTime.dwHighDateTime=0x1d5e1d6, ftLastAccessTime.dwLowDateTime=0x3b520ea0, ftLastAccessTime.dwHighDateTime=0x1d5e17e, ftLastWriteTime.dwLowDateTime=0x3b520ea0, ftLastWriteTime.dwHighDateTime=0x1d5e17e, nFileSizeHigh=0x0, nFileSizeLow=0xd28a, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="J-3j2Gy5bV9ZiHzy.png", cAlternateFileName="J-3J2G~1.PNG")) returned 1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2=".") returned 1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="..") returned 1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="...") returned 1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="windows") returned -1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="$RECYCLE.BIN") returned 1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="rsa") returned -1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="NTDETECT.COM") returned -1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="ntldr") returned -1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="MSDOS.SYS") returned -1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="IO.SYS") returned 1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="boot.ini") returned 1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="AUTOEXEC.BAT") returned 1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="ntuser.dat") returned -1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="desktop.ini") returned 1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="CONFIG.SYS") returned 1 [0107.113] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="RECYCLER") returned -1 [0107.169] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="BOOTSECT.BAK") returned 1 [0107.169] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="bootmgr") returned 1 [0107.169] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="programdata") returned -1 [0107.169] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="appdata") returned 1 [0107.169] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="program files") returned -1 [0107.169] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="program files (x86)") returned -1 [0107.170] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="microsoft") returned -1 [0107.170] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="sophos") returned -1 [0107.170] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0107.170] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.170] PathFindExtensionW (pszPath="J-3j2Gy5bV9ZiHzy.png") returned=".png" [0107.170] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0107.170] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0107.170] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0107.170] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0107.170] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0107.170] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0107.170] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0107.170] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0107.170] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0107.170] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0107.170] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0107.170] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0107.170] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0107.170] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0107.170] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0107.170] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0107.170] lstrcmpiW (lpString1="J-3j2Gy5bV9ZiHzy.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.170] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0107.170] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\J-3j2Gy5bV9ZiHzy.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\j-3j2gy5bv9zihzy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.170] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=53898) returned 1 [0107.171] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0107.171] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.171] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0107.171] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.171] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.171] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d27b0 [0107.171] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.172] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d27b0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d27b0*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.174] GetTickCount () returned 0x115bec8 [0107.174] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e7a0 [0107.174] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e7a0 | out: hHeap=0x2680000) returned 1 [0107.174] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd28a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.174] SetLastError (dwErrCode=0x0) [0107.174] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.175] GetLastError () returned 0x0 [0107.175] GetLastError () returned 0x0 [0107.175] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd38a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.175] WriteFile (in: hFile=0x270, lpBuffer=0x29d27b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d27b0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.175] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd48a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.175] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3ade2a75, dwHighDateTime=0x1d5f971)) [0107.175] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0107.175] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0107.175] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.175] GetProcessHeap () returned 0xbc0000 [0107.175] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xd28a) returned 0xbf2638 [0107.175] GetSystemDefaultLangID () returned 0xbd0409 [0107.175] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.175] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xd28a, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xd28a, lpOverlapped=0x0) returned 1 [0107.178] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.179] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xd28a, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xd28a, lpOverlapped=0x0) returned 1 [0107.179] GetProcessHeap () returned 0xbc0000 [0107.179] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.179] CloseHandle (hObject=0x270) returned 1 [0107.179] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.179] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d27b0 | out: hHeap=0x2680000) returned 1 [0107.179] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0107.179] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.179] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0107.179] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\J-3j2Gy5bV9ZiHzy.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\j-3j2gy5bv9zihzy.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\J-3j2Gy5bV9ZiHzy.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\j-3j2gy5bv9zihzy.png.nefilim")) returned 1 [0107.180] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.180] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0107.180] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbee6e530, ftCreationTime.dwHighDateTime=0x1d5ed2a, ftLastAccessTime.dwLowDateTime=0x739683d0, ftLastAccessTime.dwHighDateTime=0x1d5ec15, ftLastWriteTime.dwLowDateTime=0x739683d0, ftLastWriteTime.dwHighDateTime=0x1d5ec15, nFileSizeHigh=0x0, nFileSizeLow=0xda7d, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="nDGDkf3rv9eCPSTotz.bmp", cAlternateFileName="NDGDKF~1.BMP")) returned 1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2=".") returned 1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="..") returned 1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="...") returned 1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="windows") returned -1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="$RECYCLE.BIN") returned 1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="rsa") returned -1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="NTDETECT.COM") returned -1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="ntldr") returned -1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="MSDOS.SYS") returned 1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="IO.SYS") returned 1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="boot.ini") returned 1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="ntuser.dat") returned -1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="desktop.ini") returned 1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="CONFIG.SYS") returned 1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="RECYCLER") returned -1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="BOOTSECT.BAK") returned 1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="bootmgr") returned 1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="programdata") returned -1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="appdata") returned 1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="program files") returned -1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="program files (x86)") returned -1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="microsoft") returned 1 [0107.180] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="sophos") returned -1 [0107.180] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0107.180] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.180] PathFindExtensionW (pszPath="nDGDkf3rv9eCPSTotz.bmp") returned=".bmp" [0107.180] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0107.180] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0107.181] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0107.181] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0107.181] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0107.181] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0107.181] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0107.181] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0107.181] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0107.181] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0107.181] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0107.181] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0107.181] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0107.181] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0107.181] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0107.181] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0107.181] lstrcmpiW (lpString1="nDGDkf3rv9eCPSTotz.bmp", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0107.181] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\nDGDkf3rv9eCPSTotz.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\ndgdkf3rv9ecpstotz.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.181] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=55933) returned 1 [0107.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0107.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e270 [0107.181] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0107.181] SystemFunction036 (in: RandomBuffer=0x268e270, RandomBufferLength=0x10 | out: RandomBuffer=0x268e270) returned 1 [0107.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2de0 [0107.181] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.182] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2de0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2de0*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.182] GetTickCount () returned 0x115bed8 [0107.182] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0107.182] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0107.182] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xda7d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.182] SetLastError (dwErrCode=0x0) [0107.182] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.183] GetLastError () returned 0x0 [0107.183] GetLastError () returned 0x0 [0107.183] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xdb7d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.183] WriteFile (in: hFile=0x270, lpBuffer=0x29d2de0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2de0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.183] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xdc7d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.183] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3ae08cbd, dwHighDateTime=0x1d5f971)) [0107.183] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0107.183] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0107.183] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.183] GetProcessHeap () returned 0xbc0000 [0107.183] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xda7d) returned 0xbf2638 [0107.183] GetSystemDefaultLangID () returned 0xbd0409 [0107.183] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.183] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xda7d, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xda7d, lpOverlapped=0x0) returned 1 [0107.186] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.186] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xda7d, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xda7d, lpOverlapped=0x0) returned 1 [0107.186] GetProcessHeap () returned 0xbc0000 [0107.186] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.186] CloseHandle (hObject=0x270) returned 1 [0107.187] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.187] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2de0 | out: hHeap=0x2680000) returned 1 [0107.187] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0107.187] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e270 | out: hHeap=0x2680000) returned 1 [0107.187] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0107.187] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\nDGDkf3rv9eCPSTotz.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\ndgdkf3rv9ecpstotz.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\nDGDkf3rv9eCPSTotz.bmp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\ndgdkf3rv9ecpstotz.bmp.nefilim")) returned 1 [0107.188] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0107.188] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.188] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa49aeff0, ftCreationTime.dwHighDateTime=0x1d5e2d0, ftLastAccessTime.dwLowDateTime=0xebd6b6c0, ftLastAccessTime.dwHighDateTime=0x1d5ec25, ftLastWriteTime.dwLowDateTime=0xebd6b6c0, ftLastWriteTime.dwHighDateTime=0x1d5ec25, nFileSizeHigh=0x0, nFileSizeLow=0x7da1, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="pwrpca2SHC89hNUHUgR.bmp", cAlternateFileName="PWRPCA~1.BMP")) returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2=".") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="..") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="...") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="windows") returned -1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="$RECYCLE.BIN") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="rsa") returned -1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="NTDETECT.COM") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="ntldr") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="MSDOS.SYS") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="IO.SYS") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="boot.ini") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="ntuser.dat") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="desktop.ini") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="CONFIG.SYS") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="RECYCLER") returned -1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="BOOTSECT.BAK") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="bootmgr") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="programdata") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="appdata") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="program files") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="program files (x86)") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="microsoft") returned 1 [0107.188] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="sophos") returned -1 [0107.188] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0107.188] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0107.188] PathFindExtensionW (pszPath="pwrpca2SHC89hNUHUgR.bmp") returned=".bmp" [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0107.189] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0107.189] lstrcmpiW (lpString1="pwrpca2SHC89hNUHUgR.bmp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.189] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0107.189] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\pwrpca2SHC89hNUHUgR.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\pwrpca2shc89hnuhugr.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.189] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=32161) returned 1 [0107.189] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e288 [0107.189] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0107.189] SystemFunction036 (in: RandomBuffer=0x268e288, RandomBufferLength=0x10 | out: RandomBuffer=0x268e288) returned 1 [0107.189] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0107.189] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.189] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3a40 [0107.189] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.190] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3a40*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3a40*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.190] GetTickCount () returned 0x115bed8 [0107.190] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0107.190] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0107.190] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7da1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.190] SetLastError (dwErrCode=0x0) [0107.190] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.191] GetLastError () returned 0x0 [0107.191] GetLastError () returned 0x0 [0107.191] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7ea1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.191] WriteFile (in: hFile=0x270, lpBuffer=0x29d3a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3a40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.192] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7fa1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.192] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3ae2ee4e, dwHighDateTime=0x1d5f971)) [0107.192] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680540 [0107.192] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680540 | out: hHeap=0x2680000) returned 1 [0107.192] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.192] GetProcessHeap () returned 0xbc0000 [0107.192] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x7da1) returned 0xbf2638 [0107.192] GetSystemDefaultLangID () returned 0xbd0409 [0107.192] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.192] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x7da1, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x7da1, lpOverlapped=0x0) returned 1 [0107.193] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.193] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x7da1, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x7da1, lpOverlapped=0x0) returned 1 [0107.194] GetProcessHeap () returned 0xbc0000 [0107.194] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.195] CloseHandle (hObject=0x270) returned 1 [0107.195] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.195] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3a40 | out: hHeap=0x2680000) returned 1 [0107.195] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e288 | out: hHeap=0x2680000) returned 1 [0107.195] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0107.195] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be18 [0107.195] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\pwrpca2SHC89hNUHUgR.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\pwrpca2shc89hnuhugr.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\pwrpca2SHC89hNUHUgR.bmp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\pwrpca2shc89hnuhugr.bmp.nefilim")) returned 1 [0107.196] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0107.196] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.196] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36fde230, ftCreationTime.dwHighDateTime=0x1d5e6cd, ftLastAccessTime.dwLowDateTime=0xaede5a90, ftLastAccessTime.dwHighDateTime=0x1d5ec0f, ftLastWriteTime.dwLowDateTime=0xaede5a90, ftLastWriteTime.dwHighDateTime=0x1d5ec0f, nFileSizeHigh=0x0, nFileSizeLow=0x15006, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="PYrRBa1NtQgUe.png", cAlternateFileName="PYRRBA~1.PNG")) returned 1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2=".") returned 1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="..") returned 1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="...") returned 1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="windows") returned -1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="$RECYCLE.BIN") returned 1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="rsa") returned -1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="NTDETECT.COM") returned 1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="ntldr") returned 1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="MSDOS.SYS") returned 1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="IO.SYS") returned 1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="boot.ini") returned 1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="AUTOEXEC.BAT") returned 1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="ntuser.dat") returned 1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="desktop.ini") returned 1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="CONFIG.SYS") returned 1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="RECYCLER") returned -1 [0107.196] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="BOOTSECT.BAK") returned 1 [0107.197] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="bootmgr") returned 1 [0107.197] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="programdata") returned 1 [0107.197] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="appdata") returned 1 [0107.197] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="program files") returned 1 [0107.197] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="program files (x86)") returned 1 [0107.197] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="microsoft") returned 1 [0107.197] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="sophos") returned -1 [0107.197] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0107.197] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.197] PathFindExtensionW (pszPath="PYrRBa1NtQgUe.png") returned=".png" [0107.197] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0107.197] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0107.197] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0107.197] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0107.197] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0107.197] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0107.197] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0107.197] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0107.197] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0107.197] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0107.197] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0107.197] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0107.197] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0107.197] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0107.197] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0107.197] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0107.197] lstrcmpiW (lpString1="PYrRBa1NtQgUe.png", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.197] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0107.197] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\PYrRBa1NtQgUe.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\pyrrba1ntqgue.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.197] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=86022) returned 1 [0107.197] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e288 [0107.197] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e270 [0107.198] SystemFunction036 (in: RandomBuffer=0x268e288, RandomBufferLength=0x10 | out: RandomBuffer=0x268e288) returned 1 [0107.198] SystemFunction036 (in: RandomBuffer=0x268e270, RandomBufferLength=0x10 | out: RandomBuffer=0x268e270) returned 1 [0107.198] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.198] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2cd8 [0107.198] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.199] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2cd8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2cd8*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.199] GetTickCount () returned 0x115bee7 [0107.199] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e618 [0107.199] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e618 | out: hHeap=0x2680000) returned 1 [0107.200] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x15006, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.200] SetLastError (dwErrCode=0x0) [0107.200] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.200] GetLastError () returned 0x0 [0107.200] GetLastError () returned 0x0 [0107.200] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x15106, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.200] WriteFile (in: hFile=0x270, lpBuffer=0x29d2cd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2cd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.201] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x15206, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.201] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3ae2ee4e, dwHighDateTime=0x1d5f971)) [0107.201] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0107.201] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0107.201] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.201] GetProcessHeap () returned 0xbc0000 [0107.201] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x15006) returned 0xbf2638 [0107.201] GetSystemDefaultLangID () returned 0xbd0409 [0107.201] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.201] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x15006, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x15006, lpOverlapped=0x0) returned 1 [0107.206] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.206] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x15006, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x15006, lpOverlapped=0x0) returned 1 [0107.206] GetProcessHeap () returned 0xbc0000 [0107.206] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.206] CloseHandle (hObject=0x270) returned 1 [0107.206] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.206] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2cd8 | out: hHeap=0x2680000) returned 1 [0107.206] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e288 | out: hHeap=0x2680000) returned 1 [0107.206] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e270 | out: hHeap=0x2680000) returned 1 [0107.206] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0107.206] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\PYrRBa1NtQgUe.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\pyrrba1ntqgue.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\PYrRBa1NtQgUe.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\pyrrba1ntqgue.png.nefilim")) returned 1 [0107.207] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.207] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0107.207] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x11bf430, ftCreationTime.dwHighDateTime=0x1d5eb83, ftLastAccessTime.dwLowDateTime=0xa6066ce0, ftLastAccessTime.dwHighDateTime=0x1d5e43b, ftLastWriteTime.dwLowDateTime=0xa6066ce0, ftLastWriteTime.dwHighDateTime=0x1d5e43b, nFileSizeHigh=0x0, nFileSizeLow=0x7607, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="QDaV895eqT.bmp", cAlternateFileName="QDAV89~1.BMP")) returned 1 [0107.207] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2=".") returned 1 [0107.253] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="..") returned 1 [0107.253] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="...") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="windows") returned -1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="$RECYCLE.BIN") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="rsa") returned -1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="NTDETECT.COM") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="ntldr") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="MSDOS.SYS") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="IO.SYS") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="boot.ini") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="ntuser.dat") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="desktop.ini") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="CONFIG.SYS") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="RECYCLER") returned -1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="BOOTSECT.BAK") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="bootmgr") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="programdata") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="appdata") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="program files") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="program files (x86)") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="microsoft") returned 1 [0107.254] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="sophos") returned -1 [0107.254] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0107.254] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.255] PathFindExtensionW (pszPath="QDaV895eqT.bmp") returned=".bmp" [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0107.255] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0107.255] lstrcmpiW (lpString1="QDaV895eqT.bmp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.255] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0107.255] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\QDaV895eqT.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\qdav895eqt.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.255] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=30215) returned 1 [0107.255] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e258 [0107.255] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e288 [0107.255] SystemFunction036 (in: RandomBuffer=0x268e258, RandomBufferLength=0x10 | out: RandomBuffer=0x268e258) returned 1 [0107.255] SystemFunction036 (in: RandomBuffer=0x268e288, RandomBufferLength=0x10 | out: RandomBuffer=0x268e288) returned 1 [0107.256] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.256] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3620 [0107.256] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.256] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3620*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3620*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.257] GetTickCount () returned 0x115bf26 [0107.257] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0107.257] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0107.257] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7607, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.257] SetLastError (dwErrCode=0x0) [0107.257] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.258] GetLastError () returned 0x0 [0107.258] GetLastError () returned 0x0 [0107.258] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7707, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.258] WriteFile (in: hFile=0x270, lpBuffer=0x29d3620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3620*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.258] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7807, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.259] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3aec77fd, dwHighDateTime=0x1d5f971)) [0107.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0107.259] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0107.259] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.259] GetProcessHeap () returned 0xbc0000 [0107.259] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x7607) returned 0xbf2638 [0107.260] GetSystemDefaultLangID () returned 0xbd0409 [0107.260] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.260] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x7607, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x7607, lpOverlapped=0x0) returned 1 [0107.262] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.262] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x7607, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x7607, lpOverlapped=0x0) returned 1 [0107.262] GetProcessHeap () returned 0xbc0000 [0107.262] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.262] CloseHandle (hObject=0x270) returned 1 [0107.262] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.262] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3620 | out: hHeap=0x2680000) returned 1 [0107.262] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e258 | out: hHeap=0x2680000) returned 1 [0107.262] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e288 | out: hHeap=0x2680000) returned 1 [0107.262] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0107.262] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\QDaV895eqT.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\qdav895eqt.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\QDaV895eqT.bmp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\qdav895eqt.bmp.nefilim")) returned 1 [0107.349] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.349] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.349] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x13f1de50, ftCreationTime.dwHighDateTime=0x1d5efcd, ftLastAccessTime.dwLowDateTime=0xe5d6d280, ftLastAccessTime.dwHighDateTime=0x1d5ed08, ftLastWriteTime.dwLowDateTime=0xe5d6d280, ftLastWriteTime.dwHighDateTime=0x1d5ed08, nFileSizeHigh=0x0, nFileSizeLow=0xd4f9, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="V5V1hy.gif", cAlternateFileName="")) returned 1 [0107.349] lstrcmpiW (lpString1="V5V1hy.gif", lpString2=".") returned 1 [0107.349] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="..") returned 1 [0107.349] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="...") returned 1 [0107.349] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="windows") returned -1 [0107.349] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="$RECYCLE.BIN") returned 1 [0107.349] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="rsa") returned 1 [0107.349] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="NTDETECT.COM") returned 1 [0107.349] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="ntldr") returned 1 [0107.349] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="MSDOS.SYS") returned 1 [0107.349] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="IO.SYS") returned 1 [0107.350] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="boot.ini") returned 1 [0107.350] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="AUTOEXEC.BAT") returned 1 [0107.350] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="ntuser.dat") returned 1 [0107.350] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="desktop.ini") returned 1 [0107.350] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="CONFIG.SYS") returned 1 [0107.350] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="RECYCLER") returned 1 [0107.350] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="BOOTSECT.BAK") returned 1 [0107.350] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="bootmgr") returned 1 [0107.350] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="programdata") returned 1 [0107.350] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="appdata") returned 1 [0107.350] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="program files") returned 1 [0107.350] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="program files (x86)") returned 1 [0107.350] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="microsoft") returned 1 [0107.350] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="sophos") returned 1 [0107.350] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0107.350] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0107.350] PathFindExtensionW (pszPath="V5V1hy.gif") returned=".gif" [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0107.350] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0107.350] lstrcmpiW (lpString1="V5V1hy.gif", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.350] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0107.350] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\V5V1hy.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\v5v1hy.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.351] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=54521) returned 1 [0107.351] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0107.351] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.351] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0107.351] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.351] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.351] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3a40 [0107.351] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.351] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3a40*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3a40*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.351] GetTickCount () returned 0x115bf84 [0107.351] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0107.351] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0107.351] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd4f9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.352] SetLastError (dwErrCode=0x0) [0107.352] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.352] GetLastError () returned 0x0 [0107.352] GetLastError () returned 0x0 [0107.352] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd5f9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.352] WriteFile (in: hFile=0x270, lpBuffer=0x29d3a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3a40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.353] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd6f9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.353] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3afac717, dwHighDateTime=0x1d5f971)) [0107.353] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be60 [0107.353] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0107.353] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.353] GetProcessHeap () returned 0xbc0000 [0107.353] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xd4f9) returned 0xbf2638 [0107.353] GetSystemDefaultLangID () returned 0xbd0409 [0107.353] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.353] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xd4f9, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xd4f9, lpOverlapped=0x0) returned 1 [0107.356] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.356] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xd4f9, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xd4f9, lpOverlapped=0x0) returned 1 [0107.356] GetProcessHeap () returned 0xbc0000 [0107.356] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.357] CloseHandle (hObject=0x270) returned 1 [0107.357] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.357] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3a40 | out: hHeap=0x2680000) returned 1 [0107.357] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0107.357] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.357] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0107.358] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\V5V1hy.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\v5v1hy.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\V5V1hy.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\v5v1hy.gif.nefilim")) returned 1 [0107.358] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0107.358] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0107.358] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x189fe460, ftCreationTime.dwHighDateTime=0x1d5e5b9, ftLastAccessTime.dwLowDateTime=0x939ee7b0, ftLastAccessTime.dwHighDateTime=0x1d5e712, ftLastWriteTime.dwLowDateTime=0x939ee7b0, ftLastWriteTime.dwHighDateTime=0x1d5e712, nFileSizeHigh=0x0, nFileSizeLow=0x11c84, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="vr-78fRbdEcD9brqkuY.png", cAlternateFileName="VR-78F~1.PNG")) returned 1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2=".") returned 1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="..") returned 1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="...") returned 1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="windows") returned -1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="$RECYCLE.BIN") returned 1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="rsa") returned 1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="NTDETECT.COM") returned 1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="ntldr") returned 1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="MSDOS.SYS") returned 1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="IO.SYS") returned 1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="boot.ini") returned 1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="AUTOEXEC.BAT") returned 1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="ntuser.dat") returned 1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="desktop.ini") returned 1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="CONFIG.SYS") returned 1 [0107.358] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="RECYCLER") returned 1 [0107.359] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="BOOTSECT.BAK") returned 1 [0107.359] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="bootmgr") returned 1 [0107.359] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="programdata") returned 1 [0107.359] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="appdata") returned 1 [0107.359] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="program files") returned 1 [0107.359] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="program files (x86)") returned 1 [0107.359] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="microsoft") returned 1 [0107.359] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="sophos") returned 1 [0107.359] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bdf8 [0107.359] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.359] PathFindExtensionW (pszPath="vr-78fRbdEcD9brqkuY.png") returned=".png" [0107.359] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0107.359] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0107.359] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0107.359] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0107.359] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0107.359] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0107.359] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0107.359] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0107.359] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0107.359] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0107.359] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0107.359] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0107.359] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0107.359] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0107.359] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0107.359] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0107.359] lstrcmpiW (lpString1="vr-78fRbdEcD9brqkuY.png", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.359] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0107.359] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\vr-78fRbdEcD9brqkuY.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\vr-78frbdecd9brqkuy.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.359] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=72836) returned 1 [0107.359] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e258 [0107.360] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0107.360] SystemFunction036 (in: RandomBuffer=0x268e258, RandomBufferLength=0x10 | out: RandomBuffer=0x268e258) returned 1 [0107.360] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0107.360] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.360] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d25a0 [0107.360] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.362] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d25a0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d25a0*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.364] GetTickCount () returned 0x115bf93 [0107.364] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e688 [0107.364] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0107.364] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x11c84, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.364] SetLastError (dwErrCode=0x0) [0107.364] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.365] GetLastError () returned 0x0 [0107.365] GetLastError () returned 0x0 [0107.365] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x11d84, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.365] WriteFile (in: hFile=0x270, lpBuffer=0x29d25a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d25a0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.365] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x11e84, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.365] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3afd296a, dwHighDateTime=0x1d5f971)) [0107.365] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0107.365] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0107.365] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.365] GetProcessHeap () returned 0xbc0000 [0107.365] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11c84) returned 0xbf2638 [0107.365] GetSystemDefaultLangID () returned 0xbd0409 [0107.365] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.365] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x11c84, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x11c84, lpOverlapped=0x0) returned 1 [0107.369] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.369] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x11c84, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x11c84, lpOverlapped=0x0) returned 1 [0107.370] GetProcessHeap () returned 0xbc0000 [0107.370] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.370] CloseHandle (hObject=0x270) returned 1 [0107.370] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.370] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d25a0 | out: hHeap=0x2680000) returned 1 [0107.370] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e258 | out: hHeap=0x2680000) returned 1 [0107.370] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0107.370] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e800 [0107.370] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\vr-78fRbdEcD9brqkuY.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\vr-78frbdecd9brqkuy.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\vr-78fRbdEcD9brqkuY.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\vr-78frbdecd9brqkuy.png.nefilim")) returned 1 [0107.370] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e800 | out: hHeap=0x2680000) returned 1 [0107.370] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.370] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ac3e5b0, ftCreationTime.dwHighDateTime=0x1d5e929, ftLastAccessTime.dwLowDateTime=0x21caf120, ftLastAccessTime.dwHighDateTime=0x1d5eb8a, ftLastWriteTime.dwLowDateTime=0x21caf120, ftLastWriteTime.dwHighDateTime=0x1d5eb8a, nFileSizeHigh=0x0, nFileSizeLow=0x82f0, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="wwd6tmEnCnQD8LbC1BGn.gif", cAlternateFileName="WWD6TM~1.GIF")) returned 1 [0107.370] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2=".") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="..") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="...") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="windows") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="$RECYCLE.BIN") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="rsa") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="NTDETECT.COM") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="ntldr") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="MSDOS.SYS") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="IO.SYS") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="boot.ini") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="AUTOEXEC.BAT") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="ntuser.dat") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="desktop.ini") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="CONFIG.SYS") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="RECYCLER") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="BOOTSECT.BAK") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="bootmgr") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="programdata") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="appdata") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="program files") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="program files (x86)") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="microsoft") returned 1 [0107.371] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="sophos") returned 1 [0107.371] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0107.371] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0107.371] PathFindExtensionW (pszPath="wwd6tmEnCnQD8LbC1BGn.gif") returned=".gif" [0107.371] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0107.371] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0107.371] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0107.371] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0107.371] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0107.371] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0107.371] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0107.371] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0107.371] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0107.371] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0107.372] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0107.372] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0107.372] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0107.372] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0107.372] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0107.372] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0107.372] lstrcmpiW (lpString1="wwd6tmEnCnQD8LbC1BGn.gif", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.372] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0107.372] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\wwd6tmEnCnQD8LbC1BGn.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\wwd6tmencnqd8lbc1bgn.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.372] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=33520) returned 1 [0107.372] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.372] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e288 [0107.372] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.372] SystemFunction036 (in: RandomBuffer=0x268e288, RandomBufferLength=0x10 | out: RandomBuffer=0x268e288) returned 1 [0107.372] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.372] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3410 [0107.372] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.372] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3410*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3410*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.373] GetTickCount () returned 0x115bf93 [0107.373] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0107.373] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0107.373] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x82f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.373] SetLastError (dwErrCode=0x0) [0107.373] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.374] GetLastError () returned 0x0 [0107.374] GetLastError () returned 0x0 [0107.374] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x83f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.374] WriteFile (in: hFile=0x270, lpBuffer=0x29d3410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3410*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.374] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x84f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.374] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3afd296a, dwHighDateTime=0x1d5f971)) [0107.374] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2680540 [0107.374] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680540 | out: hHeap=0x2680000) returned 1 [0107.374] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.374] GetProcessHeap () returned 0xbc0000 [0107.374] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x82f0) returned 0xbf2638 [0107.374] GetSystemDefaultLangID () returned 0xbd0409 [0107.374] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.374] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x82f0, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x82f0, lpOverlapped=0x0) returned 1 [0107.376] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.376] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x82f0, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x82f0, lpOverlapped=0x0) returned 1 [0107.376] GetProcessHeap () returned 0xbc0000 [0107.376] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.376] CloseHandle (hObject=0x270) returned 1 [0107.376] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.376] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3410 | out: hHeap=0x2680000) returned 1 [0107.376] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.376] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e288 | out: hHeap=0x2680000) returned 1 [0107.376] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be18 [0107.376] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\wwd6tmEnCnQD8LbC1BGn.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\wwd6tmencnqd8lbc1bgn.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\wwd6tmEnCnQD8LbC1BGn.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\wwd6tmencnqd8lbc1bgn.gif.nefilim")) returned 1 [0107.377] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0107.377] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.377] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x832e8af0, ftCreationTime.dwHighDateTime=0x1d5e480, ftLastAccessTime.dwLowDateTime=0x139faae0, ftLastAccessTime.dwHighDateTime=0x1d5eeb5, ftLastWriteTime.dwLowDateTime=0x139faae0, ftLastWriteTime.dwHighDateTime=0x1d5eeb5, nFileSizeHigh=0x0, nFileSizeLow=0xf81f, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="w_1pdU.bmp", cAlternateFileName="")) returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2=".") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="..") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="...") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="windows") returned -1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="$RECYCLE.BIN") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="rsa") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="NTDETECT.COM") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="ntldr") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="MSDOS.SYS") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="IO.SYS") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="boot.ini") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="ntuser.dat") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="desktop.ini") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="CONFIG.SYS") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="RECYCLER") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="BOOTSECT.BAK") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="bootmgr") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="programdata") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="appdata") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="program files") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="program files (x86)") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="microsoft") returned 1 [0107.377] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="sophos") returned 1 [0107.377] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680540 [0107.377] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.377] PathFindExtensionW (pszPath="w_1pdU.bmp") returned=".bmp" [0107.377] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0107.377] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0107.377] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0107.378] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0107.378] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0107.378] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0107.378] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0107.378] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0107.378] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0107.378] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0107.378] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0107.378] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0107.378] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0107.378] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0107.378] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0107.378] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0107.378] lstrcmpiW (lpString1="w_1pdU.bmp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.378] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0107.378] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\w_1pdU.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\w_1pdu.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.378] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=63519) returned 1 [0107.378] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e258 [0107.378] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0107.378] SystemFunction036 (in: RandomBuffer=0x268e258, RandomBufferLength=0x10 | out: RandomBuffer=0x268e258) returned 1 [0107.378] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0107.378] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.378] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d26a8 [0107.378] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.379] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d26a8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d26a8*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.379] GetTickCount () returned 0x115bfa3 [0107.379] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0107.379] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0107.379] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xf81f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.379] SetLastError (dwErrCode=0x0) [0107.379] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.380] GetLastError () returned 0x0 [0107.380] GetLastError () returned 0x0 [0107.380] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xf91f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.380] WriteFile (in: hFile=0x270, lpBuffer=0x29d26a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d26a8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.380] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xfa1f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.380] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3aff8ba2, dwHighDateTime=0x1d5f971)) [0107.380] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0107.380] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.380] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.380] GetProcessHeap () returned 0xbc0000 [0107.380] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xf81f) returned 0xbf2638 [0107.380] GetSystemDefaultLangID () returned 0xbd0409 [0107.380] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.381] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xf81f, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xf81f, lpOverlapped=0x0) returned 1 [0107.384] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.384] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xf81f, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xf81f, lpOverlapped=0x0) returned 1 [0107.384] GetProcessHeap () returned 0xbc0000 [0107.384] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.385] CloseHandle (hObject=0x270) returned 1 [0107.385] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.385] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d26a8 | out: hHeap=0x2680000) returned 1 [0107.385] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e258 | out: hHeap=0x2680000) returned 1 [0107.385] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0107.385] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0107.385] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\w_1pdU.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\w_1pdu.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\w_1pdU.bmp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\w_1pdu.bmp.nefilim")) returned 1 [0107.386] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.386] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.386] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9f1fd50, ftCreationTime.dwHighDateTime=0x1d5e2c6, ftLastAccessTime.dwLowDateTime=0x1ff88590, ftLastAccessTime.dwHighDateTime=0x1d5e76d, ftLastWriteTime.dwLowDateTime=0x1ff88590, ftLastWriteTime.dwHighDateTime=0x1d5e76d, nFileSizeHigh=0x0, nFileSizeLow=0xa25b, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="ZYS9AcCViMFrQs.jpg", cAlternateFileName="ZYS9AC~1.JPG")) returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2=".") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="..") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="...") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="windows") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="$RECYCLE.BIN") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="rsa") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="NTDETECT.COM") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="ntldr") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="MSDOS.SYS") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="IO.SYS") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="boot.ini") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="ntuser.dat") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="desktop.ini") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="CONFIG.SYS") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="RECYCLER") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="BOOTSECT.BAK") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="bootmgr") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="programdata") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="appdata") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="program files") returned 1 [0107.386] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="program files (x86)") returned 1 [0107.387] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="microsoft") returned 1 [0107.387] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="sophos") returned 1 [0107.387] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0107.387] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680540 | out: hHeap=0x2680000) returned 1 [0107.387] PathFindExtensionW (pszPath="ZYS9AcCViMFrQs.jpg") returned=".jpg" [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0107.387] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0107.387] lstrcmpiW (lpString1="ZYS9AcCViMFrQs.jpg", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.387] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0107.387] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\ZYS9AcCViMFrQs.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\zys9accvimfrqs.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.387] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=41563) returned 1 [0107.387] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e270 [0107.387] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e288 [0107.387] SystemFunction036 (in: RandomBuffer=0x268e270, RandomBufferLength=0x10 | out: RandomBuffer=0x268e270) returned 1 [0107.387] SystemFunction036 (in: RandomBuffer=0x268e288, RandomBufferLength=0x10 | out: RandomBuffer=0x268e288) returned 1 [0107.387] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.388] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d29c0 [0107.388] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.390] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d29c0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d29c0*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.392] GetTickCount () returned 0x115bfa3 [0107.392] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0107.392] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0107.392] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xa25b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.392] SetLastError (dwErrCode=0x0) [0107.392] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.393] GetLastError () returned 0x0 [0107.393] GetLastError () returned 0x0 [0107.393] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xa35b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.393] WriteFile (in: hFile=0x270, lpBuffer=0x29d29c0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d29c0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.393] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xa45b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.393] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3aff8ba2, dwHighDateTime=0x1d5f971)) [0107.393] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0107.393] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.393] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.393] GetProcessHeap () returned 0xbc0000 [0107.393] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xa25b) returned 0xbf2638 [0107.393] GetSystemDefaultLangID () returned 0xbd0409 [0107.393] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.393] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xa25b, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xa25b, lpOverlapped=0x0) returned 1 [0107.496] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.496] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xa25b, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xa25b, lpOverlapped=0x0) returned 1 [0107.497] GetProcessHeap () returned 0xbc0000 [0107.497] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.497] CloseHandle (hObject=0x270) returned 1 [0107.497] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.497] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d29c0 | out: hHeap=0x2680000) returned 1 [0107.497] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e270 | out: hHeap=0x2680000) returned 1 [0107.497] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e288 | out: hHeap=0x2680000) returned 1 [0107.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0107.497] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\ZYS9AcCViMFrQs.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\zys9accvimfrqs.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\ZYS9AcCViMFrQs.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\zys9accvimfrqs.jpg.nefilim")) returned 1 [0107.498] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.498] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0107.498] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b6347f0, ftCreationTime.dwHighDateTime=0x1d5efe3, ftLastAccessTime.dwLowDateTime=0xa7192290, ftLastAccessTime.dwHighDateTime=0x1d5e8b3, ftLastWriteTime.dwLowDateTime=0xa7192290, ftLastWriteTime.dwHighDateTime=0x1d5e8b3, nFileSizeHigh=0x0, nFileSizeLow=0x31af, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="_ricrdBjzl.png", cAlternateFileName="_RICRD~1.PNG")) returned 1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2=".") returned 1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="..") returned 1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="...") returned 1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="windows") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="$RECYCLE.BIN") returned 1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="rsa") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="NTDETECT.COM") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="ntldr") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="MSDOS.SYS") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="IO.SYS") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="boot.ini") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="AUTOEXEC.BAT") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="ntuser.dat") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="desktop.ini") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="CONFIG.SYS") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="RECYCLER") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="BOOTSECT.BAK") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="bootmgr") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="programdata") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="appdata") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="program files") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="program files (x86)") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="microsoft") returned -1 [0107.498] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="sophos") returned -1 [0107.498] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0107.498] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.498] PathFindExtensionW (pszPath="_ricrdBjzl.png") returned=".png" [0107.498] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0107.498] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0107.498] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0107.499] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0107.499] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0107.499] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0107.499] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0107.499] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0107.499] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0107.499] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0107.499] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0107.499] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0107.499] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0107.499] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0107.499] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0107.499] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0107.499] lstrcmpiW (lpString1="_ricrdBjzl.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.499] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0107.499] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\_ricrdBjzl.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\_ricrdbjzl.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.499] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=12719) returned 1 [0107.499] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e258 [0107.499] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e270 [0107.499] SystemFunction036 (in: RandomBuffer=0x268e258, RandomBufferLength=0x10 | out: RandomBuffer=0x268e258) returned 1 [0107.499] SystemFunction036 (in: RandomBuffer=0x268e270, RandomBufferLength=0x10 | out: RandomBuffer=0x268e270) returned 1 [0107.499] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.499] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3728 [0107.499] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.500] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3728*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3728*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.500] GetTickCount () returned 0x115c010 [0107.500] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0107.500] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0107.500] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x31af, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.500] SetLastError (dwErrCode=0x0) [0107.500] WriteFile (in: hFile=0x270, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.501] GetLastError () returned 0x0 [0107.501] GetLastError () returned 0x0 [0107.501] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x32af, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.501] WriteFile (in: hFile=0x270, lpBuffer=0x29d3728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3728*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.501] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x33af, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.501] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3b103e21, dwHighDateTime=0x1d5f971)) [0107.501] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0107.501] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.501] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.501] GetProcessHeap () returned 0xbc0000 [0107.501] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x31af) returned 0xbf2638 [0107.501] GetSystemDefaultLangID () returned 0xbd0409 [0107.501] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.501] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x31af, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x31af, lpOverlapped=0x0) returned 1 [0107.502] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.502] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x31af, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x31af, lpOverlapped=0x0) returned 1 [0107.502] GetProcessHeap () returned 0xbc0000 [0107.502] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.502] CloseHandle (hObject=0x270) returned 1 [0107.502] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.502] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3728 | out: hHeap=0x2680000) returned 1 [0107.502] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e258 | out: hHeap=0x2680000) returned 1 [0107.502] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e270 | out: hHeap=0x2680000) returned 1 [0107.502] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0107.502] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\_ricrdBjzl.png" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\_ricrdbjzl.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\NuVIUAELS\\_ricrdBjzl.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\nuviuaels\\_ricrdbjzl.png.nefilim")) returned 1 [0107.503] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.503] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.503] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4b6347f0, ftCreationTime.dwHighDateTime=0x1d5efe3, ftLastAccessTime.dwLowDateTime=0xa7192290, ftLastAccessTime.dwHighDateTime=0x1d5e8b3, ftLastWriteTime.dwLowDateTime=0xa7192290, ftLastWriteTime.dwHighDateTime=0x1d5e8b3, nFileSizeHigh=0x0, nFileSizeLow=0x31af, dwReserved0=0x268e2e8, dwReserved1=0x80, cFileName="_ricrdBjzl.png", cAlternateFileName="_RICRD~1.PNG")) returned 0 [0107.503] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0107.503] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0107.503] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0107.503] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0107.503] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2694e2c0, ftCreationTime.dwHighDateTime=0x1d5ee9f, ftLastAccessTime.dwLowDateTime=0x4a323800, ftLastAccessTime.dwHighDateTime=0x1d5e68d, ftLastWriteTime.dwLowDateTime=0x4a323800, ftLastWriteTime.dwHighDateTime=0x1d5e68d, nFileSizeHigh=0x0, nFileSizeLow=0x8202, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="P3qzmE.png", cAlternateFileName="")) returned 1 [0107.503] lstrcmpiW (lpString1="P3qzmE.png", lpString2=".") returned 1 [0107.503] lstrcmpiW (lpString1="P3qzmE.png", lpString2="..") returned 1 [0107.503] lstrcmpiW (lpString1="P3qzmE.png", lpString2="...") returned 1 [0107.503] lstrcmpiW (lpString1="P3qzmE.png", lpString2="windows") returned -1 [0107.503] lstrcmpiW (lpString1="P3qzmE.png", lpString2="$RECYCLE.BIN") returned 1 [0107.503] lstrcmpiW (lpString1="P3qzmE.png", lpString2="rsa") returned -1 [0107.503] lstrcmpiW (lpString1="P3qzmE.png", lpString2="NTDETECT.COM") returned 1 [0107.503] lstrcmpiW (lpString1="P3qzmE.png", lpString2="ntldr") returned 1 [0107.503] lstrcmpiW (lpString1="P3qzmE.png", lpString2="MSDOS.SYS") returned 1 [0107.503] lstrcmpiW (lpString1="P3qzmE.png", lpString2="IO.SYS") returned 1 [0107.503] lstrcmpiW (lpString1="P3qzmE.png", lpString2="boot.ini") returned 1 [0107.503] lstrcmpiW (lpString1="P3qzmE.png", lpString2="AUTOEXEC.BAT") returned 1 [0107.503] lstrcmpiW (lpString1="P3qzmE.png", lpString2="ntuser.dat") returned 1 [0107.503] lstrcmpiW (lpString1="P3qzmE.png", lpString2="desktop.ini") returned 1 [0107.504] lstrcmpiW (lpString1="P3qzmE.png", lpString2="CONFIG.SYS") returned 1 [0107.504] lstrcmpiW (lpString1="P3qzmE.png", lpString2="RECYCLER") returned -1 [0107.504] lstrcmpiW (lpString1="P3qzmE.png", lpString2="BOOTSECT.BAK") returned 1 [0107.504] lstrcmpiW (lpString1="P3qzmE.png", lpString2="bootmgr") returned 1 [0107.504] lstrcmpiW (lpString1="P3qzmE.png", lpString2="programdata") returned -1 [0107.504] lstrcmpiW (lpString1="P3qzmE.png", lpString2="appdata") returned 1 [0107.504] lstrcmpiW (lpString1="P3qzmE.png", lpString2="program files") returned -1 [0107.504] lstrcmpiW (lpString1="P3qzmE.png", lpString2="program files (x86)") returned -1 [0107.504] lstrcmpiW (lpString1="P3qzmE.png", lpString2="microsoft") returned 1 [0107.504] lstrcmpiW (lpString1="P3qzmE.png", lpString2="sophos") returned -1 [0107.504] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0107.504] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.504] PathFindExtensionW (pszPath="P3qzmE.png") returned=".png" [0107.504] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0107.504] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0107.504] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0107.504] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0107.504] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0107.504] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0107.504] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0107.504] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0107.504] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0107.504] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0107.504] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0107.504] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0107.504] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0107.504] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0107.504] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0107.504] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0107.504] lstrcmpiW (lpString1="P3qzmE.png", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.504] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0107.504] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\P3qzmE.png" (normalized: "c:\\users\\fd1hvy\\pictures\\p3qzme.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0107.505] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=33282) returned 1 [0107.505] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e288 [0107.505] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0107.505] SystemFunction036 (in: RandomBuffer=0x268e288, RandomBufferLength=0x10 | out: RandomBuffer=0x268e288) returned 1 [0107.505] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0107.505] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.505] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3b48 [0107.505] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x100) returned 1 [0107.505] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3b48*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3b48*, pdwDataLen=0x25beab4*=0x100) returned 1 [0107.505] GetTickCount () returned 0x115c020 [0107.505] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0107.505] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0107.505] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x8202, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.505] SetLastError (dwErrCode=0x0) [0107.505] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0107.506] GetLastError () returned 0x0 [0107.506] GetLastError () returned 0x0 [0107.506] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x8302, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.506] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3b48*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0107.506] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x8402, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.506] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3b129f52, dwHighDateTime=0x1d5f971)) [0107.506] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e398 [0107.506] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0107.506] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0107.507] GetProcessHeap () returned 0xbc0000 [0107.507] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x8202) returned 0xbf1630 [0107.507] GetSystemDefaultLangID () returned 0xbd0409 [0107.507] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.507] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x8202, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x8202, lpOverlapped=0x0) returned 1 [0107.508] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.508] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x8202, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x8202, lpOverlapped=0x0) returned 1 [0107.509] GetProcessHeap () returned 0xbc0000 [0107.509] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0107.509] CloseHandle (hObject=0x26c) returned 1 [0107.509] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.509] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3b48 | out: hHeap=0x2680000) returned 1 [0107.509] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e288 | out: hHeap=0x2680000) returned 1 [0107.509] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0107.509] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0107.509] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\P3qzmE.png" (normalized: "c:\\users\\fd1hvy\\pictures\\p3qzme.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\P3qzmE.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\p3qzme.png.nefilim")) returned 1 [0107.509] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.509] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.509] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x814aa100, ftCreationTime.dwHighDateTime=0x1d5f0bb, ftLastAccessTime.dwLowDateTime=0xc961b120, ftLastAccessTime.dwHighDateTime=0x1d5ec71, ftLastWriteTime.dwLowDateTime=0xc961b120, ftLastWriteTime.dwHighDateTime=0x1d5ec71, nFileSizeHigh=0x0, nFileSizeLow=0x1f25, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="RRCcEyzi kJep.png", cAlternateFileName="RRCCEY~1.PNG")) returned 1 [0107.509] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2=".") returned 1 [0107.509] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="..") returned 1 [0107.509] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="...") returned 1 [0107.509] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="windows") returned -1 [0107.509] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="$RECYCLE.BIN") returned 1 [0107.509] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="rsa") returned -1 [0107.509] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="NTDETECT.COM") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="ntldr") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="MSDOS.SYS") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="IO.SYS") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="boot.ini") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="AUTOEXEC.BAT") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="ntuser.dat") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="desktop.ini") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="CONFIG.SYS") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="RECYCLER") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="BOOTSECT.BAK") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="bootmgr") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="programdata") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="appdata") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="program files") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="program files (x86)") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="microsoft") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="sophos") returned -1 [0107.510] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0107.510] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0107.510] PathFindExtensionW (pszPath="RRCcEyzi kJep.png") returned=".png" [0107.510] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0107.510] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0107.510] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0107.510] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0107.510] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0107.510] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0107.510] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0107.510] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0107.510] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0107.510] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0107.510] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0107.510] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0107.510] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0107.510] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0107.510] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0107.510] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0107.510] lstrcmpiW (lpString1="RRCcEyzi kJep.png", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.511] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680520 [0107.511] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\RRCcEyzi kJep.png" (normalized: "c:\\users\\fd1hvy\\pictures\\rrcceyzi kjep.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0107.511] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=7973) returned 1 [0107.511] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e270 [0107.511] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e288 [0107.511] SystemFunction036 (in: RandomBuffer=0x268e270, RandomBufferLength=0x10 | out: RandomBuffer=0x268e270) returned 1 [0107.511] SystemFunction036 (in: RandomBuffer=0x268e288, RandomBufferLength=0x10 | out: RandomBuffer=0x268e288) returned 1 [0107.511] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.511] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d27b0 [0107.511] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x100) returned 1 [0107.511] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d27b0*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d27b0*, pdwDataLen=0x25beab4*=0x100) returned 1 [0107.513] GetTickCount () returned 0x115c020 [0107.513] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0107.513] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0107.513] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1f25, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.513] SetLastError (dwErrCode=0x0) [0107.513] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0107.514] GetLastError () returned 0x0 [0107.514] GetLastError () returned 0x0 [0107.514] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x2025, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.514] WriteFile (in: hFile=0x26c, lpBuffer=0x29d27b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d27b0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0107.514] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x2125, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.514] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3b129f52, dwHighDateTime=0x1d5f971)) [0107.514] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e2e8 [0107.514] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.514] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0107.514] GetProcessHeap () returned 0xbc0000 [0107.514] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1f25) returned 0xbf1630 [0107.515] GetSystemDefaultLangID () returned 0xbd0409 [0107.515] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.515] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x1f25, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x1f25, lpOverlapped=0x0) returned 1 [0107.516] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.516] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x1f25, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x1f25, lpOverlapped=0x0) returned 1 [0107.516] GetProcessHeap () returned 0xbc0000 [0107.516] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0107.516] CloseHandle (hObject=0x26c) returned 1 [0107.516] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.516] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d27b0 | out: hHeap=0x2680000) returned 1 [0107.516] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e270 | out: hHeap=0x2680000) returned 1 [0107.516] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e288 | out: hHeap=0x2680000) returned 1 [0107.516] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0107.516] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\RRCcEyzi kJep.png" (normalized: "c:\\users\\fd1hvy\\pictures\\rrcceyzi kjep.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\RRCcEyzi kJep.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\rrcceyzi kjep.png.nefilim")) returned 1 [0107.516] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.517] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0107.517] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="Saved Pictures", cAlternateFileName="SAVEDP~1")) returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2=".") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="..") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="...") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="windows") returned -1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="$RECYCLE.BIN") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="rsa") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="NTDETECT.COM") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="ntldr") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="MSDOS.SYS") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="IO.SYS") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="boot.ini") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="ntuser.dat") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="desktop.ini") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="CONFIG.SYS") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="RECYCLER") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="BOOTSECT.BAK") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="bootmgr") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="programdata") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="appdata") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="program files") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="program files (x86)") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="microsoft") returned 1 [0107.517] lstrcmpiW (lpString1="Saved Pictures", lpString2="sophos") returned -1 [0107.517] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680520 [0107.517] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x76) returned 0x268e2e8 [0107.517] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0107.517] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.517] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e368 [0107.517] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0107.517] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680520 [0107.517] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Pictures\\Saved Pictures\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680520, dwReserved1=0x29000029, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0107.518] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.518] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0xd45b4e37, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x2680520, dwReserved1=0x29000029, cFileName="..", cAlternateFileName="")) returned 1 [0107.518] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.518] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.518] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51311410, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x2680520, dwReserved1=0x29000029, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0107.518] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0107.518] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0107.518] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0107.518] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0107.518] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0107.518] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0107.519] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0107.519] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0107.519] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0107.519] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0107.519] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0107.519] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0107.519] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0107.519] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0107.519] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0x51311410, ftCreationTime.dwHighDateTime=0x1d32715, ftLastAccessTime.dwLowDateTime=0x51311410, ftLastAccessTime.dwHighDateTime=0x1d32715, ftLastWriteTime.dwLowDateTime=0x51311410, ftLastWriteTime.dwHighDateTime=0x1d32715, nFileSizeHigh=0x0, nFileSizeLow=0xbe, dwReserved0=0x2680520, dwReserved1=0x29000029, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0107.519] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0107.519] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0107.519] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.519] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e368 | out: hHeap=0x2680000) returned 1 [0107.519] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x281aade0, ftCreationTime.dwHighDateTime=0x1d5eeeb, ftLastAccessTime.dwLowDateTime=0x9b78fdd0, ftLastAccessTime.dwHighDateTime=0x1d5e187, ftLastWriteTime.dwLowDateTime=0x9b78fdd0, ftLastWriteTime.dwHighDateTime=0x1d5e187, nFileSizeHigh=0x0, nFileSizeLow=0x185f5, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="UgZa.png", cAlternateFileName="")) returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2=".") returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="..") returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="...") returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="windows") returned -1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="$RECYCLE.BIN") returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="rsa") returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="NTDETECT.COM") returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="ntldr") returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="MSDOS.SYS") returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="IO.SYS") returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="boot.ini") returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="AUTOEXEC.BAT") returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="ntuser.dat") returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="desktop.ini") returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="CONFIG.SYS") returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="RECYCLER") returned 1 [0107.519] lstrcmpiW (lpString1="UgZa.png", lpString2="BOOTSECT.BAK") returned 1 [0107.520] lstrcmpiW (lpString1="UgZa.png", lpString2="bootmgr") returned 1 [0107.520] lstrcmpiW (lpString1="UgZa.png", lpString2="programdata") returned 1 [0107.520] lstrcmpiW (lpString1="UgZa.png", lpString2="appdata") returned 1 [0107.520] lstrcmpiW (lpString1="UgZa.png", lpString2="program files") returned 1 [0107.520] lstrcmpiW (lpString1="UgZa.png", lpString2="program files (x86)") returned 1 [0107.520] lstrcmpiW (lpString1="UgZa.png", lpString2="microsoft") returned 1 [0107.520] lstrcmpiW (lpString1="UgZa.png", lpString2="sophos") returned 1 [0107.520] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e368 [0107.520] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.520] PathFindExtensionW (pszPath="UgZa.png") returned=".png" [0107.520] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0107.520] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0107.520] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0107.520] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0107.520] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0107.520] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0107.520] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0107.520] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0107.520] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0107.520] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0107.520] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0107.520] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0107.520] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0107.520] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0107.520] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0107.520] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0107.520] lstrcmpiW (lpString1="UgZa.png", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.520] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0107.520] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\UgZa.png" (normalized: "c:\\users\\fd1hvy\\pictures\\ugza.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0107.520] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=99829) returned 1 [0107.520] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e258 [0107.520] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e288 [0107.520] SystemFunction036 (in: RandomBuffer=0x268e258, RandomBufferLength=0x10 | out: RandomBuffer=0x268e258) returned 1 [0107.521] SystemFunction036 (in: RandomBuffer=0x268e288, RandomBufferLength=0x10 | out: RandomBuffer=0x268e288) returned 1 [0107.521] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.521] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3e60 [0107.521] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x100) returned 1 [0107.521] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3e60*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3e60*, pdwDataLen=0x25beab4*=0x100) returned 1 [0107.521] GetTickCount () returned 0x115c02f [0107.521] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0107.521] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0107.521] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x185f5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.521] SetLastError (dwErrCode=0x0) [0107.521] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0107.522] GetLastError () returned 0x0 [0107.522] GetLastError () returned 0x0 [0107.522] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x186f5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.522] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3e60*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3e60*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0107.522] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x187f5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.522] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3b150098, dwHighDateTime=0x1d5f971)) [0107.522] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0107.522] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.522] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0107.522] GetProcessHeap () returned 0xbc0000 [0107.523] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x185f5) returned 0xbf1630 [0107.523] GetSystemDefaultLangID () returned 0xbd0409 [0107.523] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.523] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x185f5, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x185f5, lpOverlapped=0x0) returned 1 [0107.528] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.528] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x185f5, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x185f5, lpOverlapped=0x0) returned 1 [0107.529] GetProcessHeap () returned 0xbc0000 [0107.529] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0107.529] CloseHandle (hObject=0x26c) returned 1 [0107.529] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.529] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3e60 | out: hHeap=0x2680000) returned 1 [0107.529] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e258 | out: hHeap=0x2680000) returned 1 [0107.529] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e288 | out: hHeap=0x2680000) returned 1 [0107.529] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0107.529] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\UgZa.png" (normalized: "c:\\users\\fd1hvy\\pictures\\ugza.png"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\UgZa.png.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\ugza.png.nefilim")) returned 1 [0107.529] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.529] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.529] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2f899c0, ftCreationTime.dwHighDateTime=0x1d5ec89, ftLastAccessTime.dwLowDateTime=0x682b6180, ftLastAccessTime.dwHighDateTime=0x1d5e749, ftLastWriteTime.dwLowDateTime=0x682b6180, ftLastWriteTime.dwHighDateTime=0x1d5e749, nFileSizeHigh=0x0, nFileSizeLow=0x110e7, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="WN-YxcbOGX.bmp", cAlternateFileName="WN-YXC~1.BMP")) returned 1 [0107.529] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2=".") returned 1 [0107.529] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="..") returned 1 [0107.529] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="...") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="windows") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="$RECYCLE.BIN") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="rsa") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="NTDETECT.COM") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="ntldr") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="MSDOS.SYS") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="IO.SYS") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="boot.ini") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="AUTOEXEC.BAT") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="ntuser.dat") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="desktop.ini") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="CONFIG.SYS") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="RECYCLER") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="BOOTSECT.BAK") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="bootmgr") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="programdata") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="appdata") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="program files") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="program files (x86)") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="microsoft") returned 1 [0107.530] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="sophos") returned 1 [0107.530] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0107.530] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e368 | out: hHeap=0x2680000) returned 1 [0107.530] PathFindExtensionW (pszPath="WN-YxcbOGX.bmp") returned=".bmp" [0107.530] lstrcmpiW (lpString1=".bmp", lpString2=".exe") returned -1 [0107.530] lstrcmpiW (lpString1=".bmp", lpString2=".log") returned -1 [0107.530] lstrcmpiW (lpString1=".bmp", lpString2=".cab") returned -1 [0107.530] lstrcmpiW (lpString1=".bmp", lpString2=".cmd") returned -1 [0107.530] lstrcmpiW (lpString1=".bmp", lpString2=".com") returned -1 [0107.530] lstrcmpiW (lpString1=".bmp", lpString2=".cpl") returned -1 [0107.530] lstrcmpiW (lpString1=".bmp", lpString2=".ini") returned -1 [0107.530] lstrcmpiW (lpString1=".bmp", lpString2=".dll") returned -1 [0107.530] lstrcmpiW (lpString1=".bmp", lpString2=".url") returned -1 [0107.530] lstrcmpiW (lpString1=".bmp", lpString2=".ttf") returned -1 [0107.530] lstrcmpiW (lpString1=".bmp", lpString2=".mp3") returned -1 [0107.530] lstrcmpiW (lpString1=".bmp", lpString2=".pif") returned -1 [0107.531] lstrcmpiW (lpString1=".bmp", lpString2=".mp4") returned -1 [0107.531] lstrcmpiW (lpString1=".bmp", lpString2=".NEFILIM") returned -1 [0107.531] lstrcmpiW (lpString1=".bmp", lpString2=".msi") returned -1 [0107.531] lstrcmpiW (lpString1=".bmp", lpString2=".lnk") returned -1 [0107.531] lstrcmpiW (lpString1="WN-YxcbOGX.bmp", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.531] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0107.531] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\WN-YxcbOGX.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\wn-yxcbogx.bmp"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0107.531] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=69863) returned 1 [0107.531] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.531] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e258 [0107.531] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.531] SystemFunction036 (in: RandomBuffer=0x268e258, RandomBufferLength=0x10 | out: RandomBuffer=0x268e258) returned 1 [0107.531] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.531] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3620 [0107.531] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x100) returned 1 [0107.531] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3620*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3620*, pdwDataLen=0x25beab4*=0x100) returned 1 [0107.532] GetTickCount () returned 0x115c02f [0107.532] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0107.532] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0107.532] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x110e7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.532] SetLastError (dwErrCode=0x0) [0107.532] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0107.532] GetLastError () returned 0x0 [0107.532] GetLastError () returned 0x0 [0107.532] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x111e7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.533] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3620*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0107.533] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x112e7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.533] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3b150098, dwHighDateTime=0x1d5f971)) [0107.533] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e398 [0107.533] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0107.533] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0107.533] GetProcessHeap () returned 0xbc0000 [0107.533] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x110e7) returned 0xbf1630 [0107.533] GetSystemDefaultLangID () returned 0xbd0409 [0107.533] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.533] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x110e7, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x110e7, lpOverlapped=0x0) returned 1 [0107.604] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.604] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x110e7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x110e7, lpOverlapped=0x0) returned 1 [0107.605] GetProcessHeap () returned 0xbc0000 [0107.605] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0107.605] CloseHandle (hObject=0x26c) returned 1 [0107.605] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.605] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3620 | out: hHeap=0x2680000) returned 1 [0107.605] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.605] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e258 | out: hHeap=0x2680000) returned 1 [0107.605] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0107.605] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\WN-YxcbOGX.bmp" (normalized: "c:\\users\\fd1hvy\\pictures\\wn-yxcbogx.bmp"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\WN-YxcbOGX.bmp.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\wn-yxcbogx.bmp.nefilim")) returned 1 [0107.605] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.606] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0107.606] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3524be30, ftCreationTime.dwHighDateTime=0x1d5f009, ftLastAccessTime.dwLowDateTime=0x62f01cd0, ftLastAccessTime.dwHighDateTime=0x1d5f02f, ftLastWriteTime.dwLowDateTime=0x62f01cd0, ftLastWriteTime.dwHighDateTime=0x1d5f02f, nFileSizeHigh=0x0, nFileSizeLow=0x11ad4, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="wyOW6q3stEs0tR99UdnP.jpg", cAlternateFileName="WYOW6Q~1.JPG")) returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2=".") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="..") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="...") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="windows") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="$RECYCLE.BIN") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="rsa") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="NTDETECT.COM") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="ntldr") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="MSDOS.SYS") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="IO.SYS") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="boot.ini") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="AUTOEXEC.BAT") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="ntuser.dat") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="desktop.ini") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="CONFIG.SYS") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="RECYCLER") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="BOOTSECT.BAK") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="bootmgr") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="programdata") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="appdata") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="program files") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="program files (x86)") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="microsoft") returned 1 [0107.606] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="sophos") returned 1 [0107.606] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e340 [0107.606] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.606] PathFindExtensionW (pszPath="wyOW6q3stEs0tR99UdnP.jpg") returned=".jpg" [0107.606] lstrcmpiW (lpString1=".jpg", lpString2=".exe") returned 1 [0107.606] lstrcmpiW (lpString1=".jpg", lpString2=".log") returned -1 [0107.606] lstrcmpiW (lpString1=".jpg", lpString2=".cab") returned 1 [0107.606] lstrcmpiW (lpString1=".jpg", lpString2=".cmd") returned 1 [0107.606] lstrcmpiW (lpString1=".jpg", lpString2=".com") returned 1 [0107.606] lstrcmpiW (lpString1=".jpg", lpString2=".cpl") returned 1 [0107.607] lstrcmpiW (lpString1=".jpg", lpString2=".ini") returned 1 [0107.607] lstrcmpiW (lpString1=".jpg", lpString2=".dll") returned 1 [0107.607] lstrcmpiW (lpString1=".jpg", lpString2=".url") returned -1 [0107.607] lstrcmpiW (lpString1=".jpg", lpString2=".ttf") returned -1 [0107.607] lstrcmpiW (lpString1=".jpg", lpString2=".mp3") returned -1 [0107.607] lstrcmpiW (lpString1=".jpg", lpString2=".pif") returned -1 [0107.607] lstrcmpiW (lpString1=".jpg", lpString2=".mp4") returned -1 [0107.607] lstrcmpiW (lpString1=".jpg", lpString2=".NEFILIM") returned -1 [0107.607] lstrcmpiW (lpString1=".jpg", lpString2=".msi") returned -1 [0107.607] lstrcmpiW (lpString1=".jpg", lpString2=".lnk") returned -1 [0107.607] lstrcmpiW (lpString1="wyOW6q3stEs0tR99UdnP.jpg", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.607] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0107.607] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\wyOW6q3stEs0tR99UdnP.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\wyow6q3stes0tr99udnp.jpg"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0107.607] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=72404) returned 1 [0107.607] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e258 [0107.607] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.607] SystemFunction036 (in: RandomBuffer=0x268e258, RandomBufferLength=0x10 | out: RandomBuffer=0x268e258) returned 1 [0107.607] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.607] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.607] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3b48 [0107.607] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x100) returned 1 [0107.607] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3b48*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3b48*, pdwDataLen=0x25beab4*=0x100) returned 1 [0107.608] GetTickCount () returned 0x115c07e [0107.608] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0107.608] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0107.608] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x11ad4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.608] SetLastError (dwErrCode=0x0) [0107.608] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0107.609] GetLastError () returned 0x0 [0107.609] GetLastError () returned 0x0 [0107.609] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x11bd4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.609] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3b48*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0107.609] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x11cd4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.609] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3b20ee53, dwHighDateTime=0x1d5f971)) [0107.609] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e2e8 [0107.609] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.609] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0107.609] GetProcessHeap () returned 0xbc0000 [0107.609] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11ad4) returned 0xbf1630 [0107.609] GetSystemDefaultLangID () returned 0xbd0409 [0107.609] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.609] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x11ad4, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x11ad4, lpOverlapped=0x0) returned 1 [0107.613] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.613] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x11ad4, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x11ad4, lpOverlapped=0x0) returned 1 [0107.613] GetProcessHeap () returned 0xbc0000 [0107.613] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0107.613] CloseHandle (hObject=0x26c) returned 1 [0107.613] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.613] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3b48 | out: hHeap=0x2680000) returned 1 [0107.688] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e258 | out: hHeap=0x2680000) returned 1 [0107.688] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.688] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0107.688] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\wyOW6q3stEs0tR99UdnP.jpg" (normalized: "c:\\users\\fd1hvy\\pictures\\wyow6q3stes0tr99udnp.jpg"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\wyOW6q3stEs0tR99UdnP.jpg.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\wyow6q3stes0tr99udnp.jpg.nefilim")) returned 1 [0107.689] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.689] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.689] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x568ae2f0, ftCreationTime.dwHighDateTime=0x1d5e327, ftLastAccessTime.dwLowDateTime=0xfc99d700, ftLastAccessTime.dwHighDateTime=0x1d5edbd, ftLastWriteTime.dwLowDateTime=0xfc99d700, ftLastWriteTime.dwHighDateTime=0x1d5edbd, nFileSizeHigh=0x0, nFileSizeLow=0x10ff3, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="XJRV8whtuNcitbsheVtm.gif", cAlternateFileName="XJRV8W~1.GIF")) returned 1 [0107.689] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2=".") returned 1 [0107.689] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="..") returned 1 [0107.689] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="...") returned 1 [0107.689] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="windows") returned 1 [0107.689] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="$RECYCLE.BIN") returned 1 [0107.689] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="rsa") returned 1 [0107.689] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="NTDETECT.COM") returned 1 [0107.689] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="ntldr") returned 1 [0107.689] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="MSDOS.SYS") returned 1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="IO.SYS") returned 1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="boot.ini") returned 1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="AUTOEXEC.BAT") returned 1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="ntuser.dat") returned 1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="desktop.ini") returned 1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="CONFIG.SYS") returned 1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="RECYCLER") returned 1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="BOOTSECT.BAK") returned 1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="bootmgr") returned 1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="programdata") returned 1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="appdata") returned 1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="program files") returned 1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="program files (x86)") returned 1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="microsoft") returned 1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="sophos") returned 1 [0107.690] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0107.690] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0107.690] PathFindExtensionW (pszPath="XJRV8whtuNcitbsheVtm.gif") returned=".gif" [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0107.690] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0107.690] lstrcmpiW (lpString1="XJRV8whtuNcitbsheVtm.gif", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.690] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680530 [0107.690] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Pictures\\XJRV8whtuNcitbsheVtm.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\xjrv8whtuncitbshevtm.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0107.691] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=69619) returned 1 [0107.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0107.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e258 [0107.691] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0107.691] SystemFunction036 (in: RandomBuffer=0x268e258, RandomBufferLength=0x10 | out: RandomBuffer=0x268e258) returned 1 [0107.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d29c0 [0107.691] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x100) returned 1 [0107.691] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d29c0*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d29c0*, pdwDataLen=0x25beab4*=0x100) returned 1 [0107.693] GetTickCount () returned 0x115c0db [0107.693] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0107.693] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0107.693] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x10ff3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.693] SetLastError (dwErrCode=0x0) [0107.693] WriteFile (in: hFile=0x26c, lpBuffer=0x29d1e58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d1e58*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0107.694] GetLastError () returned 0x0 [0107.694] GetLastError () returned 0x0 [0107.694] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x110f3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.694] WriteFile (in: hFile=0x26c, lpBuffer=0x29d29c0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d29c0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0107.694] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x111f3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.694] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3b2f3ad7, dwHighDateTime=0x1d5f971)) [0107.694] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e2e8 [0107.694] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.694] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0107.694] GetProcessHeap () returned 0xbc0000 [0107.694] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10ff3) returned 0xbf1630 [0107.696] GetSystemDefaultLangID () returned 0xbd0409 [0107.696] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.696] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x10ff3, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x10ff3, lpOverlapped=0x0) returned 1 [0107.700] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.700] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x10ff3, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x10ff3, lpOverlapped=0x0) returned 1 [0107.700] GetProcessHeap () returned 0xbc0000 [0107.700] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0107.700] CloseHandle (hObject=0x26c) returned 1 [0107.700] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d1e58 | out: hHeap=0x2680000) returned 1 [0107.700] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d29c0 | out: hHeap=0x2680000) returned 1 [0107.700] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2d0 | out: hHeap=0x2680000) returned 1 [0107.700] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e258 | out: hHeap=0x2680000) returned 1 [0107.700] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0107.700] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Pictures\\XJRV8whtuNcitbsheVtm.gif" (normalized: "c:\\users\\fd1hvy\\pictures\\xjrv8whtuncitbshevtm.gif"), lpNewFileName="C:\\Users\\FD1HVy\\Pictures\\XJRV8whtuNcitbsheVtm.gif.NEFILIM" (normalized: "c:\\users\\fd1hvy\\pictures\\xjrv8whtuncitbshevtm.gif.nefilim")) returned 1 [0107.701] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.701] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680530 | out: hHeap=0x2680000) returned 1 [0107.701] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x568ae2f0, ftCreationTime.dwHighDateTime=0x1d5e327, ftLastAccessTime.dwLowDateTime=0xfc99d700, ftLastAccessTime.dwHighDateTime=0x1d5edbd, ftLastWriteTime.dwLowDateTime=0xfc99d700, ftLastWriteTime.dwHighDateTime=0x1d5edbd, nFileSizeHigh=0x0, nFileSizeLow=0x10ff3, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="XJRV8whtuNcitbsheVtm.gif", cAlternateFileName="XJRV8W~1.GIF")) returned 0 [0107.701] FindClose (in: hFindFile=0xbe2348 | out: hFindFile=0xbe2348) returned 1 [0107.701] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.701] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0107.701] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0107.701] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="PrintHood", cAlternateFileName="PRINTH~1")) returned 1 [0107.701] lstrcmpiW (lpString1="PrintHood", lpString2=".") returned 1 [0107.701] lstrcmpiW (lpString1="PrintHood", lpString2="..") returned 1 [0107.701] lstrcmpiW (lpString1="PrintHood", lpString2="...") returned 1 [0107.701] lstrcmpiW (lpString1="PrintHood", lpString2="windows") returned -1 [0107.701] lstrcmpiW (lpString1="PrintHood", lpString2="$RECYCLE.BIN") returned 1 [0107.701] lstrcmpiW (lpString1="PrintHood", lpString2="rsa") returned -1 [0107.701] lstrcmpiW (lpString1="PrintHood", lpString2="NTDETECT.COM") returned 1 [0107.701] lstrcmpiW (lpString1="PrintHood", lpString2="ntldr") returned 1 [0107.701] lstrcmpiW (lpString1="PrintHood", lpString2="MSDOS.SYS") returned 1 [0107.701] lstrcmpiW (lpString1="PrintHood", lpString2="IO.SYS") returned 1 [0107.701] lstrcmpiW (lpString1="PrintHood", lpString2="boot.ini") returned 1 [0107.701] lstrcmpiW (lpString1="PrintHood", lpString2="AUTOEXEC.BAT") returned 1 [0107.701] lstrcmpiW (lpString1="PrintHood", lpString2="ntuser.dat") returned 1 [0107.702] lstrcmpiW (lpString1="PrintHood", lpString2="desktop.ini") returned 1 [0107.702] lstrcmpiW (lpString1="PrintHood", lpString2="CONFIG.SYS") returned 1 [0107.702] lstrcmpiW (lpString1="PrintHood", lpString2="RECYCLER") returned -1 [0107.702] lstrcmpiW (lpString1="PrintHood", lpString2="BOOTSECT.BAK") returned 1 [0107.702] lstrcmpiW (lpString1="PrintHood", lpString2="bootmgr") returned 1 [0107.702] lstrcmpiW (lpString1="PrintHood", lpString2="programdata") returned -1 [0107.702] lstrcmpiW (lpString1="PrintHood", lpString2="appdata") returned 1 [0107.702] lstrcmpiW (lpString1="PrintHood", lpString2="program files") returned -1 [0107.702] lstrcmpiW (lpString1="PrintHood", lpString2="program files (x86)") returned -1 [0107.702] lstrcmpiW (lpString1="PrintHood", lpString2="microsoft") returned 1 [0107.702] lstrcmpiW (lpString1="PrintHood", lpString2="sophos") returned -1 [0107.702] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0107.702] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0107.702] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0107.702] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0107.702] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0107.702] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\PrintHood\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0xf70005f2, ftCreationTime.dwLowDateTime=0x568ae2f0, ftCreationTime.dwHighDateTime=0x1d5e327, ftLastAccessTime.dwLowDateTime=0xfc99d700, ftLastAccessTime.dwHighDateTime=0xb00000b, ftLastWriteTime.dwLowDateTime=0xfc99d700, ftLastWriteTime.dwHighDateTime=0x1e00001e, nFileSizeHigh=0x2680000, nFileSizeLow=0x10ff3, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="", cAlternateFileName="ɛ⊺Ċᒸɨቸɨ4")) returned 0xffffffff [0107.702] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.702] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0107.702] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0107.702] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0107.702] lstrcmpiW (lpString1="Recent", lpString2=".") returned 1 [0107.702] lstrcmpiW (lpString1="Recent", lpString2="..") returned 1 [0107.702] lstrcmpiW (lpString1="Recent", lpString2="...") returned 1 [0107.702] lstrcmpiW (lpString1="Recent", lpString2="windows") returned -1 [0107.702] lstrcmpiW (lpString1="Recent", lpString2="$RECYCLE.BIN") returned 1 [0107.702] lstrcmpiW (lpString1="Recent", lpString2="rsa") returned -1 [0107.702] lstrcmpiW (lpString1="Recent", lpString2="NTDETECT.COM") returned 1 [0107.702] lstrcmpiW (lpString1="Recent", lpString2="ntldr") returned 1 [0107.702] lstrcmpiW (lpString1="Recent", lpString2="MSDOS.SYS") returned 1 [0107.702] lstrcmpiW (lpString1="Recent", lpString2="IO.SYS") returned 1 [0107.702] lstrcmpiW (lpString1="Recent", lpString2="boot.ini") returned 1 [0107.703] lstrcmpiW (lpString1="Recent", lpString2="AUTOEXEC.BAT") returned 1 [0107.703] lstrcmpiW (lpString1="Recent", lpString2="ntuser.dat") returned 1 [0107.703] lstrcmpiW (lpString1="Recent", lpString2="desktop.ini") returned 1 [0107.703] lstrcmpiW (lpString1="Recent", lpString2="CONFIG.SYS") returned 1 [0107.703] lstrcmpiW (lpString1="Recent", lpString2="RECYCLER") returned -1 [0107.703] lstrcmpiW (lpString1="Recent", lpString2="BOOTSECT.BAK") returned 1 [0107.703] lstrcmpiW (lpString1="Recent", lpString2="bootmgr") returned 1 [0107.703] lstrcmpiW (lpString1="Recent", lpString2="programdata") returned 1 [0107.703] lstrcmpiW (lpString1="Recent", lpString2="appdata") returned 1 [0107.703] lstrcmpiW (lpString1="Recent", lpString2="program files") returned 1 [0107.703] lstrcmpiW (lpString1="Recent", lpString2="program files (x86)") returned 1 [0107.703] lstrcmpiW (lpString1="Recent", lpString2="microsoft") returned 1 [0107.703] lstrcmpiW (lpString1="Recent", lpString2="sophos") returned -1 [0107.703] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0107.703] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0107.703] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0107.703] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0107.703] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0107.703] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Recent\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0xf70005f2, ftCreationTime.dwLowDateTime=0x568ae2f0, ftCreationTime.dwHighDateTime=0x1d5e327, ftLastAccessTime.dwLowDateTime=0xfc99d700, ftLastAccessTime.dwHighDateTime=0xb00000b, ftLastWriteTime.dwLowDateTime=0xfc99d700, ftLastWriteTime.dwHighDateTime=0x1e00001e, nFileSizeHigh=0x2680000, nFileSizeLow=0x10ff3, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="", cAlternateFileName="ɛ⊺Ċɨɨ.")) returned 0xffffffff [0107.703] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0107.703] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0107.703] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0107.703] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Saved Games", cAlternateFileName="SAVEDG~1")) returned 1 [0107.703] lstrcmpiW (lpString1="Saved Games", lpString2=".") returned 1 [0107.703] lstrcmpiW (lpString1="Saved Games", lpString2="..") returned 1 [0107.703] lstrcmpiW (lpString1="Saved Games", lpString2="...") returned 1 [0107.703] lstrcmpiW (lpString1="Saved Games", lpString2="windows") returned -1 [0107.703] lstrcmpiW (lpString1="Saved Games", lpString2="$RECYCLE.BIN") returned 1 [0107.703] lstrcmpiW (lpString1="Saved Games", lpString2="rsa") returned 1 [0107.703] lstrcmpiW (lpString1="Saved Games", lpString2="NTDETECT.COM") returned 1 [0107.703] lstrcmpiW (lpString1="Saved Games", lpString2="ntldr") returned 1 [0107.703] lstrcmpiW (lpString1="Saved Games", lpString2="MSDOS.SYS") returned 1 [0107.704] lstrcmpiW (lpString1="Saved Games", lpString2="IO.SYS") returned 1 [0107.704] lstrcmpiW (lpString1="Saved Games", lpString2="boot.ini") returned 1 [0107.704] lstrcmpiW (lpString1="Saved Games", lpString2="AUTOEXEC.BAT") returned 1 [0107.704] lstrcmpiW (lpString1="Saved Games", lpString2="ntuser.dat") returned 1 [0107.704] lstrcmpiW (lpString1="Saved Games", lpString2="desktop.ini") returned 1 [0107.704] lstrcmpiW (lpString1="Saved Games", lpString2="CONFIG.SYS") returned 1 [0107.704] lstrcmpiW (lpString1="Saved Games", lpString2="RECYCLER") returned 1 [0107.704] lstrcmpiW (lpString1="Saved Games", lpString2="BOOTSECT.BAK") returned 1 [0107.704] lstrcmpiW (lpString1="Saved Games", lpString2="bootmgr") returned 1 [0107.704] lstrcmpiW (lpString1="Saved Games", lpString2="programdata") returned 1 [0107.704] lstrcmpiW (lpString1="Saved Games", lpString2="appdata") returned 1 [0107.704] lstrcmpiW (lpString1="Saved Games", lpString2="program files") returned 1 [0107.704] lstrcmpiW (lpString1="Saved Games", lpString2="program files (x86)") returned 1 [0107.704] lstrcmpiW (lpString1="Saved Games", lpString2="microsoft") returned 1 [0107.704] lstrcmpiW (lpString1="Saved Games", lpString2="sophos") returned -1 [0107.704] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0107.704] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0107.704] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0107.704] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0107.704] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0107.704] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Saved Games\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName=".", cAlternateFileName="")) returned 0xbe2748 [0107.704] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.704] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd45b644a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="..", cAlternateFileName="")) returned 1 [0107.704] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.704] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.704] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0107.704] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0107.704] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0107.704] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0107.704] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0107.705] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0107.705] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0107.705] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0107.705] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0107.705] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0107.705] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0107.705] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0107.705] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0107.705] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0107.705] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0107.705] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x441f699e, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x441f699e, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce4e13d2, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0107.705] FindClose (in: hFindFile=0xbe2748 | out: hFindFile=0xbe2748) returned 1 [0107.705] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.705] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0107.705] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0107.705] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Searches", cAlternateFileName="")) returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2=".") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="..") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="...") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="windows") returned -1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="$RECYCLE.BIN") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="rsa") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="NTDETECT.COM") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="ntldr") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="MSDOS.SYS") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="IO.SYS") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="boot.ini") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="AUTOEXEC.BAT") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="ntuser.dat") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="desktop.ini") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="CONFIG.SYS") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="RECYCLER") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="BOOTSECT.BAK") returned 1 [0107.705] lstrcmpiW (lpString1="Searches", lpString2="bootmgr") returned 1 [0107.706] lstrcmpiW (lpString1="Searches", lpString2="programdata") returned 1 [0107.706] lstrcmpiW (lpString1="Searches", lpString2="appdata") returned 1 [0107.706] lstrcmpiW (lpString1="Searches", lpString2="program files") returned 1 [0107.706] lstrcmpiW (lpString1="Searches", lpString2="program files (x86)") returned 1 [0107.706] lstrcmpiW (lpString1="Searches", lpString2="microsoft") returned 1 [0107.706] lstrcmpiW (lpString1="Searches", lpString2="sophos") returned -1 [0107.706] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0107.706] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0107.706] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0107.706] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0107.706] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0107.706] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Searches\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName=".", cAlternateFileName="")) returned 0xbe2788 [0107.706] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.706] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xd462426d, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="..", cAlternateFileName="")) returned 1 [0107.706] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.706] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.706] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x44137e3b, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44137e3b, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x20c, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0107.706] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0107.706] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0107.706] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0107.706] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0107.706] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0107.706] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0107.706] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0107.706] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0107.706] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0107.706] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0107.707] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0107.707] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0107.707] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0107.707] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0107.707] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x44269063, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44269063, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x44269063, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="Everywhere.search-ms", cAlternateFileName="EVERYW~1.SEA")) returned 1 [0107.707] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2=".") returned 1 [0107.707] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="..") returned 1 [0107.707] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="...") returned 1 [0107.707] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="windows") returned -1 [0107.707] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.707] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="rsa") returned -1 [0107.707] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="NTDETECT.COM") returned -1 [0107.707] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntldr") returned -1 [0107.707] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="MSDOS.SYS") returned -1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="IO.SYS") returned -1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="boot.ini") returned 1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="AUTOEXEC.BAT") returned 1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="ntuser.dat") returned -1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="desktop.ini") returned 1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="CONFIG.SYS") returned 1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="RECYCLER") returned -1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="BOOTSECT.BAK") returned 1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="bootmgr") returned 1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="programdata") returned -1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="appdata") returned 1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="program files") returned -1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="program files (x86)") returned -1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="microsoft") returned -1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="sophos") returned -1 [0107.708] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680500 [0107.708] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.708] PathFindExtensionW (pszPath="Everywhere.search-ms") returned=".search-ms" [0107.708] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2680568 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".exe") returned 1 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".log") returned 1 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".cab") returned 1 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".cmd") returned 1 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".com") returned 1 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".cpl") returned 1 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".ini") returned 1 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".dll") returned 1 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".url") returned -1 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".ttf") returned -1 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".mp3") returned 1 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".pif") returned 1 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".mp4") returned 1 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".NEFILIM") returned 1 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".msi") returned 1 [0107.708] lstrcmpiW (lpString1=".search-ms", lpString2=".lnk") returned 1 [0107.708] lstrcmpiW (lpString1="Everywhere.search-ms", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.709] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0107.709] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Everywhere.search-ms" (normalized: "c:\\users\\fd1hvy\\searches\\everywhere.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0107.709] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=75031468087965748) returned 0 [0107.709] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e288 [0107.709] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e258 [0107.709] SystemFunction036 (in: RandomBuffer=0x268e288, RandomBufferLength=0x10 | out: RandomBuffer=0x268e288) returned 1 [0107.709] SystemFunction036 (in: RandomBuffer=0x268e258, RandomBufferLength=0x10 | out: RandomBuffer=0x268e258) returned 1 [0107.709] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d1e58 [0107.709] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d28b8 [0107.710] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d1e58*, pdwDataLen=0x25beab8*=0x100) returned 1 [0107.710] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d28b8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d28b8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0107.710] GetTickCount () returned 0x115c0eb [0107.710] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e618 [0107.710] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e618 | out: hHeap=0x2680000) returned 1 [0107.710] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0107.710] SetLastError (dwErrCode=0x0) [0107.710] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d1e58, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0) returned 0 [0107.710] GetLastError () returned 0x6 [0107.710] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.710] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680568 | out: hHeap=0x2680000) returned 1 [0107.710] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x23, ftCreationTime.dwLowDateTime=0x44242e24, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x44242e24, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x44242e24, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0xf8, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="Indexed Locations.search-ms", cAlternateFileName="INDEXE~1.SEA")) returned 1 [0107.710] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2=".") returned 1 [0107.710] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="..") returned 1 [0107.710] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="...") returned 1 [0107.710] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="windows") returned -1 [0107.710] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="rsa") returned -1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="NTDETECT.COM") returned -1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntldr") returned -1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="MSDOS.SYS") returned -1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="IO.SYS") returned -1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="boot.ini") returned 1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="AUTOEXEC.BAT") returned 1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="ntuser.dat") returned -1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="desktop.ini") returned 1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="CONFIG.SYS") returned 1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="RECYCLER") returned -1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="BOOTSECT.BAK") returned 1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="bootmgr") returned 1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="programdata") returned -1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="appdata") returned 1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="program files") returned -1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="program files (x86)") returned -1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="microsoft") returned -1 [0107.711] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="sophos") returned -1 [0107.711] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0107.711] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0107.711] PathFindExtensionW (pszPath="Indexed Locations.search-ms") returned=".search-ms" [0107.711] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x268e360 [0107.711] lstrcmpiW (lpString1=".search-ms", lpString2=".exe") returned 1 [0107.711] lstrcmpiW (lpString1=".search-ms", lpString2=".log") returned 1 [0107.711] lstrcmpiW (lpString1=".search-ms", lpString2=".cab") returned 1 [0107.711] lstrcmpiW (lpString1=".search-ms", lpString2=".cmd") returned 1 [0107.711] lstrcmpiW (lpString1=".search-ms", lpString2=".com") returned 1 [0107.711] lstrcmpiW (lpString1=".search-ms", lpString2=".cpl") returned 1 [0107.711] lstrcmpiW (lpString1=".search-ms", lpString2=".ini") returned 1 [0107.711] lstrcmpiW (lpString1=".search-ms", lpString2=".dll") returned 1 [0107.711] lstrcmpiW (lpString1=".search-ms", lpString2=".url") returned -1 [0107.711] lstrcmpiW (lpString1=".search-ms", lpString2=".ttf") returned -1 [0107.711] lstrcmpiW (lpString1=".search-ms", lpString2=".mp3") returned 1 [0107.711] lstrcmpiW (lpString1=".search-ms", lpString2=".pif") returned 1 [0107.711] lstrcmpiW (lpString1=".search-ms", lpString2=".mp4") returned 1 [0107.712] lstrcmpiW (lpString1=".search-ms", lpString2=".NEFILIM") returned 1 [0107.712] lstrcmpiW (lpString1=".search-ms", lpString2=".msi") returned 1 [0107.712] lstrcmpiW (lpString1=".search-ms", lpString2=".lnk") returned 1 [0107.712] lstrcmpiW (lpString1="Indexed Locations.search-ms", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.712] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0107.712] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\Indexed Locations.search-ms" (normalized: "c:\\users\\fd1hvy\\searches\\indexed locations.search-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0107.712] GetFileSizeEx (in: hFile=0xffffffff, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=75031468087965748) returned 0 [0107.712] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e270 [0107.712] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e2d0 [0107.712] SystemFunction036 (in: RandomBuffer=0x268e270, RandomBufferLength=0x10 | out: RandomBuffer=0x268e270) returned 1 [0107.712] SystemFunction036 (in: RandomBuffer=0x268e2d0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e2d0) returned 1 [0107.712] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d29c0 [0107.712] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3938 [0107.712] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d29c0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d29c0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0107.712] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3938*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3938*, pdwDataLen=0x25beab4*=0x100) returned 1 [0107.714] GetTickCount () returned 0x115c0eb [0107.714] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0107.714] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0107.714] SetFilePointerEx (in: hFile=0xffffffff, liDistanceToMove=0x25bf834, lpNewFilePointer=0x10a90b9, dwMoveMethod=0x0 | out: lpNewFilePointer=0x10a90b9*=-8427287629222620021) returned 0 [0107.714] SetLastError (dwErrCode=0x0) [0107.714] WriteFile (in: hFile=0xffffffff, lpBuffer=0x29d29c0, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0) returned 0 [0107.714] GetLastError () returned 0x6 [0107.714] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.714] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0107.714] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", cAlternateFileName="WINRT-~1.SEA")) returned 1 [0107.714] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2=".") returned 1 [0107.714] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="..") returned 1 [0107.714] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="...") returned 1 [0107.714] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="windows") returned 1 [0107.714] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="$RECYCLE.BIN") returned 1 [0107.714] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="rsa") returned 1 [0107.714] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="NTDETECT.COM") returned 1 [0107.714] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="ntldr") returned 1 [0107.714] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="MSDOS.SYS") returned 1 [0107.714] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="IO.SYS") returned 1 [0107.714] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="boot.ini") returned 1 [0107.714] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="AUTOEXEC.BAT") returned 1 [0107.714] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="ntuser.dat") returned 1 [0107.714] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="desktop.ini") returned 1 [0107.715] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="CONFIG.SYS") returned 1 [0107.715] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="RECYCLER") returned 1 [0107.715] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="BOOTSECT.BAK") returned 1 [0107.715] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="bootmgr") returned 1 [0107.715] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="programdata") returned 1 [0107.715] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="appdata") returned 1 [0107.715] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="program files") returned 1 [0107.715] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="program files (x86)") returned 1 [0107.715] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="microsoft") returned 1 [0107.715] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="sophos") returned 1 [0107.715] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd0) returned 0x26804b8 [0107.715] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.715] PathFindExtensionW (pszPath="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms") returned=".searchconnector-ms" [0107.715] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e688 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".exe") returned 1 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".log") returned 1 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".cab") returned 1 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".cmd") returned 1 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".com") returned 1 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".cpl") returned 1 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".ini") returned 1 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".dll") returned 1 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".url") returned -1 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".ttf") returned -1 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".mp3") returned 1 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".pif") returned 1 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".mp4") returned 1 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".NEFILIM") returned 1 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".msi") returned 1 [0107.715] lstrcmpiW (lpString1=".searchconnector-ms", lpString2=".lnk") returned 1 [0107.715] lstrcmpiW (lpString1="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.715] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd0) returned 0x268e2e8 [0107.715] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" (normalized: "c:\\users\\fd1hvy\\searches\\winrt--{s-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0107.757] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=855) returned 1 [0107.757] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.757] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268ea88 [0107.757] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.757] SystemFunction036 (in: RandomBuffer=0x268ea88, RandomBufferLength=0x10 | out: RandomBuffer=0x268ea88) returned 1 [0107.757] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2390 [0107.757] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0107.757] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2390*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2390*, pdwDataLen=0x25beab8*=0x100) returned 1 [0107.759] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0107.759] GetTickCount () returned 0x115c11a [0107.759] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0107.759] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0107.759] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x357, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.759] SetLastError (dwErrCode=0x0) [0107.759] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2390*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2390*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0107.761] GetLastError () returned 0x0 [0107.761] GetLastError () returned 0x0 [0107.761] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x457, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.761] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0107.762] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x557, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.762] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3b38c6a5, dwHighDateTime=0x1d5f971)) [0107.762] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0107.762] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.762] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0107.762] GetProcessHeap () returned 0xbc0000 [0107.762] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x357) returned 0xbe3f48 [0107.762] GetSystemDefaultLangID () returned 0xbd0409 [0107.762] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.762] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x357, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0x357, lpOverlapped=0x0) returned 1 [0107.762] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.762] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x357, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0x357, lpOverlapped=0x0) returned 1 [0107.762] GetProcessHeap () returned 0xbc0000 [0107.762] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0107.762] CloseHandle (hObject=0x26c) returned 1 [0107.762] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2390 | out: hHeap=0x2680000) returned 1 [0107.762] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0107.762] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.762] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea88 | out: hHeap=0x2680000) returned 1 [0107.762] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xe0) returned 0x268bd90 [0107.762] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms" (normalized: "c:\\users\\fd1hvy\\searches\\winrt--{s-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms"), lpNewFileName="C:\\Users\\FD1HVy\\Searches\\winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.NEFILIM" (normalized: "c:\\users\\fd1hvy\\searches\\winrt--{s-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms.nefilim")) returned 1 [0107.763] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.763] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.763] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0107.763] FindNextFileW (in: hFindFile=0xbe2788, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891-1000}-.searchconnector-ms", cAlternateFileName="WINRT-~1.SEA")) returned 0 [0107.763] FindClose (in: hFindFile=0xbe2788 | out: hFindFile=0xbe2788) returned 1 [0107.763] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.763] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0107.763] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0107.763] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0107.763] lstrcmpiW (lpString1="SendTo", lpString2=".") returned 1 [0107.763] lstrcmpiW (lpString1="SendTo", lpString2="..") returned 1 [0107.763] lstrcmpiW (lpString1="SendTo", lpString2="...") returned 1 [0107.763] lstrcmpiW (lpString1="SendTo", lpString2="windows") returned -1 [0107.763] lstrcmpiW (lpString1="SendTo", lpString2="$RECYCLE.BIN") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="rsa") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="NTDETECT.COM") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="ntldr") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="MSDOS.SYS") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="IO.SYS") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="boot.ini") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="AUTOEXEC.BAT") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="ntuser.dat") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="desktop.ini") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="CONFIG.SYS") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="RECYCLER") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="BOOTSECT.BAK") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="bootmgr") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="programdata") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="appdata") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="program files") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="program files (x86)") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="microsoft") returned 1 [0107.764] lstrcmpiW (lpString1="SendTo", lpString2="sophos") returned -1 [0107.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0107.764] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0107.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0107.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e7a0 [0107.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0107.764] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\SendTo\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x0, nFileSizeLow=0x357, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="winrt--{S-1-5-21-1051304884-625712362-2192934891ᗊ瞛搠싹ተɨ", cAlternateFileName="ɛ⊺Ċɨɨ.")) returned 0xffffffff [0107.764] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0107.764] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e7a0 | out: hHeap=0x2680000) returned 1 [0107.764] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0107.764] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0107.764] lstrcmpiW (lpString1="Start Menu", lpString2=".") returned 1 [0107.764] lstrcmpiW (lpString1="Start Menu", lpString2="..") returned 1 [0107.764] lstrcmpiW (lpString1="Start Menu", lpString2="...") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="windows") returned -1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="$RECYCLE.BIN") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="rsa") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="NTDETECT.COM") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="ntldr") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="MSDOS.SYS") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="IO.SYS") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="boot.ini") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="AUTOEXEC.BAT") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="ntuser.dat") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="desktop.ini") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="CONFIG.SYS") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="RECYCLER") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="BOOTSECT.BAK") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="bootmgr") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="programdata") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="appdata") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="program files") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="program files (x86)") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="microsoft") returned 1 [0107.765] lstrcmpiW (lpString1="Start Menu", lpString2="sophos") returned 1 [0107.765] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0107.765] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0107.765] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0107.765] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0107.765] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0107.765] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Start Menu\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1e00001e, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1d32722, nFileSizeHigh=0x2680000, nFileSizeLow=0x14000014, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="", cAlternateFileName="ɛ⊺Ċቸɨᒸɨ6")) returned 0xffffffff [0107.765] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.765] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0107.765] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0107.765] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x211de47b, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x211de47b, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x211de47b, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0107.765] lstrcmpiW (lpString1="Templates", lpString2=".") returned 1 [0107.765] lstrcmpiW (lpString1="Templates", lpString2="..") returned 1 [0107.765] lstrcmpiW (lpString1="Templates", lpString2="...") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="windows") returned -1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="$RECYCLE.BIN") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="rsa") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="NTDETECT.COM") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="ntldr") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="MSDOS.SYS") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="IO.SYS") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="boot.ini") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="AUTOEXEC.BAT") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="ntuser.dat") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="desktop.ini") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="CONFIG.SYS") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="RECYCLER") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="BOOTSECT.BAK") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="bootmgr") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="programdata") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="appdata") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="program files") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="program files (x86)") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="microsoft") returned 1 [0107.766] lstrcmpiW (lpString1="Templates", lpString2="sophos") returned 1 [0107.766] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0107.766] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0107.766] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0107.766] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0107.766] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0107.766] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Templates\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0xf70005f2, ftCreationTime.dwLowDateTime=0x2b71b019, ftCreationTime.dwHighDateTime=0x1e00001e, ftLastAccessTime.dwLowDateTime=0x2b71b019, ftLastAccessTime.dwHighDateTime=0xb00000b, ftLastWriteTime.dwLowDateTime=0x2b71b019, ftLastWriteTime.dwHighDateTime=0x1e00001e, nFileSizeHigh=0x2680000, nFileSizeLow=0x14000014, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="", cAlternateFileName="ɛ⊺Ċᒸɨቸɨ4")) returned 0xffffffff [0107.766] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0107.766] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0107.766] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0107.766] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe58736d0, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe58736d0, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0107.766] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0107.766] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="...") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="$RECYCLE.BIN") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="rsa") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="NTDETECT.COM") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="ntldr") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="MSDOS.SYS") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="IO.SYS") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="boot.ini") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="AUTOEXEC.BAT") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="ntuser.dat") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="desktop.ini") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="CONFIG.SYS") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="RECYCLER") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="BOOTSECT.BAK") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="bootmgr") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="programdata") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="appdata") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="program files") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="program files (x86)") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="microsoft") returned 1 [0107.767] lstrcmpiW (lpString1="Videos", lpString2="sophos") returned 1 [0107.767] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e7a0 [0107.767] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0107.767] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e618 [0107.767] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0107.767] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0107.767] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe58736d0, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe58736d0, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName=".", cAlternateFileName="")) returned 0xbe2408 [0107.767] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.767] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe58736d0, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe58736d0, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="..", cAlternateFileName="")) returned 1 [0107.767] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.767] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.767] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x70da2490, ftCreationTime.dwHighDateTime=0x1d5f097, ftLastAccessTime.dwLowDateTime=0x630be6d0, ftLastAccessTime.dwHighDateTime=0x1d5ed3d, ftLastWriteTime.dwLowDateTime=0x630be6d0, ftLastWriteTime.dwHighDateTime=0x1d5ed3d, nFileSizeHigh=0x0, nFileSizeLow=0xeae3, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="3PBVHs6BGCuqjg.mp4", cAlternateFileName="3PBVHS~1.MP4")) returned 1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2=".") returned 1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="..") returned 1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="...") returned 1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="windows") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="$RECYCLE.BIN") returned 1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="rsa") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="NTDETECT.COM") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="ntldr") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="MSDOS.SYS") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="IO.SYS") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="boot.ini") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="AUTOEXEC.BAT") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="ntuser.dat") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="desktop.ini") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="CONFIG.SYS") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="RECYCLER") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="BOOTSECT.BAK") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="bootmgr") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="programdata") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="appdata") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="program files") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="program files (x86)") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="microsoft") returned -1 [0107.768] lstrcmpiW (lpString1="3PBVHs6BGCuqjg.mp4", lpString2="sophos") returned -1 [0107.768] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681278 [0107.768] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0107.768] PathFindExtensionW (pszPath="3PBVHs6BGCuqjg.mp4") returned=".mp4" [0107.768] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0107.768] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0107.768] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0107.768] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0107.768] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0107.768] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0107.768] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0107.768] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0107.768] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0107.769] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0107.769] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0107.769] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0107.769] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0107.769] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f187a40, ftCreationTime.dwHighDateTime=0x1d5ea0f, ftLastAccessTime.dwLowDateTime=0xca9c6860, ftLastAccessTime.dwHighDateTime=0x1d5e6fd, ftLastWriteTime.dwLowDateTime=0xca9c6860, ftLastWriteTime.dwHighDateTime=0x1d5e6fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="6IKfM4zP", cAlternateFileName="")) returned 1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2=".") returned 1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="..") returned 1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="...") returned 1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="windows") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="$RECYCLE.BIN") returned 1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="rsa") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="NTDETECT.COM") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="ntldr") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="MSDOS.SYS") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="IO.SYS") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="boot.ini") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="AUTOEXEC.BAT") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="ntuser.dat") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="desktop.ini") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="CONFIG.SYS") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="RECYCLER") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="BOOTSECT.BAK") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="bootmgr") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="programdata") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="appdata") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="program files") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="program files (x86)") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="microsoft") returned -1 [0107.769] lstrcmpiW (lpString1="6IKfM4zP", lpString2="sophos") returned -1 [0107.769] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0107.769] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x5e) returned 0x26804b8 [0107.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0107.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0107.769] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680520 [0107.770] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681278 [0107.770] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0107.770] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f187a40, ftCreationTime.dwHighDateTime=0x1d5ea0f, ftLastAccessTime.dwLowDateTime=0xca9c6860, ftLastAccessTime.dwHighDateTime=0x1d5e6fd, ftLastWriteTime.dwLowDateTime=0xca9c6860, ftLastWriteTime.dwHighDateTime=0x1d5e6fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName=".", cAlternateFileName="")) returned 0xbe2608 [0107.770] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.770] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x2f187a40, ftCreationTime.dwHighDateTime=0x1d5ea0f, ftLastAccessTime.dwLowDateTime=0xca9c6860, ftLastAccessTime.dwHighDateTime=0x1d5e6fd, ftLastWriteTime.dwLowDateTime=0xca9c6860, ftLastWriteTime.dwHighDateTime=0x1d5e6fd, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="..", cAlternateFileName="")) returned 1 [0107.770] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.770] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.770] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x190336f0, ftCreationTime.dwHighDateTime=0x1d5f126, ftLastAccessTime.dwLowDateTime=0x19fe2270, ftLastAccessTime.dwHighDateTime=0x1d5e264, ftLastWriteTime.dwLowDateTime=0x19fe2270, ftLastWriteTime.dwHighDateTime=0x1d5e264, nFileSizeHigh=0x0, nFileSizeLow=0x13713, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="6SpNx-y.swf", cAlternateFileName="")) returned 1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2=".") returned 1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="..") returned 1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="...") returned 1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="windows") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="$RECYCLE.BIN") returned 1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="rsa") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="NTDETECT.COM") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="ntldr") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="MSDOS.SYS") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="IO.SYS") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="boot.ini") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="AUTOEXEC.BAT") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="ntuser.dat") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="desktop.ini") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="CONFIG.SYS") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="RECYCLER") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="BOOTSECT.BAK") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="bootmgr") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="programdata") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="appdata") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="program files") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="program files (x86)") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="microsoft") returned -1 [0107.770] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="sophos") returned -1 [0107.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e340 [0107.771] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.771] PathFindExtensionW (pszPath="6SpNx-y.swf") returned=".swf" [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0107.771] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0107.771] lstrcmpiW (lpString1="6SpNx-y.swf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0107.771] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\6SpNx-y.swf" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\6spnx-y.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.771] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=79635) returned 1 [0107.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268eb48 [0107.771] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.771] SystemFunction036 (in: RandomBuffer=0x268eb48, RandomBufferLength=0x10 | out: RandomBuffer=0x268eb48) returned 1 [0107.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3410 [0107.772] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2bd0 [0107.772] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3410*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3410*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.772] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2bd0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2bd0*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.772] GetTickCount () returned 0x115c129 [0107.772] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0107.772] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0107.772] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x13713, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.772] SetLastError (dwErrCode=0x0) [0107.772] WriteFile (in: hFile=0x270, lpBuffer=0x29d3410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3410*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.773] GetLastError () returned 0x0 [0107.773] GetLastError () returned 0x0 [0107.773] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x13813, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.773] WriteFile (in: hFile=0x270, lpBuffer=0x29d2bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2bd0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.773] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x13913, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.773] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3b3b286b, dwHighDateTime=0x1d5f971)) [0107.773] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0107.773] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0107.773] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.773] GetProcessHeap () returned 0xbc0000 [0107.773] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x13713) returned 0xbf2638 [0107.774] GetSystemDefaultLangID () returned 0xbd0409 [0107.774] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.774] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x13713, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x13713, lpOverlapped=0x0) returned 1 [0107.778] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.778] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x13713, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x13713, lpOverlapped=0x0) returned 1 [0107.778] GetProcessHeap () returned 0xbc0000 [0107.778] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.778] CloseHandle (hObject=0x270) returned 1 [0107.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3410 | out: hHeap=0x2680000) returned 1 [0107.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2bd0 | out: hHeap=0x2680000) returned 1 [0107.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eb48 | out: hHeap=0x2680000) returned 1 [0107.779] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bdf8 [0107.779] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\6SpNx-y.swf" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\6spnx-y.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\6SpNx-y.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\6spnx-y.swf.nefilim")) returned 1 [0107.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0107.779] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.779] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x161de3d0, ftCreationTime.dwHighDateTime=0x1d5ee11, ftLastAccessTime.dwLowDateTime=0xe5cd5af0, ftLastAccessTime.dwHighDateTime=0x1d5e468, ftLastWriteTime.dwLowDateTime=0xe5cd5af0, ftLastWriteTime.dwHighDateTime=0x1d5e468, nFileSizeHigh=0x0, nFileSizeLow=0x2556, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="eqbLeDNa3tqlYyWErD.mkv", cAlternateFileName="EQBLED~1.MKV")) returned 1 [0107.779] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2=".") returned 1 [0107.779] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="..") returned 1 [0107.779] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="...") returned 1 [0107.779] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="windows") returned -1 [0107.779] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="$RECYCLE.BIN") returned 1 [0107.779] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="rsa") returned -1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="NTDETECT.COM") returned -1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="ntldr") returned -1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="MSDOS.SYS") returned -1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="IO.SYS") returned -1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="boot.ini") returned 1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="ntuser.dat") returned -1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="desktop.ini") returned 1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="CONFIG.SYS") returned 1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="RECYCLER") returned -1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="BOOTSECT.BAK") returned 1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="bootmgr") returned 1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="programdata") returned -1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="appdata") returned 1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="program files") returned -1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="program files (x86)") returned -1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="microsoft") returned -1 [0107.780] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="sophos") returned -1 [0107.780] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0107.780] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0107.780] PathFindExtensionW (pszPath="eqbLeDNa3tqlYyWErD.mkv") returned=".mkv" [0107.780] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0107.780] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0107.780] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0107.780] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0107.780] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0107.780] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0107.780] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0107.780] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0107.780] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0107.780] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0107.780] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0107.780] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0107.780] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0107.780] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0107.781] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0107.781] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0107.781] lstrcmpiW (lpString1="eqbLeDNa3tqlYyWErD.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.781] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0107.781] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\eqbLeDNa3tqlYyWErD.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\eqbledna3tqlyywerd.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.781] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=9558) returned 1 [0107.781] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.781] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268ebf0 [0107.781] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.781] SystemFunction036 (in: RandomBuffer=0x268ebf0, RandomBufferLength=0x10 | out: RandomBuffer=0x268ebf0) returned 1 [0107.781] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2498 [0107.781] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3c50 [0107.781] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2498*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2498*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.781] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3c50*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3c50*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.782] GetTickCount () returned 0x115c129 [0107.782] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0107.782] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0107.782] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2556, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.782] SetLastError (dwErrCode=0x0) [0107.782] WriteFile (in: hFile=0x270, lpBuffer=0x29d2498*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2498*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.783] GetLastError () returned 0x0 [0107.783] GetLastError () returned 0x0 [0107.783] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2656, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.783] WriteFile (in: hFile=0x270, lpBuffer=0x29d3c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3c50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.783] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2756, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.783] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3b3b286b, dwHighDateTime=0x1d5f971)) [0107.783] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0107.783] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0107.783] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.783] GetProcessHeap () returned 0xbc0000 [0107.783] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2556) returned 0xbf2638 [0107.783] GetSystemDefaultLangID () returned 0xbd0409 [0107.783] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.783] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2556, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2556, lpOverlapped=0x0) returned 1 [0107.784] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.784] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2556, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2556, lpOverlapped=0x0) returned 1 [0107.784] GetProcessHeap () returned 0xbc0000 [0107.784] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.784] CloseHandle (hObject=0x270) returned 1 [0107.784] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2498 | out: hHeap=0x2680000) returned 1 [0107.784] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3c50 | out: hHeap=0x2680000) returned 1 [0107.784] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.784] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebf0 | out: hHeap=0x2680000) returned 1 [0107.784] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0107.784] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\eqbLeDNa3tqlYyWErD.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\eqbledna3tqlyywerd.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\eqbLeDNa3tqlYyWErD.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\eqbledna3tqlyywerd.mkv.nefilim")) returned 1 [0107.785] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.785] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0107.785] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe9d56500, ftCreationTime.dwHighDateTime=0x1d5e631, ftLastAccessTime.dwLowDateTime=0x6e2c6830, ftLastAccessTime.dwHighDateTime=0x1d5e0c9, ftLastWriteTime.dwLowDateTime=0x6e2c6830, ftLastWriteTime.dwHighDateTime=0x1d5e0c9, nFileSizeHigh=0x0, nFileSizeLow=0xafd3, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="F0eiPFF0.avi", cAlternateFileName="")) returned 1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2=".") returned 1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="..") returned 1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="...") returned 1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="windows") returned -1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="$RECYCLE.BIN") returned 1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="rsa") returned -1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="NTDETECT.COM") returned -1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="ntldr") returned -1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="MSDOS.SYS") returned -1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="IO.SYS") returned -1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="boot.ini") returned 1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="AUTOEXEC.BAT") returned 1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="ntuser.dat") returned -1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="desktop.ini") returned 1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="CONFIG.SYS") returned 1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="RECYCLER") returned -1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="BOOTSECT.BAK") returned 1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="bootmgr") returned 1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="programdata") returned -1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="appdata") returned 1 [0107.785] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="program files") returned -1 [0107.786] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="program files (x86)") returned -1 [0107.786] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="microsoft") returned -1 [0107.786] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="sophos") returned -1 [0107.786] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268be08 [0107.786] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.786] PathFindExtensionW (pszPath="F0eiPFF0.avi") returned=".avi" [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0107.786] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0107.786] lstrcmpiW (lpString1="F0eiPFF0.avi", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.786] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268be70 [0107.786] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\F0eiPFF0.avi" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\f0eipff0.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.786] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=45011) returned 1 [0107.786] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.786] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268eb90 [0107.786] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.787] SystemFunction036 (in: RandomBuffer=0x268eb90, RandomBufferLength=0x10 | out: RandomBuffer=0x268eb90) returned 1 [0107.787] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2bd0 [0107.787] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2cd8 [0107.787] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2bd0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2bd0*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.787] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2cd8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2cd8*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.787] GetTickCount () returned 0x115c139 [0107.787] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0107.787] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0107.787] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xafd3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.787] SetLastError (dwErrCode=0x0) [0107.787] WriteFile (in: hFile=0x270, lpBuffer=0x29d2bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2bd0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.788] GetLastError () returned 0x0 [0107.788] GetLastError () returned 0x0 [0107.788] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb0d3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.788] WriteFile (in: hFile=0x270, lpBuffer=0x29d2cd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2cd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.788] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xb1d3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.788] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3b3d8b41, dwHighDateTime=0x1d5f971)) [0107.788] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0107.788] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0107.788] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.789] GetProcessHeap () returned 0xbc0000 [0107.789] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xafd3) returned 0xbf2638 [0107.789] GetSystemDefaultLangID () returned 0xbd0409 [0107.789] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.789] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xafd3, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xafd3, lpOverlapped=0x0) returned 1 [0107.791] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.791] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xafd3, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xafd3, lpOverlapped=0x0) returned 1 [0107.791] GetProcessHeap () returned 0xbc0000 [0107.791] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.793] CloseHandle (hObject=0x270) returned 1 [0107.793] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2bd0 | out: hHeap=0x2680000) returned 1 [0107.793] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2cd8 | out: hHeap=0x2680000) returned 1 [0107.793] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.793] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eb90 | out: hHeap=0x2680000) returned 1 [0107.793] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0107.793] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\F0eiPFF0.avi" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\f0eipff0.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\F0eiPFF0.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\f0eipff0.avi.nefilim")) returned 1 [0107.793] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.793] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be70 | out: hHeap=0x2680000) returned 1 [0107.793] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a130a00, ftCreationTime.dwHighDateTime=0x1d5e60d, ftLastAccessTime.dwLowDateTime=0x3cad7c80, ftLastAccessTime.dwHighDateTime=0x1d5ee4e, ftLastWriteTime.dwLowDateTime=0x3cad7c80, ftLastWriteTime.dwHighDateTime=0x1d5ee4e, nFileSizeHigh=0x0, nFileSizeLow=0x169c9, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="fPkDbmmCX.mkv", cAlternateFileName="FPKDBM~1.MKV")) returned 1 [0107.793] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2=".") returned 1 [0107.793] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="..") returned 1 [0107.793] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="...") returned 1 [0107.793] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="windows") returned -1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="$RECYCLE.BIN") returned 1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="rsa") returned -1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="NTDETECT.COM") returned -1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="ntldr") returned -1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="MSDOS.SYS") returned -1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="IO.SYS") returned -1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="boot.ini") returned 1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="ntuser.dat") returned -1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="desktop.ini") returned 1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="CONFIG.SYS") returned 1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="RECYCLER") returned -1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="BOOTSECT.BAK") returned 1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="bootmgr") returned 1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="programdata") returned -1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="appdata") returned 1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="program files") returned -1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="program files (x86)") returned -1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="microsoft") returned -1 [0107.794] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="sophos") returned -1 [0107.794] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268be70 [0107.794] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0107.794] PathFindExtensionW (pszPath="fPkDbmmCX.mkv") returned=".mkv" [0107.794] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0107.794] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0107.794] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0107.794] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0107.794] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0107.794] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0107.794] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0107.794] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0107.794] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0107.794] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0107.794] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0107.794] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0107.794] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0107.794] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0107.795] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0107.795] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0107.795] lstrcmpiW (lpString1="fPkDbmmCX.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.795] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0107.795] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\fPkDbmmCX.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\fpkdbmmcx.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0107.795] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=92617) returned 1 [0107.795] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.795] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268eab8 [0107.795] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.795] SystemFunction036 (in: RandomBuffer=0x268eab8, RandomBufferLength=0x10 | out: RandomBuffer=0x268eab8) returned 1 [0107.795] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d30f8 [0107.795] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3830 [0107.795] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d30f8*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d30f8*, pdwDataLen=0x25be798*=0x100) returned 1 [0107.797] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3830*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3830*, pdwDataLen=0x25be794*=0x100) returned 1 [0107.797] GetTickCount () returned 0x115c139 [0107.797] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0107.797] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0107.797] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x169c9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.797] SetLastError (dwErrCode=0x0) [0107.797] WriteFile (in: hFile=0x270, lpBuffer=0x29d30f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d30f8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.798] GetLastError () returned 0x0 [0107.798] GetLastError () returned 0x0 [0107.798] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x16ac9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.798] WriteFile (in: hFile=0x270, lpBuffer=0x29d3830*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3830*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0107.798] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x16bc9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.798] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3b3d8b41, dwHighDateTime=0x1d5f971)) [0107.798] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0107.798] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0107.798] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0107.798] GetProcessHeap () returned 0xbc0000 [0107.798] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x169c9) returned 0xbf2638 [0107.798] GetSystemDefaultLangID () returned 0xbd0409 [0107.798] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.798] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x169c9, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x169c9, lpOverlapped=0x0) returned 1 [0107.867] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.867] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x169c9, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x169c9, lpOverlapped=0x0) returned 1 [0107.867] GetProcessHeap () returned 0xbc0000 [0107.867] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0107.867] CloseHandle (hObject=0x270) returned 1 [0107.867] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d30f8 | out: hHeap=0x2680000) returned 1 [0107.868] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3830 | out: hHeap=0x2680000) returned 1 [0107.868] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.868] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eab8 | out: hHeap=0x2680000) returned 1 [0107.868] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bdf8 [0107.868] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\fPkDbmmCX.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\fpkdbmmcx.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\fPkDbmmCX.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\fpkdbmmcx.mkv.nefilim")) returned 1 [0107.868] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0107.868] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0107.868] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67c42280, ftCreationTime.dwHighDateTime=0x1d5ea2e, ftLastAccessTime.dwLowDateTime=0xe2e2f660, ftLastAccessTime.dwHighDateTime=0x1d5e643, ftLastWriteTime.dwLowDateTime=0xe2e2f660, ftLastWriteTime.dwHighDateTime=0x1d5e643, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="QA60XTAA", cAlternateFileName="")) returned 1 [0107.868] lstrcmpiW (lpString1="QA60XTAA", lpString2=".") returned 1 [0107.868] lstrcmpiW (lpString1="QA60XTAA", lpString2="..") returned 1 [0107.868] lstrcmpiW (lpString1="QA60XTAA", lpString2="...") returned 1 [0107.868] lstrcmpiW (lpString1="QA60XTAA", lpString2="windows") returned -1 [0107.868] lstrcmpiW (lpString1="QA60XTAA", lpString2="$RECYCLE.BIN") returned 1 [0107.868] lstrcmpiW (lpString1="QA60XTAA", lpString2="rsa") returned -1 [0107.868] lstrcmpiW (lpString1="QA60XTAA", lpString2="NTDETECT.COM") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="ntldr") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="MSDOS.SYS") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="IO.SYS") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="boot.ini") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="AUTOEXEC.BAT") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="ntuser.dat") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="desktop.ini") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="CONFIG.SYS") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="RECYCLER") returned -1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="BOOTSECT.BAK") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="bootmgr") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="programdata") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="appdata") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="program files") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="program files (x86)") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="microsoft") returned 1 [0107.869] lstrcmpiW (lpString1="QA60XTAA", lpString2="sophos") returned -1 [0107.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0107.869] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be70 | out: hHeap=0x2680000) returned 1 [0107.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0107.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268be60 [0107.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0107.869] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67c42280, ftCreationTime.dwHighDateTime=0x1d5ea2e, ftLastAccessTime.dwLowDateTime=0xe2e2f660, ftLastAccessTime.dwHighDateTime=0x1d5e643, ftLastWriteTime.dwLowDateTime=0xe2e2f660, ftLastWriteTime.dwHighDateTime=0x1d5e643, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268bd90, dwReserved1=0x2000000, cFileName=".", cAlternateFileName="")) returned 0xbe29c8 [0107.869] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.869] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x67c42280, ftCreationTime.dwHighDateTime=0x1d5ea2e, ftLastAccessTime.dwLowDateTime=0xe2e2f660, ftLastAccessTime.dwHighDateTime=0x1d5e643, ftLastWriteTime.dwLowDateTime=0xe2e2f660, ftLastWriteTime.dwHighDateTime=0x1d5e643, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268bd90, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 1 [0107.869] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.869] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.869] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdb58fcc0, ftCreationTime.dwHighDateTime=0x1d5e362, ftLastAccessTime.dwLowDateTime=0x7acbc320, ftLastAccessTime.dwHighDateTime=0x1d5ed48, ftLastWriteTime.dwLowDateTime=0x7acbc320, ftLastWriteTime.dwHighDateTime=0x1d5ed48, nFileSizeHigh=0x0, nFileSizeLow=0x1976, dwReserved0=0x268bd90, dwReserved1=0x2000000, cFileName="1zdeLP.mp4", cAlternateFileName="")) returned 1 [0107.869] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2=".") returned 1 [0107.869] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="..") returned 1 [0107.869] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="...") returned 1 [0107.869] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="windows") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="$RECYCLE.BIN") returned 1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="rsa") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="NTDETECT.COM") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="ntldr") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="MSDOS.SYS") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="IO.SYS") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="boot.ini") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="AUTOEXEC.BAT") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="ntuser.dat") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="desktop.ini") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="CONFIG.SYS") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="RECYCLER") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="BOOTSECT.BAK") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="bootmgr") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="programdata") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="appdata") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="program files") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="program files (x86)") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="microsoft") returned -1 [0107.870] lstrcmpiW (lpString1="1zdeLP.mp4", lpString2="sophos") returned -1 [0107.870] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0107.870] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.870] PathFindExtensionW (pszPath="1zdeLP.mp4") returned=".mp4" [0107.870] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0107.870] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0107.870] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0107.870] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0107.870] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0107.870] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0107.870] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0107.870] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0107.870] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0107.870] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0107.870] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0107.870] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0107.870] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0107.871] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf8dfd10, ftCreationTime.dwHighDateTime=0x1d5e595, ftLastAccessTime.dwLowDateTime=0x8d1c8860, ftLastAccessTime.dwHighDateTime=0x1d5e394, ftLastWriteTime.dwLowDateTime=0x8d1c8860, ftLastWriteTime.dwHighDateTime=0x1d5e394, nFileSizeHigh=0x0, nFileSizeLow=0x2242, dwReserved0=0x268bd90, dwReserved1=0x2000000, cFileName="bGA4M OccBxjgjjh.avi", cAlternateFileName="BGA4MO~1.AVI")) returned 1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2=".") returned 1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="..") returned 1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="...") returned 1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="windows") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="$RECYCLE.BIN") returned 1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="rsa") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="NTDETECT.COM") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="ntldr") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="MSDOS.SYS") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="IO.SYS") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="boot.ini") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="AUTOEXEC.BAT") returned 1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="ntuser.dat") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="desktop.ini") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="CONFIG.SYS") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="RECYCLER") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="BOOTSECT.BAK") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="bootmgr") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="programdata") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="appdata") returned 1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="program files") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="program files (x86)") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="microsoft") returned -1 [0107.871] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="sophos") returned -1 [0107.871] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0107.871] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0107.871] PathFindExtensionW (pszPath="bGA4M OccBxjgjjh.avi") returned=".avi" [0107.871] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0107.871] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0107.871] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0107.871] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0107.871] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0107.871] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0107.871] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0107.871] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0107.871] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0107.872] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0107.872] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0107.872] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0107.872] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0107.872] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0107.872] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0107.872] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0107.872] lstrcmpiW (lpString1="bGA4M OccBxjgjjh.avi", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0107.872] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\bGA4M OccBxjgjjh.avi" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\bga4m occbxjgjjh.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0107.872] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=8770) returned 1 [0107.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e8c0 [0107.872] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.872] SystemFunction036 (in: RandomBuffer=0x268e8c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e8c0) returned 1 [0107.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3a40 [0107.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3308 [0107.872] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3a40*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d3a40*, pdwDataLen=0x25be478*=0x100) returned 1 [0107.874] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3308*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d3308*, pdwDataLen=0x25be474*=0x100) returned 1 [0107.875] GetTickCount () returned 0x115c187 [0107.875] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0107.875] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0107.875] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2242, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.875] SetLastError (dwErrCode=0x0) [0107.875] WriteFile (in: hFile=0x274, lpBuffer=0x29d3a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d3a40*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0107.876] GetLastError () returned 0x0 [0107.876] GetLastError () returned 0x0 [0107.876] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2342, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.876] WriteFile (in: hFile=0x274, lpBuffer=0x29d3308*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d3308*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0107.876] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2442, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.876] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3b497531, dwHighDateTime=0x1d5f971)) [0107.876] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0107.877] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0107.877] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0107.877] GetProcessHeap () returned 0xbc0000 [0107.877] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2242) returned 0xbf3640 [0107.877] GetSystemDefaultLangID () returned 0xbd0409 [0107.877] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.877] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x2242, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x2242, lpOverlapped=0x0) returned 1 [0107.877] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.877] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x2242, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x2242, lpOverlapped=0x0) returned 1 [0107.877] GetProcessHeap () returned 0xbc0000 [0107.877] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0107.877] CloseHandle (hObject=0x274) returned 1 [0107.878] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3a40 | out: hHeap=0x2680000) returned 1 [0107.878] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3308 | out: hHeap=0x2680000) returned 1 [0107.878] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.878] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e8c0 | out: hHeap=0x2680000) returned 1 [0107.878] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268ec90 [0107.878] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\bGA4M OccBxjgjjh.avi" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\bga4m occbxjgjjh.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\bGA4M OccBxjgjjh.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\bga4m occbxjgjjh.avi.nefilim")) returned 1 [0107.878] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec90 | out: hHeap=0x2680000) returned 1 [0107.878] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.878] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa2b5e590, ftCreationTime.dwHighDateTime=0x1d5efb0, ftLastAccessTime.dwLowDateTime=0xa43d9470, ftLastAccessTime.dwHighDateTime=0x1d5e593, ftLastWriteTime.dwLowDateTime=0xa43d9470, ftLastWriteTime.dwHighDateTime=0x1d5e593, nFileSizeHigh=0x0, nFileSizeLow=0x10848, dwReserved0=0x268bd90, dwReserved1=0x2000000, cFileName="JCkWR7jZb.flv", cAlternateFileName="JCKWR7~1.FLV")) returned 1 [0107.878] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2=".") returned 1 [0107.878] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="..") returned 1 [0107.878] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="...") returned 1 [0107.878] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="windows") returned -1 [0107.878] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="$RECYCLE.BIN") returned 1 [0107.878] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="rsa") returned -1 [0107.878] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="NTDETECT.COM") returned -1 [0107.878] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="ntldr") returned -1 [0107.879] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="MSDOS.SYS") returned -1 [0107.879] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="IO.SYS") returned 1 [0107.879] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="boot.ini") returned 1 [0107.879] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="AUTOEXEC.BAT") returned 1 [0107.879] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="ntuser.dat") returned -1 [0107.879] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="desktop.ini") returned 1 [0107.879] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="CONFIG.SYS") returned 1 [0107.879] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="RECYCLER") returned -1 [0107.879] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="BOOTSECT.BAK") returned 1 [0107.882] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="bootmgr") returned 1 [0107.882] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="programdata") returned -1 [0107.882] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="appdata") returned 1 [0107.882] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="program files") returned -1 [0107.882] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="program files (x86)") returned -1 [0107.882] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="microsoft") returned -1 [0107.882] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="sophos") returned -1 [0107.882] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0107.882] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0107.882] PathFindExtensionW (pszPath="JCkWR7jZb.flv") returned=".flv" [0107.882] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0107.882] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0107.882] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0107.882] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0107.882] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0107.882] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0107.882] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0107.882] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0107.882] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0107.882] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0107.882] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0107.882] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0107.883] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0107.883] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0107.883] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0107.883] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0107.883] lstrcmpiW (lpString1="JCkWR7jZb.flv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.883] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e360 [0107.883] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\JCkWR7jZb.flv" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\jckwr7jzb.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0107.883] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=67656) returned 1 [0107.883] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.883] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268eaa0 [0107.883] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.883] SystemFunction036 (in: RandomBuffer=0x268eaa0, RandomBufferLength=0x10 | out: RandomBuffer=0x268eaa0) returned 1 [0107.883] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2288 [0107.883] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2390 [0107.883] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2288*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d2288*, pdwDataLen=0x25be478*=0x100) returned 1 [0107.883] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2390*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d2390*, pdwDataLen=0x25be474*=0x100) returned 1 [0107.884] GetTickCount () returned 0x115c197 [0107.884] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0107.884] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0107.884] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10848, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.884] SetLastError (dwErrCode=0x0) [0107.884] WriteFile (in: hFile=0x274, lpBuffer=0x29d2288*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d2288*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0107.885] GetLastError () returned 0x0 [0107.885] GetLastError () returned 0x0 [0107.885] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10948, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.885] WriteFile (in: hFile=0x274, lpBuffer=0x29d2390*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d2390*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0107.885] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10a48, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.885] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3b4bd7c8, dwHighDateTime=0x1d5f971)) [0107.885] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0107.885] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0107.885] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0107.885] GetProcessHeap () returned 0xbc0000 [0107.885] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10848) returned 0xbf3640 [0107.885] GetSystemDefaultLangID () returned 0xbd0409 [0107.885] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.885] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x10848, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x10848, lpOverlapped=0x0) returned 1 [0107.889] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.889] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x10848, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x10848, lpOverlapped=0x0) returned 1 [0107.889] GetProcessHeap () returned 0xbc0000 [0107.889] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0107.889] CloseHandle (hObject=0x274) returned 1 [0107.889] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2288 | out: hHeap=0x2680000) returned 1 [0107.889] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2390 | out: hHeap=0x2680000) returned 1 [0107.889] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.889] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eaa0 | out: hHeap=0x2680000) returned 1 [0107.889] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0107.889] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\JCkWR7jZb.flv" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\jckwr7jzb.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\JCkWR7jZb.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\jckwr7jzb.flv.nefilim")) returned 1 [0107.890] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0107.890] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0107.890] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x40ce7b50, ftCreationTime.dwHighDateTime=0x1d5e5db, ftLastAccessTime.dwLowDateTime=0x5e3d9cb0, ftLastAccessTime.dwHighDateTime=0x1d5e307, ftLastWriteTime.dwLowDateTime=0x5e3d9cb0, ftLastWriteTime.dwHighDateTime=0x1d5e307, nFileSizeHigh=0x0, nFileSizeLow=0x10fb2, dwReserved0=0x268bd90, dwReserved1=0x2000000, cFileName="JEx6mzancfw2.flv", cAlternateFileName="JEX6MZ~1.FLV")) returned 1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2=".") returned 1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="..") returned 1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="...") returned 1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="windows") returned -1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="$RECYCLE.BIN") returned 1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="rsa") returned -1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="NTDETECT.COM") returned -1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="ntldr") returned -1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="MSDOS.SYS") returned -1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="IO.SYS") returned 1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="boot.ini") returned 1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="AUTOEXEC.BAT") returned 1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="ntuser.dat") returned -1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="desktop.ini") returned 1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="CONFIG.SYS") returned 1 [0107.890] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="RECYCLER") returned -1 [0107.891] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="BOOTSECT.BAK") returned 1 [0107.891] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="bootmgr") returned 1 [0107.891] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="programdata") returned -1 [0107.891] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="appdata") returned 1 [0107.891] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="program files") returned -1 [0107.891] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="program files (x86)") returned -1 [0107.891] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="microsoft") returned -1 [0107.891] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="sophos") returned -1 [0107.891] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e360 [0107.891] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.891] PathFindExtensionW (pszPath="JEx6mzancfw2.flv") returned=".flv" [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0107.891] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0107.891] lstrcmpiW (lpString1="JEx6mzancfw2.flv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.891] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0107.891] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\JEx6mzancfw2.flv" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\jex6mzancfw2.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0107.891] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=69554) returned 1 [0107.892] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.892] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e968 [0107.892] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.892] SystemFunction036 (in: RandomBuffer=0x268e968, RandomBufferLength=0x10 | out: RandomBuffer=0x268e968) returned 1 [0107.892] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3b48 [0107.892] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2de0 [0107.892] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3b48*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d3b48*, pdwDataLen=0x25be478*=0x100) returned 1 [0107.892] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2de0*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d2de0*, pdwDataLen=0x25be474*=0x100) returned 1 [0107.893] GetTickCount () returned 0x115c197 [0107.893] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0107.894] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0107.894] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x10fb2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.894] SetLastError (dwErrCode=0x0) [0107.894] WriteFile (in: hFile=0x274, lpBuffer=0x29d3b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d3b48*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0107.897] GetLastError () returned 0x0 [0107.897] GetLastError () returned 0x0 [0107.897] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x110b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.897] WriteFile (in: hFile=0x274, lpBuffer=0x29d2de0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d2de0*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0107.897] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x111b2, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.897] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3b4e3a79, dwHighDateTime=0x1d5f971)) [0107.897] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0107.897] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0107.897] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0107.897] GetProcessHeap () returned 0xbc0000 [0107.897] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10fb2) returned 0xbf3640 [0107.898] GetSystemDefaultLangID () returned 0xbd0409 [0107.898] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.898] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x10fb2, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x10fb2, lpOverlapped=0x0) returned 1 [0107.902] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.902] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x10fb2, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x10fb2, lpOverlapped=0x0) returned 1 [0107.903] GetProcessHeap () returned 0xbc0000 [0107.903] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0107.903] CloseHandle (hObject=0x274) returned 1 [0107.903] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3b48 | out: hHeap=0x2680000) returned 1 [0107.903] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2de0 | out: hHeap=0x2680000) returned 1 [0107.903] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.903] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e968 | out: hHeap=0x2680000) returned 1 [0107.903] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268ec90 [0107.903] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\JEx6mzancfw2.flv" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\jex6mzancfw2.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\JEx6mzancfw2.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\jex6mzancfw2.flv.nefilim")) returned 1 [0107.903] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec90 | out: hHeap=0x2680000) returned 1 [0107.903] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0107.903] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x66c0d690, ftCreationTime.dwHighDateTime=0x1d5e53c, ftLastAccessTime.dwLowDateTime=0xeaeeaa20, ftLastAccessTime.dwHighDateTime=0x1d5edb9, ftLastWriteTime.dwLowDateTime=0xeaeeaa20, ftLastWriteTime.dwHighDateTime=0x1d5edb9, nFileSizeHigh=0x0, nFileSizeLow=0xf82b, dwReserved0=0x268bd90, dwReserved1=0x2000000, cFileName="OwuaqoBP8B2.swf", cAlternateFileName="OWUAQO~1.SWF")) returned 1 [0107.903] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2=".") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="..") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="...") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="windows") returned -1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="$RECYCLE.BIN") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="rsa") returned -1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="NTDETECT.COM") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="ntldr") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="MSDOS.SYS") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="IO.SYS") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="boot.ini") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="AUTOEXEC.BAT") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="ntuser.dat") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="desktop.ini") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="CONFIG.SYS") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="RECYCLER") returned -1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="BOOTSECT.BAK") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="bootmgr") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="programdata") returned -1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="appdata") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="program files") returned -1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="program files (x86)") returned -1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="microsoft") returned 1 [0107.904] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="sophos") returned -1 [0107.904] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0107.904] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0107.904] PathFindExtensionW (pszPath="OwuaqoBP8B2.swf") returned=".swf" [0107.904] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0107.904] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0107.904] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0107.904] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0107.904] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0107.904] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0107.904] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0107.904] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0107.904] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0107.904] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0107.904] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0107.905] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0107.905] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0107.905] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0107.905] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0107.905] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0107.905] lstrcmpiW (lpString1="OwuaqoBP8B2.swf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.905] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e2e8 [0107.905] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\OwuaqoBP8B2.swf" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\owuaqobp8b2.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0107.905] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=63531) returned 1 [0107.905] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.905] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e830 [0107.905] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.905] SystemFunction036 (in: RandomBuffer=0x268e830, RandomBufferLength=0x10 | out: RandomBuffer=0x268e830) returned 1 [0107.905] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3308 [0107.905] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d25a0 [0107.905] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3308*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d3308*, pdwDataLen=0x25be478*=0x100) returned 1 [0107.907] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d25a0*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d25a0*, pdwDataLen=0x25be474*=0x100) returned 1 [0107.908] GetTickCount () returned 0x115c1a6 [0107.908] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0107.908] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0107.908] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf82b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.908] SetLastError (dwErrCode=0x0) [0107.908] WriteFile (in: hFile=0x274, lpBuffer=0x29d3308*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d3308*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0107.909] GetLastError () returned 0x0 [0107.909] GetLastError () returned 0x0 [0107.909] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xf92b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.909] WriteFile (in: hFile=0x274, lpBuffer=0x29d25a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d25a0*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0107.909] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xfa2b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.909] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3b4e3a79, dwHighDateTime=0x1d5f971)) [0107.909] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0107.909] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0107.909] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0107.909] GetProcessHeap () returned 0xbc0000 [0107.909] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xf82b) returned 0xbf3640 [0107.910] GetSystemDefaultLangID () returned 0xbd0409 [0107.910] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.910] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0xf82b, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0xf82b, lpOverlapped=0x0) returned 1 [0107.961] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.961] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0xf82b, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0xf82b, lpOverlapped=0x0) returned 1 [0107.962] GetProcessHeap () returned 0xbc0000 [0107.962] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0107.962] CloseHandle (hObject=0x274) returned 1 [0107.962] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3308 | out: hHeap=0x2680000) returned 1 [0107.962] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d25a0 | out: hHeap=0x2680000) returned 1 [0107.962] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.962] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e830 | out: hHeap=0x2680000) returned 1 [0107.962] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268ec90 [0107.962] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\OwuaqoBP8B2.swf" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\owuaqobp8b2.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\OwuaqoBP8B2.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\owuaqobp8b2.swf.nefilim")) returned 1 [0107.963] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec90 | out: hHeap=0x2680000) returned 1 [0107.963] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.963] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x79481140, ftCreationTime.dwHighDateTime=0x1d5edb4, ftLastAccessTime.dwLowDateTime=0xfcb27390, ftLastAccessTime.dwHighDateTime=0x1d5e995, ftLastWriteTime.dwLowDateTime=0xfcb27390, ftLastWriteTime.dwHighDateTime=0x1d5e995, nFileSizeHigh=0x0, nFileSizeLow=0xe676, dwReserved0=0x268bd90, dwReserved1=0x2000000, cFileName="UVoy.avi", cAlternateFileName="")) returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2=".") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="..") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="...") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="windows") returned -1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="$RECYCLE.BIN") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="rsa") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="NTDETECT.COM") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="ntldr") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="MSDOS.SYS") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="IO.SYS") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="boot.ini") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="AUTOEXEC.BAT") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="ntuser.dat") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="desktop.ini") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="CONFIG.SYS") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="RECYCLER") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="BOOTSECT.BAK") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="bootmgr") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="programdata") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="appdata") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="program files") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="program files (x86)") returned 1 [0107.963] lstrcmpiW (lpString1="UVoy.avi", lpString2="microsoft") returned 1 [0107.964] lstrcmpiW (lpString1="UVoy.avi", lpString2="sophos") returned 1 [0107.964] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0107.964] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0107.964] PathFindExtensionW (pszPath="UVoy.avi") returned=".avi" [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0107.964] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0107.964] lstrcmpiW (lpString1="UVoy.avi", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.964] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e360 [0107.964] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\UVoy.avi" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\uvoy.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0107.964] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=58998) returned 1 [0107.964] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.964] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268ea28 [0107.964] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.964] SystemFunction036 (in: RandomBuffer=0x268ea28, RandomBufferLength=0x10 | out: RandomBuffer=0x268ea28) returned 1 [0107.964] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ee8 [0107.964] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d27b0 [0107.965] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ee8*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ee8*, pdwDataLen=0x25be478*=0x100) returned 1 [0107.965] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d27b0*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d27b0*, pdwDataLen=0x25be474*=0x100) returned 1 [0107.965] GetTickCount () returned 0x115c1e5 [0107.965] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e420 [0107.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e420 | out: hHeap=0x2680000) returned 1 [0107.965] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe676, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.965] SetLastError (dwErrCode=0x0) [0107.965] WriteFile (in: hFile=0x274, lpBuffer=0x29d2ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ee8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0107.966] GetLastError () returned 0x0 [0107.966] GetLastError () returned 0x0 [0107.966] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe776, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.966] WriteFile (in: hFile=0x274, lpBuffer=0x29d27b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d27b0*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0107.966] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xe876, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.966] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3b57c545, dwHighDateTime=0x1d5f971)) [0107.966] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0107.966] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0107.966] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0107.966] GetProcessHeap () returned 0xbc0000 [0107.966] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xe676) returned 0xbf3640 [0107.966] GetSystemDefaultLangID () returned 0xbd0409 [0107.966] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.966] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0xe676, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0xe676, lpOverlapped=0x0) returned 1 [0107.969] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.969] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0xe676, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0xe676, lpOverlapped=0x0) returned 1 [0107.970] GetProcessHeap () returned 0xbc0000 [0107.970] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0107.970] CloseHandle (hObject=0x274) returned 1 [0107.970] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ee8 | out: hHeap=0x2680000) returned 1 [0107.970] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d27b0 | out: hHeap=0x2680000) returned 1 [0107.970] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.970] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea28 | out: hHeap=0x2680000) returned 1 [0107.970] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0107.970] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\UVoy.avi" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\uvoy.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\UVoy.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\uvoy.avi.nefilim")) returned 1 [0107.970] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0107.970] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0107.970] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa723ec20, ftCreationTime.dwHighDateTime=0x1d5e7af, ftLastAccessTime.dwLowDateTime=0x94addb10, ftLastAccessTime.dwHighDateTime=0x1d5ea51, ftLastWriteTime.dwLowDateTime=0x94addb10, ftLastWriteTime.dwHighDateTime=0x1d5ea51, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268bd90, dwReserved1=0x2000000, cFileName="yqrTkSjS9saLbC_eWbG", cAlternateFileName="YQRTKS~1")) returned 1 [0107.970] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2=".") returned 1 [0107.970] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="..") returned 1 [0107.970] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="...") returned 1 [0107.970] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="windows") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="$RECYCLE.BIN") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="rsa") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="NTDETECT.COM") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="ntldr") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="MSDOS.SYS") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="IO.SYS") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="boot.ini") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="AUTOEXEC.BAT") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="ntuser.dat") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="desktop.ini") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="CONFIG.SYS") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="RECYCLER") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="BOOTSECT.BAK") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="bootmgr") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="programdata") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="appdata") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="program files") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="program files (x86)") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="microsoft") returned 1 [0107.971] lstrcmpiW (lpString1="yqrTkSjS9saLbC_eWbG", lpString2="sophos") returned 1 [0107.971] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e360 [0107.971] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0107.971] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0107.971] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec90 [0107.971] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268ed18 [0107.971] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\yqrTkSjS9saLbC_eWbG\\*.*", lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa723ec20, ftCreationTime.dwHighDateTime=0x1d5e7af, ftLastAccessTime.dwLowDateTime=0x94addb10, ftLastAccessTime.dwHighDateTime=0x1d5ea51, ftLastWriteTime.dwLowDateTime=0x94addb10, ftLastWriteTime.dwHighDateTime=0x1d5ea51, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e360, dwReserved1=0x3000000, cFileName=".", cAlternateFileName="")) returned 0xbe2a48 [0107.971] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0107.971] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa723ec20, ftCreationTime.dwHighDateTime=0x1d5e7af, ftLastAccessTime.dwLowDateTime=0x94addb10, ftLastAccessTime.dwHighDateTime=0x1d5ea51, ftLastWriteTime.dwLowDateTime=0x94addb10, ftLastWriteTime.dwHighDateTime=0x1d5ea51, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e360, dwReserved1=0x3000000, cFileName="..", cAlternateFileName="")) returned 1 [0107.971] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0107.971] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0107.972] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5eb83f90, ftCreationTime.dwHighDateTime=0x1d5ea89, ftLastAccessTime.dwLowDateTime=0xc62b020, ftLastAccessTime.dwHighDateTime=0x1d5e63f, ftLastWriteTime.dwLowDateTime=0xc62b020, ftLastWriteTime.dwHighDateTime=0x1d5e63f, nFileSizeHigh=0x0, nFileSizeLow=0x1578, dwReserved0=0x268e360, dwReserved1=0x3000000, cFileName="2yUQ.avi", cAlternateFileName="")) returned 1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2=".") returned 1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="..") returned 1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="...") returned 1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="windows") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="$RECYCLE.BIN") returned 1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="rsa") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="NTDETECT.COM") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="ntldr") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="MSDOS.SYS") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="IO.SYS") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="boot.ini") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="AUTOEXEC.BAT") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="ntuser.dat") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="desktop.ini") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="CONFIG.SYS") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="RECYCLER") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="BOOTSECT.BAK") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="bootmgr") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="programdata") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="appdata") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="program files") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="program files (x86)") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="microsoft") returned -1 [0107.972] lstrcmpiW (lpString1="2yUQ.avi", lpString2="sophos") returned -1 [0107.972] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268edb0 [0107.972] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ed18 | out: hHeap=0x2680000) returned 1 [0107.972] PathFindExtensionW (pszPath="2yUQ.avi") returned=".avi" [0107.972] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0107.972] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0107.972] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0107.972] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0107.972] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0107.972] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0107.972] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0107.972] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0107.973] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0107.973] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0107.973] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0107.973] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0107.973] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0107.973] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0107.973] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0107.973] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0107.973] lstrcmpiW (lpString1="2yUQ.avi", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.973] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268ed18 [0107.973] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\yqrTkSjS9saLbC_eWbG\\2yUQ.avi" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\yqrtksjs9salbc_ewbg\\2yuq.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0107.973] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x25be198 | out: lpFileSize=0x25be198*=5496) returned 1 [0107.973] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.973] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268eb60 [0107.973] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.973] SystemFunction036 (in: RandomBuffer=0x268eb60, RandomBufferLength=0x10 | out: RandomBuffer=0x268eb60) returned 1 [0107.973] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d27b0 [0107.973] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0107.973] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d27b0*, pdwDataLen=0x25be158*=0x10, dwBufLen=0x100 | out: pbData=0x29d27b0*, pdwDataLen=0x25be158*=0x100) returned 1 [0107.974] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25be154*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25be154*=0x100) returned 1 [0107.975] GetTickCount () returned 0x115c1f5 [0107.975] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0107.975] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0107.975] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x1578, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.975] SetLastError (dwErrCode=0x0) [0107.975] WriteFile (in: hFile=0x278, lpBuffer=0x29d27b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d27b0*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0107.976] GetLastError () returned 0x0 [0107.976] GetLastError () returned 0x0 [0107.976] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x1678, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.976] WriteFile (in: hFile=0x278, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0107.976] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x1778, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.976] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be16c | out: lpSystemTimeAsFileTime=0x25be16c*(dwLowDateTime=0x3b5a2796, dwHighDateTime=0x1d5f971)) [0107.976] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0107.976] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0107.976] WriteFile (in: hFile=0x278, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be1b0*=0x7, lpOverlapped=0x0) returned 1 [0107.976] GetProcessHeap () returned 0xbc0000 [0107.977] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1578) returned 0xbf4648 [0107.978] GetSystemDefaultLangID () returned 0xbd0409 [0107.978] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.978] ReadFile (in: hFile=0x278, lpBuffer=0xbf4648, nNumberOfBytesToRead=0x1578, lpNumberOfBytesRead=0x25be1bc, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesRead=0x25be1bc*=0x1578, lpOverlapped=0x0) returned 1 [0107.978] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.978] WriteFile (in: hFile=0x278, lpBuffer=0xbf4648*, nNumberOfBytesToWrite=0x1578, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesWritten=0x25be1b0*=0x1578, lpOverlapped=0x0) returned 1 [0107.978] GetProcessHeap () returned 0xbc0000 [0107.978] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf4648 | out: hHeap=0xbc0000) returned 1 [0107.978] CloseHandle (hObject=0x278) returned 1 [0107.978] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d27b0 | out: hHeap=0x2680000) returned 1 [0107.978] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0107.978] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eb60 | out: hHeap=0x2680000) returned 1 [0107.979] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ee48 [0107.979] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\yqrTkSjS9saLbC_eWbG\\2yUQ.avi" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\yqrtksjs9salbc_ewbg\\2yuq.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\yqrTkSjS9saLbC_eWbG\\2yUQ.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\yqrtksjs9salbc_ewbg\\2yuq.avi.nefilim")) returned 1 [0107.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ee48 | out: hHeap=0x2680000) returned 1 [0107.979] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ed18 | out: hHeap=0x2680000) returned 1 [0107.979] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcab0c2d0, ftCreationTime.dwHighDateTime=0x1d5ec23, ftLastAccessTime.dwLowDateTime=0x10556c30, ftLastAccessTime.dwHighDateTime=0x1d5e591, ftLastWriteTime.dwLowDateTime=0x10556c30, ftLastWriteTime.dwHighDateTime=0x1d5e591, nFileSizeHigh=0x0, nFileSizeLow=0x942f, dwReserved0=0x268e360, dwReserved1=0x3000000, cFileName="j7TftBvi.avi", cAlternateFileName="")) returned 1 [0107.979] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2=".") returned 1 [0107.979] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="..") returned 1 [0107.979] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="...") returned 1 [0107.979] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="windows") returned -1 [0107.979] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="$RECYCLE.BIN") returned 1 [0107.979] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="rsa") returned -1 [0107.979] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="NTDETECT.COM") returned -1 [0107.979] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="ntldr") returned -1 [0107.979] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="MSDOS.SYS") returned -1 [0107.979] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="IO.SYS") returned 1 [0107.979] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="boot.ini") returned 1 [0107.980] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="AUTOEXEC.BAT") returned 1 [0107.980] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="ntuser.dat") returned -1 [0107.980] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="desktop.ini") returned 1 [0107.980] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="CONFIG.SYS") returned 1 [0107.980] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="RECYCLER") returned -1 [0107.980] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="BOOTSECT.BAK") returned 1 [0107.980] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="bootmgr") returned 1 [0107.980] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="programdata") returned -1 [0107.980] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="appdata") returned 1 [0107.980] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="program files") returned -1 [0107.980] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="program files (x86)") returned -1 [0107.980] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="microsoft") returned -1 [0107.980] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="sophos") returned -1 [0107.980] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ee48 [0107.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268edb0 | out: hHeap=0x2680000) returned 1 [0107.980] PathFindExtensionW (pszPath="j7TftBvi.avi") returned=".avi" [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0107.980] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0107.980] lstrcmpiW (lpString1="j7TftBvi.avi", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0107.980] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268eef0 [0107.980] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\yqrTkSjS9saLbC_eWbG\\j7TftBvi.avi" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\yqrtksjs9salbc_ewbg\\j7tftbvi.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0107.981] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x25be198 | out: lpFileSize=0x25be198*=37935) returned 1 [0107.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268ea10 [0107.981] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.981] SystemFunction036 (in: RandomBuffer=0x268ea10, RandomBufferLength=0x10 | out: RandomBuffer=0x268ea10) returned 1 [0107.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3308 [0107.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2498 [0107.981] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3308*, pdwDataLen=0x25be158*=0x10, dwBufLen=0x100 | out: pbData=0x29d3308*, pdwDataLen=0x25be158*=0x100) returned 1 [0107.981] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2498*, pdwDataLen=0x25be154*=0x10, dwBufLen=0x100 | out: pbData=0x29d2498*, pdwDataLen=0x25be154*=0x100) returned 1 [0107.981] GetTickCount () returned 0x115c1f5 [0107.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0107.981] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0107.981] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x942f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.982] SetLastError (dwErrCode=0x0) [0107.982] WriteFile (in: hFile=0x278, lpBuffer=0x29d3308*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d3308*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0107.982] GetLastError () returned 0x0 [0107.982] GetLastError () returned 0x0 [0107.982] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x952f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.982] WriteFile (in: hFile=0x278, lpBuffer=0x29d2498*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d2498*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0107.983] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x962f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.983] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be16c | out: lpSystemTimeAsFileTime=0x25be16c*(dwLowDateTime=0x3b5a2796, dwHighDateTime=0x1d5f971)) [0107.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0107.983] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0107.983] WriteFile (in: hFile=0x278, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be1b0*=0x7, lpOverlapped=0x0) returned 1 [0107.983] GetProcessHeap () returned 0xbc0000 [0107.983] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x942f) returned 0xbf4648 [0107.983] GetSystemDefaultLangID () returned 0xbd0409 [0107.983] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.983] ReadFile (in: hFile=0x278, lpBuffer=0xbf4648, nNumberOfBytesToRead=0x942f, lpNumberOfBytesRead=0x25be1bc, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesRead=0x25be1bc*=0x942f, lpOverlapped=0x0) returned 1 [0107.985] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.985] WriteFile (in: hFile=0x278, lpBuffer=0xbf4648*, nNumberOfBytesToWrite=0x942f, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesWritten=0x25be1b0*=0x942f, lpOverlapped=0x0) returned 1 [0107.989] GetProcessHeap () returned 0xbc0000 [0107.989] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf4648 | out: hHeap=0xbc0000) returned 1 [0107.989] CloseHandle (hObject=0x278) returned 1 [0107.989] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3308 | out: hHeap=0x2680000) returned 1 [0107.989] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2498 | out: hHeap=0x2680000) returned 1 [0107.989] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0107.989] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea10 | out: hHeap=0x2680000) returned 1 [0107.989] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268ed18 [0107.989] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\yqrTkSjS9saLbC_eWbG\\j7TftBvi.avi" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\yqrtksjs9salbc_ewbg\\j7tftbvi.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\yqrTkSjS9saLbC_eWbG\\j7TftBvi.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\yqrtksjs9salbc_ewbg\\j7tftbvi.avi.nefilim")) returned 1 [0107.989] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ed18 | out: hHeap=0x2680000) returned 1 [0107.989] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eef0 | out: hHeap=0x2680000) returned 1 [0107.990] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbf64f20, ftCreationTime.dwHighDateTime=0x1d5edb8, ftLastAccessTime.dwLowDateTime=0xe1644790, ftLastAccessTime.dwHighDateTime=0x1d5e962, ftLastWriteTime.dwLowDateTime=0xe1644790, ftLastWriteTime.dwHighDateTime=0x1d5e962, nFileSizeHigh=0x0, nFileSizeLow=0xb76e, dwReserved0=0x268e360, dwReserved1=0x3000000, cFileName="P23gYL-yGu0sDOV7.mp4", cAlternateFileName="P23GYL~1.MP4")) returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2=".") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="..") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="...") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="windows") returned -1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="$RECYCLE.BIN") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="rsa") returned -1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="NTDETECT.COM") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="ntldr") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="MSDOS.SYS") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="IO.SYS") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="boot.ini") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="ntuser.dat") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="desktop.ini") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="CONFIG.SYS") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="RECYCLER") returned -1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="BOOTSECT.BAK") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="bootmgr") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="programdata") returned -1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="appdata") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="program files") returned -1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="program files (x86)") returned -1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="microsoft") returned 1 [0107.990] lstrcmpiW (lpString1="P23gYL-yGu0sDOV7.mp4", lpString2="sophos") returned -1 [0107.990] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268eef0 [0107.990] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ee48 | out: hHeap=0x2680000) returned 1 [0107.990] PathFindExtensionW (pszPath="P23gYL-yGu0sDOV7.mp4") returned=".mp4" [0107.990] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0107.990] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0107.990] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0107.990] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0107.990] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0107.990] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0107.990] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0107.991] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0107.991] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0107.991] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0107.991] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0107.991] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0107.991] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0107.991] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59045d0, ftCreationTime.dwHighDateTime=0x1d5f087, ftLastAccessTime.dwLowDateTime=0x42fca410, ftLastAccessTime.dwHighDateTime=0x1d5ee2d, ftLastWriteTime.dwLowDateTime=0x42fca410, ftLastWriteTime.dwHighDateTime=0x1d5ee2d, nFileSizeHigh=0x0, nFileSizeLow=0x15fcc, dwReserved0=0x268e360, dwReserved1=0x3000000, cFileName="YQSaAOFG6UbuDjfqBee.swf", cAlternateFileName="YQSAAO~1.SWF")) returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2=".") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="..") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="...") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="windows") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="$RECYCLE.BIN") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="rsa") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="NTDETECT.COM") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="ntldr") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="MSDOS.SYS") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="IO.SYS") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="boot.ini") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="AUTOEXEC.BAT") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="ntuser.dat") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="desktop.ini") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="CONFIG.SYS") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="RECYCLER") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="BOOTSECT.BAK") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="bootmgr") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="programdata") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="appdata") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="program files") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="program files (x86)") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="microsoft") returned 1 [0107.991] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="sophos") returned 1 [0107.991] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268ed18 [0107.991] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eef0 | out: hHeap=0x2680000) returned 1 [0107.991] PathFindExtensionW (pszPath="YQSaAOFG6UbuDjfqBee.swf") returned=".swf" [0107.991] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0107.991] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0107.991] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0107.992] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0107.992] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0107.992] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0107.992] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0107.992] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0107.992] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0107.992] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0107.992] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0107.992] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0107.992] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0107.992] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0107.992] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0107.992] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0107.992] lstrcmpiW (lpString1="YQSaAOFG6UbuDjfqBee.swf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0107.992] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268edd0 [0107.992] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\yqrTkSjS9saLbC_eWbG\\YQSaAOFG6UbuDjfqBee.swf" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\yqrtksjs9salbc_ewbg\\yqsaaofg6ubudjfqbee.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0107.992] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x25be198 | out: lpFileSize=0x25be198*=90060) returned 1 [0107.992] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0107.992] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268eb18 [0107.992] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0107.992] SystemFunction036 (in: RandomBuffer=0x268eb18, RandomBufferLength=0x10 | out: RandomBuffer=0x268eb18) returned 1 [0107.992] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0107.992] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ff0 [0107.992] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25be158*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25be158*=0x100) returned 1 [0107.994] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ff0*, pdwDataLen=0x25be154*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ff0*, pdwDataLen=0x25be154*=0x100) returned 1 [0107.995] GetTickCount () returned 0x115c204 [0107.995] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5a8 [0107.995] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5a8 | out: hHeap=0x2680000) returned 1 [0107.995] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x15fcc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.995] SetLastError (dwErrCode=0x0) [0107.995] WriteFile (in: hFile=0x278, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0107.996] GetLastError () returned 0x0 [0107.996] GetLastError () returned 0x0 [0107.996] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x160cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.996] WriteFile (in: hFile=0x278, lpBuffer=0x29d2ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ff0*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0107.996] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x161cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.996] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be16c | out: lpSystemTimeAsFileTime=0x25be16c*(dwLowDateTime=0x3b5c8a24, dwHighDateTime=0x1d5f971)) [0107.996] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0107.997] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0107.997] WriteFile (in: hFile=0x278, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be1b0*=0x7, lpOverlapped=0x0) returned 1 [0107.997] GetProcessHeap () returned 0xbc0000 [0107.997] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x15fcc) returned 0xbf4648 [0107.997] GetSystemDefaultLangID () returned 0xbd0409 [0107.997] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0107.997] ReadFile (in: hFile=0x278, lpBuffer=0xbf4648, nNumberOfBytesToRead=0x15fcc, lpNumberOfBytesRead=0x25be1bc, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesRead=0x25be1bc*=0x15fcc, lpOverlapped=0x0) returned 1 [0108.002] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.002] WriteFile (in: hFile=0x278, lpBuffer=0xbf4648*, nNumberOfBytesToWrite=0x15fcc, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesWritten=0x25be1b0*=0x15fcc, lpOverlapped=0x0) returned 1 [0108.002] GetProcessHeap () returned 0xbc0000 [0108.002] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf4648 | out: hHeap=0xbc0000) returned 1 [0108.002] CloseHandle (hObject=0x278) returned 1 [0108.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0108.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ff0 | out: hHeap=0x2680000) returned 1 [0108.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eb18 | out: hHeap=0x2680000) returned 1 [0108.002] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268ee88 [0108.002] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\yqrTkSjS9saLbC_eWbG\\YQSaAOFG6UbuDjfqBee.swf" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\yqrtksjs9salbc_ewbg\\yqsaaofg6ubudjfqbee.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\QA60XTAA\\yqrTkSjS9saLbC_eWbG\\YQSaAOFG6UbuDjfqBee.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\qa60xtaa\\yqrtksjs9salbc_ewbg\\yqsaaofg6ubudjfqbee.swf.nefilim")) returned 1 [0108.003] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ee88 | out: hHeap=0x2680000) returned 1 [0108.003] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268edd0 | out: hHeap=0x2680000) returned 1 [0108.003] FindNextFileW (in: hFindFile=0xbe2a48, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59045d0, ftCreationTime.dwHighDateTime=0x1d5f087, ftLastAccessTime.dwLowDateTime=0x42fca410, ftLastAccessTime.dwHighDateTime=0x1d5ee2d, ftLastWriteTime.dwLowDateTime=0x42fca410, ftLastWriteTime.dwHighDateTime=0x1d5ee2d, nFileSizeHigh=0x0, nFileSizeLow=0x15fcc, dwReserved0=0x268e360, dwReserved1=0x3000000, cFileName="YQSaAOFG6UbuDjfqBee.swf", cAlternateFileName="YQSAAO~1.SWF")) returned 0 [0108.003] FindClose (in: hFindFile=0xbe2a48 | out: hFindFile=0xbe2a48) returned 1 [0108.003] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ed18 | out: hHeap=0x2680000) returned 1 [0108.003] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec90 | out: hHeap=0x2680000) returned 1 [0108.003] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0108.003] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa723ec20, ftCreationTime.dwHighDateTime=0x1d5e7af, ftLastAccessTime.dwLowDateTime=0x94addb10, ftLastAccessTime.dwHighDateTime=0x1d5ea51, ftLastWriteTime.dwLowDateTime=0x94addb10, ftLastWriteTime.dwHighDateTime=0x1d5ea51, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268bd90, dwReserved1=0x2000000, cFileName="yqrTkSjS9saLbC_eWbG", cAlternateFileName="YQRTKS~1")) returned 0 [0108.003] FindClose (in: hFindFile=0xbe29c8 | out: hFindFile=0xbe29c8) returned 1 [0108.003] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0108.003] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0108.003] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0108.003] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6661eb10, ftCreationTime.dwHighDateTime=0x1d5ea89, ftLastAccessTime.dwLowDateTime=0xd573fbc0, ftLastAccessTime.dwHighDateTime=0x1d5ed12, ftLastWriteTime.dwLowDateTime=0xd573fbc0, ftLastWriteTime.dwHighDateTime=0x1d5ed12, nFileSizeHigh=0x0, nFileSizeLow=0x7b3a, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="r8b76W0gZLWxKjVo7Z.avi", cAlternateFileName="R8B76W~1.AVI")) returned 1 [0108.003] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2=".") returned 1 [0108.003] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="..") returned 1 [0108.004] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="...") returned 1 [0108.004] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="windows") returned -1 [0108.004] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="$RECYCLE.BIN") returned 1 [0108.004] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="rsa") returned -1 [0108.004] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="NTDETECT.COM") returned 1 [0108.004] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="ntldr") returned 1 [0108.004] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="MSDOS.SYS") returned 1 [0108.004] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="IO.SYS") returned 1 [0108.004] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="boot.ini") returned 1 [0108.004] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="AUTOEXEC.BAT") returned 1 [0108.004] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="ntuser.dat") returned 1 [0108.054] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="desktop.ini") returned 1 [0108.054] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="CONFIG.SYS") returned 1 [0108.054] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="RECYCLER") returned -1 [0108.054] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="BOOTSECT.BAK") returned 1 [0108.054] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="bootmgr") returned 1 [0108.054] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="programdata") returned 1 [0108.054] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="appdata") returned 1 [0108.054] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="program files") returned 1 [0108.055] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="program files (x86)") returned 1 [0108.055] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="microsoft") returned 1 [0108.055] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="sophos") returned -1 [0108.055] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bdf8 [0108.055] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0108.055] PathFindExtensionW (pszPath="r8b76W0gZLWxKjVo7Z.avi") returned=".avi" [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0108.055] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0108.055] lstrcmpiW (lpString1="r8b76W0gZLWxKjVo7Z.avi", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0108.055] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0108.055] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\r8b76W0gZLWxKjVo7Z.avi" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\r8b76w0gzlwxkjvo7z.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0108.056] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=31546) returned 1 [0108.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e9b0 [0108.056] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.056] SystemFunction036 (in: RandomBuffer=0x268e9b0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e9b0) returned 1 [0108.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3308 [0108.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2498 [0108.056] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3308*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3308*, pdwDataLen=0x25be798*=0x100) returned 1 [0108.056] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2498*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2498*, pdwDataLen=0x25be794*=0x100) returned 1 [0108.056] GetTickCount () returned 0x115c243 [0108.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0108.056] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0108.056] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7b3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.056] SetLastError (dwErrCode=0x0) [0108.056] WriteFile (in: hFile=0x270, lpBuffer=0x29d3308*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3308*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0108.057] GetLastError () returned 0x0 [0108.057] GetLastError () returned 0x0 [0108.057] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7c3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.057] WriteFile (in: hFile=0x270, lpBuffer=0x29d2498*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2498*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0108.057] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x7d3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.057] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3b6612c5, dwHighDateTime=0x1d5f971)) [0108.058] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812d0 [0108.058] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812d0 | out: hHeap=0x2680000) returned 1 [0108.058] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0108.058] GetProcessHeap () returned 0xbc0000 [0108.058] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x7b3a) returned 0xbf2638 [0108.058] GetSystemDefaultLangID () returned 0xbd0409 [0108.058] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.058] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x7b3a, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x7b3a, lpOverlapped=0x0) returned 1 [0108.059] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.059] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x7b3a, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x7b3a, lpOverlapped=0x0) returned 1 [0108.060] GetProcessHeap () returned 0xbc0000 [0108.060] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0108.060] CloseHandle (hObject=0x270) returned 1 [0108.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3308 | out: hHeap=0x2680000) returned 1 [0108.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2498 | out: hHeap=0x2680000) returned 1 [0108.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9b0 | out: hHeap=0x2680000) returned 1 [0108.060] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e360 [0108.060] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\r8b76W0gZLWxKjVo7Z.avi" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\r8b76w0gzlwxkjvo7z.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\6IKfM4zP\\r8b76W0gZLWxKjVo7Z.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\6ikfm4zp\\r8b76w0gzlwxkjvo7z.avi.nefilim")) returned 1 [0108.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0108.060] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0108.061] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6661eb10, ftCreationTime.dwHighDateTime=0x1d5ea89, ftLastAccessTime.dwLowDateTime=0xd573fbc0, ftLastAccessTime.dwHighDateTime=0x1d5ed12, ftLastWriteTime.dwLowDateTime=0xd573fbc0, ftLastWriteTime.dwHighDateTime=0x1d5ed12, nFileSizeHigh=0x0, nFileSizeLow=0x7b3a, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="r8b76W0gZLWxKjVo7Z.avi", cAlternateFileName="R8B76W~1.AVI")) returned 0 [0108.061] FindClose (in: hFindFile=0xbe2608 | out: hFindFile=0xbe2608) returned 1 [0108.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0108.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0108.061] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x43f94523, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x43f94523, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x1f8, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.061] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0108.061] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0108.061] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0108.061] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0108.061] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0108.061] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0108.061] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0108.061] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0108.061] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0108.061] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0108.061] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0108.061] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0108.061] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0108.061] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0108.061] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13c6c730, ftCreationTime.dwHighDateTime=0x1d5e7ec, ftLastAccessTime.dwLowDateTime=0x47f5b770, ftLastAccessTime.dwHighDateTime=0x1d5ee8e, ftLastWriteTime.dwLowDateTime=0x47f5b770, ftLastWriteTime.dwHighDateTime=0x1d5ee8e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="g4sCv", cAlternateFileName="")) returned 1 [0108.061] lstrcmpiW (lpString1="g4sCv", lpString2=".") returned 1 [0108.061] lstrcmpiW (lpString1="g4sCv", lpString2="..") returned 1 [0108.061] lstrcmpiW (lpString1="g4sCv", lpString2="...") returned 1 [0108.061] lstrcmpiW (lpString1="g4sCv", lpString2="windows") returned -1 [0108.061] lstrcmpiW (lpString1="g4sCv", lpString2="$RECYCLE.BIN") returned 1 [0108.061] lstrcmpiW (lpString1="g4sCv", lpString2="rsa") returned -1 [0108.061] lstrcmpiW (lpString1="g4sCv", lpString2="NTDETECT.COM") returned -1 [0108.061] lstrcmpiW (lpString1="g4sCv", lpString2="ntldr") returned -1 [0108.061] lstrcmpiW (lpString1="g4sCv", lpString2="MSDOS.SYS") returned -1 [0108.061] lstrcmpiW (lpString1="g4sCv", lpString2="IO.SYS") returned -1 [0108.061] lstrcmpiW (lpString1="g4sCv", lpString2="boot.ini") returned 1 [0108.061] lstrcmpiW (lpString1="g4sCv", lpString2="AUTOEXEC.BAT") returned 1 [0108.061] lstrcmpiW (lpString1="g4sCv", lpString2="ntuser.dat") returned -1 [0108.062] lstrcmpiW (lpString1="g4sCv", lpString2="desktop.ini") returned 1 [0108.062] lstrcmpiW (lpString1="g4sCv", lpString2="CONFIG.SYS") returned 1 [0108.062] lstrcmpiW (lpString1="g4sCv", lpString2="RECYCLER") returned -1 [0108.062] lstrcmpiW (lpString1="g4sCv", lpString2="BOOTSECT.BAK") returned 1 [0108.062] lstrcmpiW (lpString1="g4sCv", lpString2="bootmgr") returned 1 [0108.062] lstrcmpiW (lpString1="g4sCv", lpString2="programdata") returned -1 [0108.062] lstrcmpiW (lpString1="g4sCv", lpString2="appdata") returned 1 [0108.062] lstrcmpiW (lpString1="g4sCv", lpString2="program files") returned -1 [0108.062] lstrcmpiW (lpString1="g4sCv", lpString2="program files (x86)") returned -1 [0108.062] lstrcmpiW (lpString1="g4sCv", lpString2="microsoft") returned -1 [0108.062] lstrcmpiW (lpString1="g4sCv", lpString2="sophos") returned -1 [0108.062] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.062] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.062] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0108.062] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0108.062] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0108.062] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13c6c730, ftCreationTime.dwHighDateTime=0x1d5e7ec, ftLastAccessTime.dwLowDateTime=0x47f5b770, ftLastAccessTime.dwHighDateTime=0x1d5ee8e, ftLastWriteTime.dwLowDateTime=0x47f5b770, ftLastWriteTime.dwHighDateTime=0x1d5ee8e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName=".", cAlternateFileName="")) returned 0xbe24c8 [0108.062] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.062] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x13c6c730, ftCreationTime.dwHighDateTime=0x1d5e7ec, ftLastAccessTime.dwLowDateTime=0x47f5b770, ftLastAccessTime.dwHighDateTime=0x1d5ee8e, ftLastWriteTime.dwLowDateTime=0x47f5b770, ftLastWriteTime.dwHighDateTime=0x1d5ee8e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="..", cAlternateFileName="")) returned 1 [0108.062] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.062] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.062] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5065b6e0, ftCreationTime.dwHighDateTime=0x1d5e690, ftLastAccessTime.dwLowDateTime=0x899bd0b0, ftLastAccessTime.dwHighDateTime=0x1d5ef06, ftLastWriteTime.dwLowDateTime=0x899bd0b0, ftLastWriteTime.dwHighDateTime=0x1d5ef06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="GGJLC9dTQjwRA", cAlternateFileName="GGJLC9~1")) returned 1 [0108.062] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2=".") returned 1 [0108.062] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="..") returned 1 [0108.062] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="...") returned 1 [0108.062] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="windows") returned -1 [0108.062] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="$RECYCLE.BIN") returned 1 [0108.062] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="rsa") returned -1 [0108.062] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="NTDETECT.COM") returned -1 [0108.062] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="ntldr") returned -1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="MSDOS.SYS") returned -1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="IO.SYS") returned -1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="boot.ini") returned 1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="AUTOEXEC.BAT") returned 1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="ntuser.dat") returned -1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="desktop.ini") returned 1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="CONFIG.SYS") returned 1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="RECYCLER") returned -1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="BOOTSECT.BAK") returned 1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="bootmgr") returned 1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="programdata") returned -1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="appdata") returned 1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="program files") returned -1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="program files (x86)") returned -1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="microsoft") returned -1 [0108.063] lstrcmpiW (lpString1="GGJLC9dTQjwRA", lpString2="sophos") returned -1 [0108.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680510 [0108.063] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0108.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e350 [0108.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0108.063] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5065b6e0, ftCreationTime.dwHighDateTime=0x1d5e690, ftLastAccessTime.dwLowDateTime=0x899bd0b0, ftLastAccessTime.dwHighDateTime=0x1d5ef06, ftLastWriteTime.dwLowDateTime=0x899bd0b0, ftLastWriteTime.dwHighDateTime=0x1d5ef06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe23c8 [0108.063] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.063] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x5065b6e0, ftCreationTime.dwHighDateTime=0x1d5e690, ftLastAccessTime.dwLowDateTime=0x899bd0b0, ftLastAccessTime.dwHighDateTime=0x1d5ef06, ftLastWriteTime.dwLowDateTime=0x899bd0b0, ftLastWriteTime.dwHighDateTime=0x1d5ef06, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.063] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.063] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.063] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe8500e30, ftCreationTime.dwHighDateTime=0x1d5e94a, ftLastAccessTime.dwLowDateTime=0xa57917e0, ftLastAccessTime.dwHighDateTime=0x1d5e626, ftLastWriteTime.dwLowDateTime=0xa57917e0, ftLastWriteTime.dwHighDateTime=0x1d5e626, nFileSizeHigh=0x0, nFileSizeLow=0x12f34, dwReserved0=0x0, dwReserved1=0x0, cFileName="4v9txv-8T1unQ 7bs.swf", cAlternateFileName="4V9TXV~1.SWF")) returned 1 [0108.063] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2=".") returned 1 [0108.063] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="..") returned 1 [0108.063] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="...") returned 1 [0108.063] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="windows") returned -1 [0108.063] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="$RECYCLE.BIN") returned 1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="rsa") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="NTDETECT.COM") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="ntldr") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="MSDOS.SYS") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="IO.SYS") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="boot.ini") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="AUTOEXEC.BAT") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="ntuser.dat") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="desktop.ini") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="CONFIG.SYS") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="RECYCLER") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="BOOTSECT.BAK") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="bootmgr") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="programdata") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="appdata") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="program files") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="program files (x86)") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="microsoft") returned -1 [0108.064] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="sophos") returned -1 [0108.064] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bdf8 [0108.064] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0108.064] PathFindExtensionW (pszPath="4v9txv-8T1unQ 7bs.swf") returned=".swf" [0108.064] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0108.064] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0108.064] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0108.064] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0108.064] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0108.064] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0108.064] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0108.064] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0108.064] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0108.064] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0108.064] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0108.064] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0108.064] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0108.064] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0108.065] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0108.065] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0108.065] lstrcmpiW (lpString1="4v9txv-8T1unQ 7bs.swf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0108.065] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268ec08 [0108.065] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\4v9txv-8T1unQ 7bs.swf" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\4v9txv-8t1unq 7bs.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0108.065] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=77620) returned 1 [0108.065] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.065] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e998 [0108.065] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.065] SystemFunction036 (in: RandomBuffer=0x268e998, RandomBufferLength=0x10 | out: RandomBuffer=0x268e998) returned 1 [0108.065] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3200 [0108.065] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0108.065] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3200*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d3200*, pdwDataLen=0x25be478*=0x100) returned 1 [0108.065] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25be474*=0x100) returned 1 [0108.066] GetTickCount () returned 0x115c243 [0108.066] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0108.066] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0108.066] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x12f34, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.066] SetLastError (dwErrCode=0x0) [0108.066] WriteFile (in: hFile=0x274, lpBuffer=0x29d3200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d3200*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0108.067] GetLastError () returned 0x0 [0108.067] GetLastError () returned 0x0 [0108.067] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x13034, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.067] WriteFile (in: hFile=0x274, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0108.067] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x13134, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.067] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3b6873ec, dwHighDateTime=0x1d5f971)) [0108.067] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0108.067] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0108.067] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0108.067] GetProcessHeap () returned 0xbc0000 [0108.067] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x12f34) returned 0xbf3640 [0108.067] GetSystemDefaultLangID () returned 0xbd0409 [0108.068] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.068] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x12f34, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x12f34, lpOverlapped=0x0) returned 1 [0108.071] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.071] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x12f34, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x12f34, lpOverlapped=0x0) returned 1 [0108.072] GetProcessHeap () returned 0xbc0000 [0108.072] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0108.072] CloseHandle (hObject=0x274) returned 1 [0108.072] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3200 | out: hHeap=0x2680000) returned 1 [0108.072] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0108.072] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.072] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e998 | out: hHeap=0x2680000) returned 1 [0108.072] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268eca0 [0108.072] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\4v9txv-8T1unQ 7bs.swf" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\4v9txv-8t1unq 7bs.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\4v9txv-8T1unQ 7bs.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\4v9txv-8t1unq 7bs.swf.nefilim")) returned 1 [0108.072] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eca0 | out: hHeap=0x2680000) returned 1 [0108.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0108.073] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x666caca0, ftCreationTime.dwHighDateTime=0x1d5e28a, ftLastAccessTime.dwLowDateTime=0x4588380, ftLastAccessTime.dwHighDateTime=0x1d5f113, ftLastWriteTime.dwLowDateTime=0x4588380, ftLastWriteTime.dwHighDateTime=0x1d5f113, nFileSizeHigh=0x0, nFileSizeLow=0x184b4, dwReserved0=0x0, dwReserved1=0x0, cFileName="BEHwI74XOr.swf", cAlternateFileName="BEHWI7~1.SWF")) returned 1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2=".") returned 1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="..") returned 1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="...") returned 1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="windows") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="$RECYCLE.BIN") returned 1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="rsa") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="NTDETECT.COM") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="ntldr") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="MSDOS.SYS") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="IO.SYS") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="boot.ini") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="AUTOEXEC.BAT") returned 1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="ntuser.dat") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="desktop.ini") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="CONFIG.SYS") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="RECYCLER") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="BOOTSECT.BAK") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="bootmgr") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="programdata") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="appdata") returned 1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="program files") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="program files (x86)") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="microsoft") returned -1 [0108.073] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="sophos") returned -1 [0108.073] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0108.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0108.073] PathFindExtensionW (pszPath="BEHwI74XOr.swf") returned=".swf" [0108.073] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0108.073] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0108.073] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0108.073] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0108.073] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0108.073] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0108.073] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0108.074] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0108.074] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0108.074] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0108.074] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0108.074] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0108.074] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0108.074] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0108.074] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0108.074] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0108.074] lstrcmpiW (lpString1="BEHwI74XOr.swf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0108.074] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0108.074] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\BEHwI74XOr.swf" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\behwi74xor.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0108.074] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=99508) returned 1 [0108.074] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.074] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e890 [0108.074] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.074] SystemFunction036 (in: RandomBuffer=0x268e890, RandomBufferLength=0x10 | out: RandomBuffer=0x268e890) returned 1 [0108.074] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3728 [0108.074] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3e60 [0108.074] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3728*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d3728*, pdwDataLen=0x25be478*=0x100) returned 1 [0108.076] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3e60*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d3e60*, pdwDataLen=0x25be474*=0x100) returned 1 [0108.077] GetTickCount () returned 0x115c252 [0108.077] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e420 [0108.077] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e420 | out: hHeap=0x2680000) returned 1 [0108.077] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x184b4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.077] SetLastError (dwErrCode=0x0) [0108.077] WriteFile (in: hFile=0x274, lpBuffer=0x29d3728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d3728*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0108.078] GetLastError () returned 0x0 [0108.078] GetLastError () returned 0x0 [0108.078] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x185b4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.078] WriteFile (in: hFile=0x274, lpBuffer=0x29d3e60*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d3e60*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0108.078] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x186b4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.078] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3b6873ec, dwHighDateTime=0x1d5f971)) [0108.078] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0108.079] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.079] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0108.079] GetProcessHeap () returned 0xbc0000 [0108.079] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x184b4) returned 0xbf3640 [0108.079] GetSystemDefaultLangID () returned 0xbd0409 [0108.079] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.079] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x184b4, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x184b4, lpOverlapped=0x0) returned 1 [0108.085] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.085] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x184b4, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x184b4, lpOverlapped=0x0) returned 1 [0108.085] GetProcessHeap () returned 0xbc0000 [0108.085] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0108.085] CloseHandle (hObject=0x274) returned 1 [0108.085] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3728 | out: hHeap=0x2680000) returned 1 [0108.085] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3e60 | out: hHeap=0x2680000) returned 1 [0108.085] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.085] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e890 | out: hHeap=0x2680000) returned 1 [0108.085] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268be18 [0108.085] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\BEHwI74XOr.swf" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\behwi74xor.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\BEHwI74XOr.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\behwi74xor.swf.nefilim")) returned 1 [0108.086] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be18 | out: hHeap=0x2680000) returned 1 [0108.086] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0108.086] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x93dcd150, ftCreationTime.dwHighDateTime=0x1d5e6e1, ftLastAccessTime.dwLowDateTime=0xfaaed910, ftLastAccessTime.dwHighDateTime=0x1d5eb0e, ftLastWriteTime.dwLowDateTime=0xfaaed910, ftLastWriteTime.dwHighDateTime=0x1d5eb0e, nFileSizeHigh=0x0, nFileSizeLow=0xb70f, dwReserved0=0x0, dwReserved1=0x0, cFileName="CyY3tSty.avi", cAlternateFileName="")) returned 1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2=".") returned 1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="..") returned 1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="...") returned 1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="windows") returned -1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="$RECYCLE.BIN") returned 1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="rsa") returned -1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="NTDETECT.COM") returned -1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="ntldr") returned -1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="MSDOS.SYS") returned -1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="IO.SYS") returned -1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="boot.ini") returned 1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="AUTOEXEC.BAT") returned 1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="ntuser.dat") returned -1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="desktop.ini") returned -1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="CONFIG.SYS") returned 1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="RECYCLER") returned -1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="BOOTSECT.BAK") returned 1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="bootmgr") returned 1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="programdata") returned -1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="appdata") returned 1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="program files") returned -1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="program files (x86)") returned -1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="microsoft") returned -1 [0108.086] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="sophos") returned -1 [0108.086] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0108.086] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0108.087] PathFindExtensionW (pszPath="CyY3tSty.avi") returned=".avi" [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0108.087] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0108.087] lstrcmpiW (lpString1="CyY3tSty.avi", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0108.087] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0108.087] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\CyY3tSty.avi" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\cyy3tsty.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0108.087] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=46863) returned 1 [0108.087] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.087] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e950 [0108.087] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.087] SystemFunction036 (in: RandomBuffer=0x268e950, RandomBufferLength=0x10 | out: RandomBuffer=0x268e950) returned 1 [0108.087] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2180 [0108.087] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3410 [0108.087] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2180*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d2180*, pdwDataLen=0x25be478*=0x100) returned 1 [0108.088] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3410*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d3410*, pdwDataLen=0x25be474*=0x100) returned 1 [0108.089] GetTickCount () returned 0x115c262 [0108.089] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0108.089] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0108.089] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb70f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.089] SetLastError (dwErrCode=0x0) [0108.089] WriteFile (in: hFile=0x274, lpBuffer=0x29d2180*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d2180*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0108.090] GetLastError () returned 0x0 [0108.090] GetLastError () returned 0x0 [0108.090] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb80f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.090] WriteFile (in: hFile=0x274, lpBuffer=0x29d3410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d3410*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0108.090] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xb90f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.090] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3b6ad820, dwHighDateTime=0x1d5f971)) [0108.090] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0108.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0108.090] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0108.091] GetProcessHeap () returned 0xbc0000 [0108.091] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xb70f) returned 0xbf3640 [0108.092] GetSystemDefaultLangID () returned 0xbd0409 [0108.092] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.092] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0xb70f, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0xb70f, lpOverlapped=0x0) returned 1 [0108.094] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.095] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0xb70f, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0xb70f, lpOverlapped=0x0) returned 1 [0108.095] GetProcessHeap () returned 0xbc0000 [0108.095] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0108.095] CloseHandle (hObject=0x274) returned 1 [0108.095] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2180 | out: hHeap=0x2680000) returned 1 [0108.095] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3410 | out: hHeap=0x2680000) returned 1 [0108.095] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.095] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e950 | out: hHeap=0x2680000) returned 1 [0108.095] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0108.095] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\CyY3tSty.avi" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\cyy3tsty.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\CyY3tSty.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\cyy3tsty.avi.nefilim")) returned 1 [0108.096] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0108.096] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0108.096] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd579c6d0, ftCreationTime.dwHighDateTime=0x1d5f0f1, ftLastAccessTime.dwLowDateTime=0xfff21a00, ftLastAccessTime.dwHighDateTime=0x1d5edce, ftLastWriteTime.dwLowDateTime=0xfff21a00, ftLastWriteTime.dwHighDateTime=0x1d5edce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OsuaxPuP PzOnAZWV", cAlternateFileName="OSUAXP~1")) returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2=".") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="..") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="...") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="windows") returned -1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="$RECYCLE.BIN") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="rsa") returned -1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="NTDETECT.COM") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="ntldr") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="MSDOS.SYS") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="IO.SYS") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="boot.ini") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="AUTOEXEC.BAT") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="ntuser.dat") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="desktop.ini") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="CONFIG.SYS") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="RECYCLER") returned -1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="BOOTSECT.BAK") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="bootmgr") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="programdata") returned -1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="appdata") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="program files") returned -1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="program files (x86)") returned -1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="microsoft") returned 1 [0108.096] lstrcmpiW (lpString1="OsuaxPuP PzOnAZWV", lpString2="sophos") returned -1 [0108.096] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0108.096] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0108.096] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0108.096] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec90 [0108.096] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268ed18 [0108.096] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\*.*", lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd579c6d0, ftCreationTime.dwHighDateTime=0x1d5f0f1, ftLastAccessTime.dwLowDateTime=0xfff21a00, ftLastAccessTime.dwHighDateTime=0x1d5edce, ftLastWriteTime.dwLowDateTime=0xfff21a00, ftLastWriteTime.dwHighDateTime=0x1d5edce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName=".", cAlternateFileName="")) returned 0xbe2b08 [0108.097] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.097] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd579c6d0, ftCreationTime.dwHighDateTime=0x1d5f0f1, ftLastAccessTime.dwLowDateTime=0xfff21a00, ftLastAccessTime.dwHighDateTime=0x1d5edce, ftLastWriteTime.dwLowDateTime=0xfff21a00, ftLastWriteTime.dwHighDateTime=0x1d5edce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="..", cAlternateFileName="")) returned 1 [0108.097] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.097] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.097] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1219dc90, ftCreationTime.dwHighDateTime=0x1d5ee65, ftLastAccessTime.dwLowDateTime=0x1700bde0, ftLastAccessTime.dwHighDateTime=0x1d5ea9c, ftLastWriteTime.dwLowDateTime=0x1700bde0, ftLastWriteTime.dwHighDateTime=0x1d5ea9c, nFileSizeHigh=0x0, nFileSizeLow=0x8e0, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="9qrc9wg_zC6MFHVhO.mp4", cAlternateFileName="9QRC9W~1.MP4")) returned 1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2=".") returned 1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="..") returned 1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="...") returned 1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="windows") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="$RECYCLE.BIN") returned 1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="rsa") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="NTDETECT.COM") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="ntldr") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="MSDOS.SYS") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="IO.SYS") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="boot.ini") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="AUTOEXEC.BAT") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="ntuser.dat") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="desktop.ini") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="CONFIG.SYS") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="RECYCLER") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="BOOTSECT.BAK") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="bootmgr") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="programdata") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="appdata") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="program files") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="program files (x86)") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="microsoft") returned -1 [0108.097] lstrcmpiW (lpString1="9qrc9wg_zC6MFHVhO.mp4", lpString2="sophos") returned -1 [0108.097] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268edb0 [0108.097] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ed18 | out: hHeap=0x2680000) returned 1 [0108.097] PathFindExtensionW (pszPath="9qrc9wg_zC6MFHVhO.mp4") returned=".mp4" [0108.098] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0108.147] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0108.147] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0108.147] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0108.147] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0108.147] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0108.147] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0108.147] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0108.147] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0108.147] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0108.147] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0108.147] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0108.147] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0108.147] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42f484b0, ftCreationTime.dwHighDateTime=0x1d5e590, ftLastAccessTime.dwLowDateTime=0x32322070, ftLastAccessTime.dwHighDateTime=0x1d5e819, ftLastWriteTime.dwLowDateTime=0x32322070, ftLastWriteTime.dwHighDateTime=0x1d5e819, nFileSizeHigh=0x0, nFileSizeLow=0x89c9, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="GXmzdZt7JNZ.avi", cAlternateFileName="GXMZDZ~1.AVI")) returned 1 [0108.147] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2=".") returned 1 [0108.147] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="..") returned 1 [0108.147] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="...") returned 1 [0108.147] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="windows") returned -1 [0108.147] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="$RECYCLE.BIN") returned 1 [0108.147] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="rsa") returned -1 [0108.147] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="NTDETECT.COM") returned -1 [0108.147] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="ntldr") returned -1 [0108.147] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="MSDOS.SYS") returned -1 [0108.147] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="IO.SYS") returned -1 [0108.147] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="boot.ini") returned 1 [0108.147] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="AUTOEXEC.BAT") returned 1 [0108.148] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="ntuser.dat") returned -1 [0108.148] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="desktop.ini") returned 1 [0108.148] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="CONFIG.SYS") returned 1 [0108.148] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="RECYCLER") returned -1 [0108.148] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="BOOTSECT.BAK") returned 1 [0108.148] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="bootmgr") returned 1 [0108.148] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="programdata") returned -1 [0108.148] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="appdata") returned 1 [0108.148] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="program files") returned -1 [0108.148] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="program files (x86)") returned -1 [0108.148] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="microsoft") returned -1 [0108.148] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="sophos") returned -1 [0108.148] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ee68 [0108.148] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268edb0 | out: hHeap=0x2680000) returned 1 [0108.148] PathFindExtensionW (pszPath="GXmzdZt7JNZ.avi") returned=".avi" [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".exe") returned -1 [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".log") returned -1 [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".cab") returned -1 [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".cmd") returned -1 [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".com") returned -1 [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".cpl") returned -1 [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".ini") returned -1 [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".dll") returned -1 [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".url") returned -1 [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".ttf") returned -1 [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".mp3") returned -1 [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".pif") returned -1 [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".mp4") returned -1 [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".NEFILIM") returned -1 [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".msi") returned -1 [0108.148] lstrcmpiW (lpString1=".avi", lpString2=".lnk") returned -1 [0108.148] lstrcmpiW (lpString1="GXmzdZt7JNZ.avi", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0108.148] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ef10 [0108.148] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\GXmzdZt7JNZ.avi" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\gxmzdzt7jnz.avi"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0108.149] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x25be198 | out: lpFileSize=0x25be198*=35273) returned 1 [0108.149] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.149] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268ea40 [0108.149] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.149] SystemFunction036 (in: RandomBuffer=0x268ea40, RandomBufferLength=0x10 | out: RandomBuffer=0x268ea40) returned 1 [0108.149] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2bd0 [0108.149] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d27b0 [0108.149] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2bd0*, pdwDataLen=0x25be158*=0x10, dwBufLen=0x100 | out: pbData=0x29d2bd0*, pdwDataLen=0x25be158*=0x100) returned 1 [0108.149] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d27b0*, pdwDataLen=0x25be154*=0x10, dwBufLen=0x100 | out: pbData=0x29d27b0*, pdwDataLen=0x25be154*=0x100) returned 1 [0108.150] GetTickCount () returned 0x115c2a0 [0108.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0108.150] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0108.150] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x89c9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.150] SetLastError (dwErrCode=0x0) [0108.150] WriteFile (in: hFile=0x278, lpBuffer=0x29d2bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d2bd0*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0108.151] GetLastError () returned 0x0 [0108.151] GetLastError () returned 0x0 [0108.151] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x8ac9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.151] WriteFile (in: hFile=0x278, lpBuffer=0x29d27b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d27b0*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0108.151] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x8bc9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.151] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be16c | out: lpSystemTimeAsFileTime=0x25be16c*(dwLowDateTime=0x3b745f0d, dwHighDateTime=0x1d5f971)) [0108.151] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0108.151] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0108.151] WriteFile (in: hFile=0x278, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be1b0*=0x7, lpOverlapped=0x0) returned 1 [0108.151] GetProcessHeap () returned 0xbc0000 [0108.151] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x89c9) returned 0xbf4648 [0108.151] GetSystemDefaultLangID () returned 0xbd0409 [0108.151] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.151] ReadFile (in: hFile=0x278, lpBuffer=0xbf4648, nNumberOfBytesToRead=0x89c9, lpNumberOfBytesRead=0x25be1bc, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesRead=0x25be1bc*=0x89c9, lpOverlapped=0x0) returned 1 [0108.153] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.153] WriteFile (in: hFile=0x278, lpBuffer=0xbf4648*, nNumberOfBytesToWrite=0x89c9, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesWritten=0x25be1b0*=0x89c9, lpOverlapped=0x0) returned 1 [0108.153] GetProcessHeap () returned 0xbc0000 [0108.153] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf4648 | out: hHeap=0xbc0000) returned 1 [0108.154] CloseHandle (hObject=0x278) returned 1 [0108.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2bd0 | out: hHeap=0x2680000) returned 1 [0108.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d27b0 | out: hHeap=0x2680000) returned 1 [0108.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.154] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea40 | out: hHeap=0x2680000) returned 1 [0108.154] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268ed18 [0108.155] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\GXmzdZt7JNZ.avi" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\gxmzdzt7jnz.avi"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\GXmzdZt7JNZ.avi.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\gxmzdzt7jnz.avi.nefilim")) returned 1 [0108.155] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ed18 | out: hHeap=0x2680000) returned 1 [0108.155] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ef10 | out: hHeap=0x2680000) returned 1 [0108.155] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd77c0ff0, ftCreationTime.dwHighDateTime=0x1d5e7b0, ftLastAccessTime.dwLowDateTime=0xac769e20, ftLastAccessTime.dwHighDateTime=0x1d5e363, ftLastWriteTime.dwLowDateTime=0xac769e20, ftLastWriteTime.dwHighDateTime=0x1d5e363, nFileSizeHigh=0x0, nFileSizeLow=0xd431, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="i0SY 45gYIt.swf", cAlternateFileName="I0SY45~1.SWF")) returned 1 [0108.155] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2=".") returned 1 [0108.155] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="..") returned 1 [0108.155] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="...") returned 1 [0108.155] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="windows") returned -1 [0108.155] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="$RECYCLE.BIN") returned 1 [0108.155] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="rsa") returned -1 [0108.155] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="NTDETECT.COM") returned -1 [0108.155] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="ntldr") returned -1 [0108.155] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="MSDOS.SYS") returned -1 [0108.155] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="IO.SYS") returned -1 [0108.155] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="boot.ini") returned 1 [0108.156] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="AUTOEXEC.BAT") returned 1 [0108.156] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="ntuser.dat") returned -1 [0108.156] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="desktop.ini") returned 1 [0108.156] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="CONFIG.SYS") returned 1 [0108.156] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="RECYCLER") returned -1 [0108.156] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="BOOTSECT.BAK") returned 1 [0108.156] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="bootmgr") returned 1 [0108.156] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="programdata") returned -1 [0108.156] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="appdata") returned 1 [0108.156] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="program files") returned -1 [0108.156] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="program files (x86)") returned -1 [0108.156] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="microsoft") returned -1 [0108.156] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="sophos") returned -1 [0108.156] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ef10 [0108.156] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ee68 | out: hHeap=0x2680000) returned 1 [0108.156] PathFindExtensionW (pszPath="i0SY 45gYIt.swf") returned=".swf" [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0108.156] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0108.156] lstrcmpiW (lpString1="i0SY 45gYIt.swf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0108.156] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ed18 [0108.156] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\i0SY 45gYIt.swf" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\i0sy 45gyit.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0108.157] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x25be198 | out: lpFileSize=0x25be198*=54321) returned 1 [0108.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e9f8 [0108.157] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.157] SystemFunction036 (in: RandomBuffer=0x268e9f8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e9f8) returned 1 [0108.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3a40 [0108.157] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3b48 [0108.157] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3a40*, pdwDataLen=0x25be158*=0x10, dwBufLen=0x100 | out: pbData=0x29d3a40*, pdwDataLen=0x25be158*=0x100) returned 1 [0108.158] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3b48*, pdwDataLen=0x25be154*=0x10, dwBufLen=0x100 | out: pbData=0x29d3b48*, pdwDataLen=0x25be154*=0x100) returned 1 [0108.159] GetTickCount () returned 0x115c2a0 [0108.159] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0108.159] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0108.159] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0xd431, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.159] SetLastError (dwErrCode=0x0) [0108.159] WriteFile (in: hFile=0x278, lpBuffer=0x29d3a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d3a40*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0108.160] GetLastError () returned 0x0 [0108.160] GetLastError () returned 0x0 [0108.160] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0xd531, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.160] WriteFile (in: hFile=0x278, lpBuffer=0x29d3b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d3b48*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0108.160] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0xd631, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.160] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be16c | out: lpSystemTimeAsFileTime=0x25be16c*(dwLowDateTime=0x3b745f0d, dwHighDateTime=0x1d5f971)) [0108.160] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0108.160] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0108.160] WriteFile (in: hFile=0x278, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be1b0*=0x7, lpOverlapped=0x0) returned 1 [0108.160] GetProcessHeap () returned 0xbc0000 [0108.160] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xd431) returned 0xbf4648 [0108.160] GetSystemDefaultLangID () returned 0xbd0409 [0108.160] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.160] ReadFile (in: hFile=0x278, lpBuffer=0xbf4648, nNumberOfBytesToRead=0xd431, lpNumberOfBytesRead=0x25be1bc, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesRead=0x25be1bc*=0xd431, lpOverlapped=0x0) returned 1 [0108.163] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.163] WriteFile (in: hFile=0x278, lpBuffer=0xbf4648*, nNumberOfBytesToWrite=0xd431, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesWritten=0x25be1b0*=0xd431, lpOverlapped=0x0) returned 1 [0108.164] GetProcessHeap () returned 0xbc0000 [0108.164] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf4648 | out: hHeap=0xbc0000) returned 1 [0108.164] CloseHandle (hObject=0x278) returned 1 [0108.164] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3a40 | out: hHeap=0x2680000) returned 1 [0108.164] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3b48 | out: hHeap=0x2680000) returned 1 [0108.164] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.164] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9f8 | out: hHeap=0x2680000) returned 1 [0108.164] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268edc0 [0108.164] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\i0SY 45gYIt.swf" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\i0sy 45gyit.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\i0SY 45gYIt.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\i0sy 45gyit.swf.nefilim")) returned 1 [0108.164] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268edc0 | out: hHeap=0x2680000) returned 1 [0108.165] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ed18 | out: hHeap=0x2680000) returned 1 [0108.165] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x890c2150, ftCreationTime.dwHighDateTime=0x1d5e104, ftLastAccessTime.dwLowDateTime=0x1d293630, ftLastAccessTime.dwHighDateTime=0x1d5e47e, ftLastWriteTime.dwLowDateTime=0x1d293630, ftLastWriteTime.dwHighDateTime=0x1d5e47e, nFileSizeHigh=0x0, nFileSizeLow=0xd2b5, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="ik_DuKrwQ-b5CJ3V.mkv", cAlternateFileName="IK_DUK~1.MKV")) returned 1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2=".") returned 1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="..") returned 1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="...") returned 1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="windows") returned -1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="$RECYCLE.BIN") returned 1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="rsa") returned -1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="NTDETECT.COM") returned -1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="ntldr") returned -1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="MSDOS.SYS") returned -1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="IO.SYS") returned -1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="boot.ini") returned 1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="ntuser.dat") returned -1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="desktop.ini") returned 1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="CONFIG.SYS") returned 1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="RECYCLER") returned -1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="BOOTSECT.BAK") returned 1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="bootmgr") returned 1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="programdata") returned -1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="appdata") returned 1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="program files") returned -1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="program files (x86)") returned -1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="microsoft") returned -1 [0108.165] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="sophos") returned -1 [0108.165] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268ed18 [0108.165] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ef10 | out: hHeap=0x2680000) returned 1 [0108.165] PathFindExtensionW (pszPath="ik_DuKrwQ-b5CJ3V.mkv") returned=".mkv" [0108.165] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0108.165] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0108.165] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0108.165] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0108.165] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0108.165] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0108.165] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0108.166] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0108.166] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0108.166] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0108.166] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0108.166] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0108.166] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0108.166] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0108.166] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0108.166] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0108.166] lstrcmpiW (lpString1="ik_DuKrwQ-b5CJ3V.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0108.166] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268edd0 [0108.166] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\ik_DuKrwQ-b5CJ3V.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\ik_dukrwq-b5cj3v.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0108.166] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x25be198 | out: lpFileSize=0x25be198*=53941) returned 1 [0108.166] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.166] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e8c0 [0108.166] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.166] SystemFunction036 (in: RandomBuffer=0x268e8c0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e8c0) returned 1 [0108.166] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2078 [0108.166] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2288 [0108.166] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2078*, pdwDataLen=0x25be158*=0x10, dwBufLen=0x100 | out: pbData=0x29d2078*, pdwDataLen=0x25be158*=0x100) returned 1 [0108.166] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2288*, pdwDataLen=0x25be154*=0x10, dwBufLen=0x100 | out: pbData=0x29d2288*, pdwDataLen=0x25be154*=0x100) returned 1 [0108.167] GetTickCount () returned 0x115c2b0 [0108.167] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e570 [0108.167] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e570 | out: hHeap=0x2680000) returned 1 [0108.167] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0xd2b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.167] SetLastError (dwErrCode=0x0) [0108.167] WriteFile (in: hFile=0x278, lpBuffer=0x29d2078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d2078*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0108.168] GetLastError () returned 0x0 [0108.168] GetLastError () returned 0x0 [0108.168] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0xd3b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.168] WriteFile (in: hFile=0x278, lpBuffer=0x29d2288*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d2288*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0108.168] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0xd4b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.168] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be16c | out: lpSystemTimeAsFileTime=0x25be16c*(dwLowDateTime=0x3b76c195, dwHighDateTime=0x1d5f971)) [0108.168] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0108.168] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0108.168] WriteFile (in: hFile=0x278, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be1b0*=0x7, lpOverlapped=0x0) returned 1 [0108.168] GetProcessHeap () returned 0xbc0000 [0108.168] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xd2b5) returned 0xbf4648 [0108.168] GetSystemDefaultLangID () returned 0xbd0409 [0108.168] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.168] ReadFile (in: hFile=0x278, lpBuffer=0xbf4648, nNumberOfBytesToRead=0xd2b5, lpNumberOfBytesRead=0x25be1bc, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesRead=0x25be1bc*=0xd2b5, lpOverlapped=0x0) returned 1 [0108.171] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.171] WriteFile (in: hFile=0x278, lpBuffer=0xbf4648*, nNumberOfBytesToWrite=0xd2b5, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesWritten=0x25be1b0*=0xd2b5, lpOverlapped=0x0) returned 1 [0108.171] GetProcessHeap () returned 0xbc0000 [0108.171] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf4648 | out: hHeap=0xbc0000) returned 1 [0108.172] CloseHandle (hObject=0x278) returned 1 [0108.172] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2078 | out: hHeap=0x2680000) returned 1 [0108.172] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2288 | out: hHeap=0x2680000) returned 1 [0108.172] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.172] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e8c0 | out: hHeap=0x2680000) returned 1 [0108.172] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268ee88 [0108.173] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\ik_DuKrwQ-b5CJ3V.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\ik_dukrwq-b5cj3v.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\ik_DuKrwQ-b5CJ3V.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\ik_dukrwq-b5cj3v.mkv.nefilim")) returned 1 [0108.173] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ee88 | out: hHeap=0x2680000) returned 1 [0108.173] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268edd0 | out: hHeap=0x2680000) returned 1 [0108.173] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8279b160, ftCreationTime.dwHighDateTime=0x1d5efda, ftLastAccessTime.dwLowDateTime=0x722e5390, ftLastAccessTime.dwHighDateTime=0x1d5e299, ftLastWriteTime.dwLowDateTime=0x722e5390, ftLastWriteTime.dwHighDateTime=0x1d5e299, nFileSizeHigh=0x0, nFileSizeLow=0x172a4, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="k6kBYHvmx4.mp4", cAlternateFileName="K6KBYH~1.MP4")) returned 1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2=".") returned 1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="..") returned 1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="...") returned 1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="windows") returned -1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="$RECYCLE.BIN") returned 1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="rsa") returned -1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="NTDETECT.COM") returned -1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="ntldr") returned -1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="MSDOS.SYS") returned -1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="IO.SYS") returned 1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="boot.ini") returned 1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="AUTOEXEC.BAT") returned 1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="ntuser.dat") returned -1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="desktop.ini") returned 1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="CONFIG.SYS") returned 1 [0108.173] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="RECYCLER") returned -1 [0108.174] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="BOOTSECT.BAK") returned 1 [0108.174] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="bootmgr") returned 1 [0108.174] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="programdata") returned -1 [0108.174] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="appdata") returned 1 [0108.174] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="program files") returned -1 [0108.174] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="program files (x86)") returned -1 [0108.174] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="microsoft") returned -1 [0108.174] lstrcmpiW (lpString1="k6kBYHvmx4.mp4", lpString2="sophos") returned -1 [0108.174] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268edd0 [0108.174] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ed18 | out: hHeap=0x2680000) returned 1 [0108.174] PathFindExtensionW (pszPath="k6kBYHvmx4.mp4") returned=".mp4" [0108.174] lstrcmpiW (lpString1=".mp4", lpString2=".exe") returned 1 [0108.174] lstrcmpiW (lpString1=".mp4", lpString2=".log") returned 1 [0108.174] lstrcmpiW (lpString1=".mp4", lpString2=".cab") returned 1 [0108.174] lstrcmpiW (lpString1=".mp4", lpString2=".cmd") returned 1 [0108.174] lstrcmpiW (lpString1=".mp4", lpString2=".com") returned 1 [0108.174] lstrcmpiW (lpString1=".mp4", lpString2=".cpl") returned 1 [0108.174] lstrcmpiW (lpString1=".mp4", lpString2=".ini") returned 1 [0108.174] lstrcmpiW (lpString1=".mp4", lpString2=".dll") returned 1 [0108.174] lstrcmpiW (lpString1=".mp4", lpString2=".url") returned -1 [0108.174] lstrcmpiW (lpString1=".mp4", lpString2=".ttf") returned -1 [0108.174] lstrcmpiW (lpString1=".mp4", lpString2=".mp3") returned 1 [0108.174] lstrcmpiW (lpString1=".mp4", lpString2=".pif") returned -1 [0108.174] lstrcmpiW (lpString1=".mp4", lpString2=".mp4") returned 0 [0108.174] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8541db0, ftCreationTime.dwHighDateTime=0x1d5e9f1, ftLastAccessTime.dwLowDateTime=0xbfc1d300, ftLastAccessTime.dwHighDateTime=0x1d5e4b2, ftLastWriteTime.dwLowDateTime=0xbfc1d300, ftLastWriteTime.dwHighDateTime=0x1d5e4b2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="L7s_QHRJJNNxL", cAlternateFileName="L7S_QH~1")) returned 1 [0108.174] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2=".") returned 1 [0108.174] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="..") returned 1 [0108.174] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="...") returned 1 [0108.174] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="windows") returned -1 [0108.174] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="$RECYCLE.BIN") returned 1 [0108.174] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="rsa") returned -1 [0108.174] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="NTDETECT.COM") returned -1 [0108.174] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="ntldr") returned -1 [0108.174] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="MSDOS.SYS") returned -1 [0108.174] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="IO.SYS") returned 1 [0108.174] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="boot.ini") returned 1 [0108.175] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="AUTOEXEC.BAT") returned 1 [0108.175] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="ntuser.dat") returned -1 [0108.175] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="desktop.ini") returned 1 [0108.175] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="CONFIG.SYS") returned 1 [0108.175] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="RECYCLER") returned -1 [0108.175] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="BOOTSECT.BAK") returned 1 [0108.175] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="bootmgr") returned 1 [0108.175] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="programdata") returned -1 [0108.175] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="appdata") returned 1 [0108.175] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="program files") returned -1 [0108.175] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="program files (x86)") returned -1 [0108.175] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="microsoft") returned -1 [0108.175] lstrcmpiW (lpString1="L7s_QHRJJNNxL", lpString2="sophos") returned -1 [0108.175] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ed18 [0108.175] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268edd0 | out: hHeap=0x2680000) returned 1 [0108.175] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268edc0 [0108.175] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ee68 [0108.175] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ef10 [0108.175] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\*.*", lpFindFileData=0x25bdf88 | out: lpFindFileData=0x25bdf88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8541db0, ftCreationTime.dwHighDateTime=0x1d5e9f1, ftLastAccessTime.dwLowDateTime=0xbfc1d300, ftLastAccessTime.dwHighDateTime=0x1d5e4b2, ftLastWriteTime.dwLowDateTime=0xbfc1d300, ftLastWriteTime.dwHighDateTime=0x1d5e4b2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268edd0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2888 [0108.175] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.175] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bdf88 | out: lpFindFileData=0x25bdf88*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf8541db0, ftCreationTime.dwHighDateTime=0x1d5e9f1, ftLastAccessTime.dwLowDateTime=0xbfc1d300, ftLastAccessTime.dwHighDateTime=0x1d5e4b2, ftLastWriteTime.dwLowDateTime=0xbfc1d300, ftLastWriteTime.dwHighDateTime=0x1d5e4b2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268edd0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.177] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.177] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.177] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bdf88 | out: lpFindFileData=0x25bdf88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2cf0370, ftCreationTime.dwHighDateTime=0x1d5e50f, ftLastAccessTime.dwLowDateTime=0xaebec310, ftLastAccessTime.dwHighDateTime=0x1d5e458, ftLastWriteTime.dwLowDateTime=0xaebec310, ftLastWriteTime.dwHighDateTime=0x1d5e458, nFileSizeHigh=0x0, nFileSizeLow=0xc74d, dwReserved0=0x268edd0, dwReserved1=0x0, cFileName="-vDxrSvbrUq.flv", cAlternateFileName="-VDXRS~1.FLV")) returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2=".") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="..") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="...") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="windows") returned -1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="$RECYCLE.BIN") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="rsa") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="NTDETECT.COM") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="ntldr") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="MSDOS.SYS") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="IO.SYS") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="boot.ini") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="AUTOEXEC.BAT") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="ntuser.dat") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="desktop.ini") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="CONFIG.SYS") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="RECYCLER") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="BOOTSECT.BAK") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="bootmgr") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="programdata") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="appdata") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="program files") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="program files (x86)") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="microsoft") returned 1 [0108.177] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="sophos") returned 1 [0108.177] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x29d4058 [0108.177] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ef10 | out: hHeap=0x2680000) returned 1 [0108.177] PathFindExtensionW (pszPath="-vDxrSvbrUq.flv") returned=".flv" [0108.177] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0108.177] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0108.177] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0108.177] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0108.177] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0108.178] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0108.178] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0108.178] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0108.178] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0108.178] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0108.178] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0108.178] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0108.178] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0108.178] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0108.178] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0108.178] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0108.178] lstrcmpiW (lpString1="-vDxrSvbrUq.flv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0108.178] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268ef10 [0108.178] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\-vDxrSvbrUq.flv" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\l7s_qhrjjnnxl\\-vdxrsvbruq.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27c [0108.178] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x25bde78 | out: lpFileSize=0x25bde78*=51021) returned 1 [0108.178] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.178] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268eb90 [0108.178] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.178] SystemFunction036 (in: RandomBuffer=0x268eb90, RandomBufferLength=0x10 | out: RandomBuffer=0x268eb90) returned 1 [0108.178] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ee8 [0108.178] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3a40 [0108.178] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ee8*, pdwDataLen=0x25bde38*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ee8*, pdwDataLen=0x25bde38*=0x100) returned 1 [0108.180] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3a40*, pdwDataLen=0x25bde34*=0x10, dwBufLen=0x100 | out: pbData=0x29d3a40*, pdwDataLen=0x25bde34*=0x100) returned 1 [0108.181] GetTickCount () returned 0x115c2c0 [0108.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0108.181] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0108.181] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0xc74d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.181] SetLastError (dwErrCode=0x0) [0108.181] WriteFile (in: hFile=0x27c, lpBuffer=0x29d2ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0x29d2ee8*, lpNumberOfBytesWritten=0x25bde90*=0x100, lpOverlapped=0x0) returned 1 [0108.182] GetLastError () returned 0x0 [0108.182] GetLastError () returned 0x0 [0108.182] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0xc84d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.182] WriteFile (in: hFile=0x27c, lpBuffer=0x29d3a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0x29d3a40*, lpNumberOfBytesWritten=0x25bde90*=0x100, lpOverlapped=0x0) returned 1 [0108.182] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0xc94d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.182] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bde4c | out: lpSystemTimeAsFileTime=0x25bde4c*(dwLowDateTime=0x3b79259d, dwHighDateTime=0x1d5f971)) [0108.182] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0108.182] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0108.183] WriteFile (in: hFile=0x27c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bde90*=0x7, lpOverlapped=0x0) returned 1 [0108.183] GetProcessHeap () returned 0xbc0000 [0108.183] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xc74d) returned 0xbf5650 [0108.183] GetSystemDefaultLangID () returned 0xbd0409 [0108.183] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.183] ReadFile (in: hFile=0x27c, lpBuffer=0xbf5650, nNumberOfBytesToRead=0xc74d, lpNumberOfBytesRead=0x25bde9c, lpOverlapped=0x0 | out: lpBuffer=0xbf5650*, lpNumberOfBytesRead=0x25bde9c*=0xc74d, lpOverlapped=0x0) returned 1 [0108.185] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.185] WriteFile (in: hFile=0x27c, lpBuffer=0xbf5650*, nNumberOfBytesToWrite=0xc74d, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0xbf5650*, lpNumberOfBytesWritten=0x25bde90*=0xc74d, lpOverlapped=0x0) returned 1 [0108.186] GetProcessHeap () returned 0xbc0000 [0108.186] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf5650 | out: hHeap=0xbc0000) returned 1 [0108.186] CloseHandle (hObject=0x27c) returned 1 [0108.186] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ee8 | out: hHeap=0x2680000) returned 1 [0108.186] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3a40 | out: hHeap=0x2680000) returned 1 [0108.186] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.186] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eb90 | out: hHeap=0x2680000) returned 1 [0108.186] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd0) returned 0x29d4120 [0108.186] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\-vDxrSvbrUq.flv" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\l7s_qhrjjnnxl\\-vdxrsvbruq.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\-vDxrSvbrUq.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\l7s_qhrjjnnxl\\-vdxrsvbruq.flv.nefilim")) returned 1 [0108.186] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4120 | out: hHeap=0x2680000) returned 1 [0108.186] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ef10 | out: hHeap=0x2680000) returned 1 [0108.187] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bdf88 | out: lpFindFileData=0x25bdf88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72a7a4f0, ftCreationTime.dwHighDateTime=0x1d5ed9f, ftLastAccessTime.dwLowDateTime=0x4f636c40, ftLastAccessTime.dwHighDateTime=0x1d5e647, ftLastWriteTime.dwLowDateTime=0x4f636c40, ftLastWriteTime.dwHighDateTime=0x1d5e647, nFileSizeHigh=0x0, nFileSizeLow=0x18aa0, dwReserved0=0x268edd0, dwReserved1=0x0, cFileName="03m9WMJ_eZ4hsT.mkv", cAlternateFileName="03M9WM~1.MKV")) returned 1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2=".") returned 1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="..") returned 1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="...") returned 1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="windows") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="$RECYCLE.BIN") returned 1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="rsa") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="NTDETECT.COM") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="ntldr") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="MSDOS.SYS") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="IO.SYS") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="boot.ini") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="AUTOEXEC.BAT") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="ntuser.dat") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="desktop.ini") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="CONFIG.SYS") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="RECYCLER") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="BOOTSECT.BAK") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="bootmgr") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="programdata") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="appdata") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="program files") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="program files (x86)") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="microsoft") returned -1 [0108.187] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="sophos") returned -1 [0108.187] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268ef10 [0108.187] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4058 | out: hHeap=0x2680000) returned 1 [0108.187] PathFindExtensionW (pszPath="03m9WMJ_eZ4hsT.mkv") returned=".mkv" [0108.187] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0108.187] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0108.187] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0108.187] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0108.187] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0108.187] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0108.187] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0108.188] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0108.188] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0108.188] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0108.188] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0108.188] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0108.188] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0108.188] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0108.188] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0108.188] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0108.188] lstrcmpiW (lpString1="03m9WMJ_eZ4hsT.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0108.188] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x29d4058 [0108.188] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\03m9WMJ_eZ4hsT.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\l7s_qhrjjnnxl\\03m9wmj_ez4hst.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27c [0108.188] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x25bde78 | out: lpFileSize=0x25bde78*=101024) returned 1 [0108.188] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.188] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e9b0 [0108.188] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.188] SystemFunction036 (in: RandomBuffer=0x268e9b0, RandomBufferLength=0x10 | out: RandomBuffer=0x268e9b0) returned 1 [0108.188] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3728 [0108.188] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2498 [0108.188] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3728*, pdwDataLen=0x25bde38*=0x10, dwBufLen=0x100 | out: pbData=0x29d3728*, pdwDataLen=0x25bde38*=0x100) returned 1 [0108.188] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2498*, pdwDataLen=0x25bde34*=0x10, dwBufLen=0x100 | out: pbData=0x29d2498*, pdwDataLen=0x25bde34*=0x100) returned 1 [0108.189] GetTickCount () returned 0x115c2c0 [0108.189] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4c8 [0108.189] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4c8 | out: hHeap=0x2680000) returned 1 [0108.189] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x18aa0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.189] SetLastError (dwErrCode=0x0) [0108.189] WriteFile (in: hFile=0x27c, lpBuffer=0x29d3728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0x29d3728*, lpNumberOfBytesWritten=0x25bde90*=0x100, lpOverlapped=0x0) returned 1 [0108.190] GetLastError () returned 0x0 [0108.190] GetLastError () returned 0x0 [0108.190] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x18ba0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.190] WriteFile (in: hFile=0x27c, lpBuffer=0x29d2498*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0x29d2498*, lpNumberOfBytesWritten=0x25bde90*=0x100, lpOverlapped=0x0) returned 1 [0108.190] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x18ca0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.190] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bde4c | out: lpSystemTimeAsFileTime=0x25bde4c*(dwLowDateTime=0x3b79259d, dwHighDateTime=0x1d5f971)) [0108.190] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0108.190] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0108.190] WriteFile (in: hFile=0x27c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bde90*=0x7, lpOverlapped=0x0) returned 1 [0108.190] GetProcessHeap () returned 0xbc0000 [0108.190] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x18aa0) returned 0xbf5650 [0108.190] GetSystemDefaultLangID () returned 0xbd0409 [0108.190] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.190] ReadFile (in: hFile=0x27c, lpBuffer=0xbf5650, nNumberOfBytesToRead=0x18aa0, lpNumberOfBytesRead=0x25bde9c, lpOverlapped=0x0 | out: lpBuffer=0xbf5650*, lpNumberOfBytesRead=0x25bde9c*=0x18aa0, lpOverlapped=0x0) returned 1 [0108.247] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.247] WriteFile (in: hFile=0x27c, lpBuffer=0xbf5650*, nNumberOfBytesToWrite=0x18aa0, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0xbf5650*, lpNumberOfBytesWritten=0x25bde90*=0x18aa0, lpOverlapped=0x0) returned 1 [0108.247] GetProcessHeap () returned 0xbc0000 [0108.247] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf5650 | out: hHeap=0xbc0000) returned 1 [0108.247] CloseHandle (hObject=0x27c) returned 1 [0108.247] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3728 | out: hHeap=0x2680000) returned 1 [0108.247] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2498 | out: hHeap=0x2680000) returned 1 [0108.248] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.248] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9b0 | out: hHeap=0x2680000) returned 1 [0108.248] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd0) returned 0x29d4120 [0108.248] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\03m9WMJ_eZ4hsT.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\l7s_qhrjjnnxl\\03m9wmj_ez4hst.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\03m9WMJ_eZ4hsT.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\l7s_qhrjjnnxl\\03m9wmj_ez4hst.mkv.nefilim")) returned 1 [0108.248] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4120 | out: hHeap=0x2680000) returned 1 [0108.248] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4058 | out: hHeap=0x2680000) returned 1 [0108.248] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bdf88 | out: lpFindFileData=0x25bdf88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x805150f0, ftCreationTime.dwHighDateTime=0x1d5ed5a, ftLastAccessTime.dwLowDateTime=0x60641e00, ftLastAccessTime.dwHighDateTime=0x1d5e5ab, ftLastWriteTime.dwLowDateTime=0x60641e00, ftLastWriteTime.dwHighDateTime=0x1d5e5ab, nFileSizeHigh=0x0, nFileSizeLow=0x3ec9, dwReserved0=0x268edd0, dwReserved1=0x0, cFileName="LYyB4xoNLNU.mkv", cAlternateFileName="LYYB4X~1.MKV")) returned 1 [0108.248] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2=".") returned 1 [0108.248] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="..") returned 1 [0108.248] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="...") returned 1 [0108.248] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="windows") returned -1 [0108.248] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="$RECYCLE.BIN") returned 1 [0108.248] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="rsa") returned -1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="NTDETECT.COM") returned -1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="ntldr") returned -1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="MSDOS.SYS") returned -1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="IO.SYS") returned 1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="boot.ini") returned 1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="ntuser.dat") returned -1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="desktop.ini") returned 1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="CONFIG.SYS") returned 1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="RECYCLER") returned -1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="BOOTSECT.BAK") returned 1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="bootmgr") returned 1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="programdata") returned -1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="appdata") returned 1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="program files") returned -1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="program files (x86)") returned -1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="microsoft") returned -1 [0108.249] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="sophos") returned -1 [0108.249] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x29d4058 [0108.249] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ef10 | out: hHeap=0x2680000) returned 1 [0108.249] PathFindExtensionW (pszPath="LYyB4xoNLNU.mkv") returned=".mkv" [0108.249] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0108.249] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0108.249] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0108.249] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0108.249] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0108.249] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0108.249] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0108.249] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0108.249] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0108.249] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0108.249] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0108.249] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0108.249] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0108.249] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0108.249] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0108.250] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0108.250] lstrcmpiW (lpString1="LYyB4xoNLNU.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0108.250] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268ef10 [0108.250] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\LYyB4xoNLNU.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\l7s_qhrjjnnxl\\lyyb4xonlnu.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27c [0108.250] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x25bde78 | out: lpFileSize=0x25bde78*=16073) returned 1 [0108.250] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.250] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e908 [0108.250] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.250] SystemFunction036 (in: RandomBuffer=0x268e908, RandomBufferLength=0x10 | out: RandomBuffer=0x268e908) returned 1 [0108.250] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3b48 [0108.250] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3410 [0108.250] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3b48*, pdwDataLen=0x25bde38*=0x10, dwBufLen=0x100 | out: pbData=0x29d3b48*, pdwDataLen=0x25bde38*=0x100) returned 1 [0108.252] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3410*, pdwDataLen=0x25bde34*=0x10, dwBufLen=0x100 | out: pbData=0x29d3410*, pdwDataLen=0x25bde34*=0x100) returned 1 [0108.253] GetTickCount () returned 0x115c2fe [0108.253] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e688 [0108.253] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0108.253] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x3ec9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.253] SetLastError (dwErrCode=0x0) [0108.253] WriteFile (in: hFile=0x27c, lpBuffer=0x29d3b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0x29d3b48*, lpNumberOfBytesWritten=0x25bde90*=0x100, lpOverlapped=0x0) returned 1 [0108.255] GetLastError () returned 0x0 [0108.255] GetLastError () returned 0x0 [0108.255] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x3fc9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.255] WriteFile (in: hFile=0x27c, lpBuffer=0x29d3410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0x29d3410*, lpNumberOfBytesWritten=0x25bde90*=0x100, lpOverlapped=0x0) returned 1 [0108.255] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x40c9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.255] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bde4c | out: lpSystemTimeAsFileTime=0x25bde4c*(dwLowDateTime=0x3b85116e, dwHighDateTime=0x1d5f971)) [0108.255] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0108.255] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0108.255] WriteFile (in: hFile=0x27c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bde90*=0x7, lpOverlapped=0x0) returned 1 [0108.255] GetProcessHeap () returned 0xbc0000 [0108.255] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3ec9) returned 0xbf5650 [0108.255] GetSystemDefaultLangID () returned 0xbd0409 [0108.255] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.255] ReadFile (in: hFile=0x27c, lpBuffer=0xbf5650, nNumberOfBytesToRead=0x3ec9, lpNumberOfBytesRead=0x25bde9c, lpOverlapped=0x0 | out: lpBuffer=0xbf5650*, lpNumberOfBytesRead=0x25bde9c*=0x3ec9, lpOverlapped=0x0) returned 1 [0108.256] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.256] WriteFile (in: hFile=0x27c, lpBuffer=0xbf5650*, nNumberOfBytesToWrite=0x3ec9, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0xbf5650*, lpNumberOfBytesWritten=0x25bde90*=0x3ec9, lpOverlapped=0x0) returned 1 [0108.256] GetProcessHeap () returned 0xbc0000 [0108.256] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf5650 | out: hHeap=0xbc0000) returned 1 [0108.256] CloseHandle (hObject=0x27c) returned 1 [0108.256] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3b48 | out: hHeap=0x2680000) returned 1 [0108.256] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3410 | out: hHeap=0x2680000) returned 1 [0108.256] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.257] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e908 | out: hHeap=0x2680000) returned 1 [0108.257] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd0) returned 0x29d4120 [0108.257] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\LYyB4xoNLNU.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\l7s_qhrjjnnxl\\lyyb4xonlnu.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\LYyB4xoNLNU.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\l7s_qhrjjnnxl\\lyyb4xonlnu.mkv.nefilim")) returned 1 [0108.257] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4120 | out: hHeap=0x2680000) returned 1 [0108.257] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ef10 | out: hHeap=0x2680000) returned 1 [0108.257] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bdf88 | out: lpFindFileData=0x25bdf88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7933bb30, ftCreationTime.dwHighDateTime=0x1d5ed8e, ftLastAccessTime.dwLowDateTime=0x9067c590, ftLastAccessTime.dwHighDateTime=0x1d5ea54, ftLastWriteTime.dwLowDateTime=0x9067c590, ftLastWriteTime.dwHighDateTime=0x1d5ea54, nFileSizeHigh=0x0, nFileSizeLow=0x6d9, dwReserved0=0x268edd0, dwReserved1=0x0, cFileName="x_uWG.flv", cAlternateFileName="")) returned 1 [0108.257] lstrcmpiW (lpString1="x_uWG.flv", lpString2=".") returned 1 [0108.257] lstrcmpiW (lpString1="x_uWG.flv", lpString2="..") returned 1 [0108.257] lstrcmpiW (lpString1="x_uWG.flv", lpString2="...") returned 1 [0108.257] lstrcmpiW (lpString1="x_uWG.flv", lpString2="windows") returned 1 [0108.257] lstrcmpiW (lpString1="x_uWG.flv", lpString2="$RECYCLE.BIN") returned 1 [0108.257] lstrcmpiW (lpString1="x_uWG.flv", lpString2="rsa") returned 1 [0108.257] lstrcmpiW (lpString1="x_uWG.flv", lpString2="NTDETECT.COM") returned 1 [0108.257] lstrcmpiW (lpString1="x_uWG.flv", lpString2="ntldr") returned 1 [0108.257] lstrcmpiW (lpString1="x_uWG.flv", lpString2="MSDOS.SYS") returned 1 [0108.257] lstrcmpiW (lpString1="x_uWG.flv", lpString2="IO.SYS") returned 1 [0108.257] lstrcmpiW (lpString1="x_uWG.flv", lpString2="boot.ini") returned 1 [0108.258] lstrcmpiW (lpString1="x_uWG.flv", lpString2="AUTOEXEC.BAT") returned 1 [0108.258] lstrcmpiW (lpString1="x_uWG.flv", lpString2="ntuser.dat") returned 1 [0108.258] lstrcmpiW (lpString1="x_uWG.flv", lpString2="desktop.ini") returned 1 [0108.258] lstrcmpiW (lpString1="x_uWG.flv", lpString2="CONFIG.SYS") returned 1 [0108.258] lstrcmpiW (lpString1="x_uWG.flv", lpString2="RECYCLER") returned 1 [0108.258] lstrcmpiW (lpString1="x_uWG.flv", lpString2="BOOTSECT.BAK") returned 1 [0108.258] lstrcmpiW (lpString1="x_uWG.flv", lpString2="bootmgr") returned 1 [0108.258] lstrcmpiW (lpString1="x_uWG.flv", lpString2="programdata") returned 1 [0108.258] lstrcmpiW (lpString1="x_uWG.flv", lpString2="appdata") returned 1 [0108.258] lstrcmpiW (lpString1="x_uWG.flv", lpString2="program files") returned 1 [0108.258] lstrcmpiW (lpString1="x_uWG.flv", lpString2="program files (x86)") returned 1 [0108.258] lstrcmpiW (lpString1="x_uWG.flv", lpString2="microsoft") returned 1 [0108.258] lstrcmpiW (lpString1="x_uWG.flv", lpString2="sophos") returned 1 [0108.258] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268ef10 [0108.258] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4058 | out: hHeap=0x2680000) returned 1 [0108.258] PathFindExtensionW (pszPath="x_uWG.flv") returned=".flv" [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0108.258] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0108.258] lstrcmpiW (lpString1="x_uWG.flv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0108.258] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x29d4058 [0108.258] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\x_uWG.flv" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\l7s_qhrjjnnxl\\x_uwg.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27c [0108.259] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x25bde78 | out: lpFileSize=0x25bde78*=1753) returned 1 [0108.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268ea28 [0108.259] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.259] SystemFunction036 (in: RandomBuffer=0x268ea28, RandomBufferLength=0x10 | out: RandomBuffer=0x268ea28) returned 1 [0108.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2498 [0108.259] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0108.259] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2498*, pdwDataLen=0x25bde38*=0x10, dwBufLen=0x100 | out: pbData=0x29d2498*, pdwDataLen=0x25bde38*=0x100) returned 1 [0108.259] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25bde34*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25bde34*=0x100) returned 1 [0108.260] GetTickCount () returned 0x115c30e [0108.260] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e688 [0108.260] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e688 | out: hHeap=0x2680000) returned 1 [0108.261] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x6d9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.261] SetLastError (dwErrCode=0x0) [0108.261] WriteFile (in: hFile=0x27c, lpBuffer=0x29d2498*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0x29d2498*, lpNumberOfBytesWritten=0x25bde90*=0x100, lpOverlapped=0x0) returned 1 [0108.261] GetLastError () returned 0x0 [0108.261] GetLastError () returned 0x0 [0108.261] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x7d9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.261] WriteFile (in: hFile=0x27c, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25bde90*=0x100, lpOverlapped=0x0) returned 1 [0108.262] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x8d9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.262] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bde4c | out: lpSystemTimeAsFileTime=0x25bde4c*(dwLowDateTime=0x3b85116e, dwHighDateTime=0x1d5f971)) [0108.262] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0108.262] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0108.262] WriteFile (in: hFile=0x27c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bde90*=0x7, lpOverlapped=0x0) returned 1 [0108.262] GetProcessHeap () returned 0xbc0000 [0108.262] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x6d9) returned 0xbe3f48 [0108.262] GetSystemDefaultLangID () returned 0xbd0409 [0108.262] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.262] ReadFile (in: hFile=0x27c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x6d9, lpNumberOfBytesRead=0x25bde9c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25bde9c*=0x6d9, lpOverlapped=0x0) returned 1 [0108.262] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.262] WriteFile (in: hFile=0x27c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x6d9, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25bde90*=0x6d9, lpOverlapped=0x0) returned 1 [0108.262] GetProcessHeap () returned 0xbc0000 [0108.262] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0108.262] CloseHandle (hObject=0x27c) returned 1 [0108.262] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2498 | out: hHeap=0x2680000) returned 1 [0108.262] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0108.262] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.262] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea28 | out: hHeap=0x2680000) returned 1 [0108.262] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x29d4110 [0108.262] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\x_uWG.flv" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\l7s_qhrjjnnxl\\x_uwg.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\x_uWG.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\l7s_qhrjjnnxl\\x_uwg.flv.nefilim")) returned 1 [0108.263] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4110 | out: hHeap=0x2680000) returned 1 [0108.263] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4058 | out: hHeap=0x2680000) returned 1 [0108.263] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bdf88 | out: lpFindFileData=0x25bdf88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaea5e990, ftCreationTime.dwHighDateTime=0x1d5ea5b, ftLastAccessTime.dwLowDateTime=0x819fec60, ftLastAccessTime.dwHighDateTime=0x1d5e417, ftLastWriteTime.dwLowDateTime=0x819fec60, ftLastWriteTime.dwHighDateTime=0x1d5e417, nFileSizeHigh=0x0, nFileSizeLow=0x152d3, dwReserved0=0x268edd0, dwReserved1=0x0, cFileName="YsTsCrS9eeVksH.swf", cAlternateFileName="YSTSCR~1.SWF")) returned 1 [0108.263] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2=".") returned 1 [0108.263] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="..") returned 1 [0108.263] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="...") returned 1 [0108.263] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="windows") returned 1 [0108.263] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="$RECYCLE.BIN") returned 1 [0108.263] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="rsa") returned 1 [0108.263] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="NTDETECT.COM") returned 1 [0108.263] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="ntldr") returned 1 [0108.263] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="MSDOS.SYS") returned 1 [0108.263] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="IO.SYS") returned 1 [0108.263] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="boot.ini") returned 1 [0108.263] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="AUTOEXEC.BAT") returned 1 [0108.263] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="ntuser.dat") returned 1 [0108.263] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="desktop.ini") returned 1 [0108.263] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="CONFIG.SYS") returned 1 [0108.264] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="RECYCLER") returned 1 [0108.264] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="BOOTSECT.BAK") returned 1 [0108.264] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="bootmgr") returned 1 [0108.264] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="programdata") returned 1 [0108.264] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="appdata") returned 1 [0108.264] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="program files") returned 1 [0108.264] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="program files (x86)") returned 1 [0108.264] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="microsoft") returned 1 [0108.264] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="sophos") returned 1 [0108.264] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x29d4058 [0108.264] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ef10 | out: hHeap=0x2680000) returned 1 [0108.264] PathFindExtensionW (pszPath="YsTsCrS9eeVksH.swf") returned=".swf" [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0108.264] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0108.264] lstrcmpiW (lpString1="YsTsCrS9eeVksH.swf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0108.264] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x268ef10 [0108.264] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\YsTsCrS9eeVksH.swf" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\l7s_qhrjjnnxl\\ystscrs9eevksh.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27c [0108.264] GetFileSizeEx (in: hFile=0x27c, lpFileSize=0x25bde78 | out: lpFileSize=0x25bde78*=86739) returned 1 [0108.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e9c8 [0108.265] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.265] SystemFunction036 (in: RandomBuffer=0x268e9c8, RandomBufferLength=0x10 | out: RandomBuffer=0x268e9c8) returned 1 [0108.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3410 [0108.265] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2de0 [0108.265] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3410*, pdwDataLen=0x25bde38*=0x10, dwBufLen=0x100 | out: pbData=0x29d3410*, pdwDataLen=0x25bde38*=0x100) returned 1 [0108.266] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2de0*, pdwDataLen=0x25bde34*=0x10, dwBufLen=0x100 | out: pbData=0x29d2de0*, pdwDataLen=0x25bde34*=0x100) returned 1 [0108.266] GetTickCount () returned 0x115c30e [0108.266] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0108.266] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0108.267] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x152d3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.267] SetLastError (dwErrCode=0x0) [0108.267] WriteFile (in: hFile=0x27c, lpBuffer=0x29d3410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0x29d3410*, lpNumberOfBytesWritten=0x25bde90*=0x100, lpOverlapped=0x0) returned 1 [0108.267] GetLastError () returned 0x0 [0108.267] GetLastError () returned 0x0 [0108.267] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x153d3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.267] WriteFile (in: hFile=0x27c, lpBuffer=0x29d2de0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0x29d2de0*, lpNumberOfBytesWritten=0x25bde90*=0x100, lpOverlapped=0x0) returned 1 [0108.268] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x154d3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.268] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bde4c | out: lpSystemTimeAsFileTime=0x25bde4c*(dwLowDateTime=0x3b85116e, dwHighDateTime=0x1d5f971)) [0108.268] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0108.268] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0108.268] WriteFile (in: hFile=0x27c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bde90*=0x7, lpOverlapped=0x0) returned 1 [0108.268] GetProcessHeap () returned 0xbc0000 [0108.268] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x152d3) returned 0xbf5650 [0108.268] GetSystemDefaultLangID () returned 0xbd0409 [0108.268] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.268] ReadFile (in: hFile=0x27c, lpBuffer=0xbf5650, nNumberOfBytesToRead=0x152d3, lpNumberOfBytesRead=0x25bde9c, lpOverlapped=0x0 | out: lpBuffer=0xbf5650*, lpNumberOfBytesRead=0x25bde9c*=0x152d3, lpOverlapped=0x0) returned 1 [0108.273] SetFilePointerEx (in: hFile=0x27c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.273] WriteFile (in: hFile=0x27c, lpBuffer=0xbf5650*, nNumberOfBytesToWrite=0x152d3, lpNumberOfBytesWritten=0x25bde90, lpOverlapped=0x0 | out: lpBuffer=0xbf5650*, lpNumberOfBytesWritten=0x25bde90*=0x152d3, lpOverlapped=0x0) returned 1 [0108.273] GetProcessHeap () returned 0xbc0000 [0108.273] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf5650 | out: hHeap=0xbc0000) returned 1 [0108.273] CloseHandle (hObject=0x27c) returned 1 [0108.273] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3410 | out: hHeap=0x2680000) returned 1 [0108.273] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2de0 | out: hHeap=0x2680000) returned 1 [0108.273] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.273] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e9c8 | out: hHeap=0x2680000) returned 1 [0108.273] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xd0) returned 0x29d4120 [0108.274] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\YsTsCrS9eeVksH.swf" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\l7s_qhrjjnnxl\\ystscrs9eevksh.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\L7s_QHRJJNNxL\\YsTsCrS9eeVksH.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\l7s_qhrjjnnxl\\ystscrs9eevksh.swf.nefilim")) returned 1 [0108.274] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4120 | out: hHeap=0x2680000) returned 1 [0108.274] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ef10 | out: hHeap=0x2680000) returned 1 [0108.274] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bdf88 | out: lpFindFileData=0x25bdf88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xaea5e990, ftCreationTime.dwHighDateTime=0x1d5ea5b, ftLastAccessTime.dwLowDateTime=0x819fec60, ftLastAccessTime.dwHighDateTime=0x1d5e417, ftLastWriteTime.dwLowDateTime=0x819fec60, ftLastWriteTime.dwHighDateTime=0x1d5e417, nFileSizeHigh=0x0, nFileSizeLow=0x152d3, dwReserved0=0x268edd0, dwReserved1=0x0, cFileName="YsTsCrS9eeVksH.swf", cAlternateFileName="YSTSCR~1.SWF")) returned 0 [0108.274] FindClose (in: hFindFile=0xbe2888 | out: hFindFile=0xbe2888) returned 1 [0108.275] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4058 | out: hHeap=0x2680000) returned 1 [0108.275] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ee68 | out: hHeap=0x2680000) returned 1 [0108.275] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268edc0 | out: hHeap=0x2680000) returned 1 [0108.275] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58752b70, ftCreationTime.dwHighDateTime=0x1d5ee17, ftLastAccessTime.dwLowDateTime=0x6a5b8cc0, ftLastAccessTime.dwHighDateTime=0x1d5e6ed, ftLastWriteTime.dwLowDateTime=0x6a5b8cc0, ftLastWriteTime.dwHighDateTime=0x1d5e6ed, nFileSizeHigh=0x0, nFileSizeLow=0x99e7, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="oo-sv2qnUP6QtUjSRcWT.swf", cAlternateFileName="OO-SV2~1.SWF")) returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2=".") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="..") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="...") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="windows") returned -1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="$RECYCLE.BIN") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="rsa") returned -1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="NTDETECT.COM") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="ntldr") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="MSDOS.SYS") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="IO.SYS") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="boot.ini") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="AUTOEXEC.BAT") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="ntuser.dat") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="desktop.ini") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="CONFIG.SYS") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="RECYCLER") returned -1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="BOOTSECT.BAK") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="bootmgr") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="programdata") returned -1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="appdata") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="program files") returned -1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="program files (x86)") returned -1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="microsoft") returned 1 [0108.276] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="sophos") returned -1 [0108.276] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268edc0 [0108.276] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ed18 | out: hHeap=0x2680000) returned 1 [0108.276] PathFindExtensionW (pszPath="oo-sv2qnUP6QtUjSRcWT.swf") returned=".swf" [0108.276] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0108.276] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0108.276] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0108.276] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0108.276] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0108.276] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0108.276] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0108.276] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0108.276] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0108.277] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0108.277] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0108.277] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0108.277] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0108.277] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0108.277] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0108.277] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0108.277] lstrcmpiW (lpString1="oo-sv2qnUP6QtUjSRcWT.swf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0108.277] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xb0) returned 0x268ee78 [0108.277] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\oo-sv2qnUP6QtUjSRcWT.swf" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\oo-sv2qnup6qtujsrcwt.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x278 [0108.277] GetFileSizeEx (in: hFile=0x278, lpFileSize=0x25be198 | out: lpFileSize=0x25be198*=39399) returned 1 [0108.277] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.277] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268eb90 [0108.277] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.277] SystemFunction036 (in: RandomBuffer=0x268eb90, RandomBufferLength=0x10 | out: RandomBuffer=0x268eb90) returned 1 [0108.277] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d26a8 [0108.277] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3d58 [0108.277] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d26a8*, pdwDataLen=0x25be158*=0x10, dwBufLen=0x100 | out: pbData=0x29d26a8*, pdwDataLen=0x25be158*=0x100) returned 1 [0108.280] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3d58*, pdwDataLen=0x25be154*=0x10, dwBufLen=0x100 | out: pbData=0x29d3d58*, pdwDataLen=0x25be154*=0x100) returned 1 [0108.281] GetTickCount () returned 0x115c31d [0108.281] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0108.281] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0108.281] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x99e7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.281] SetLastError (dwErrCode=0x0) [0108.281] WriteFile (in: hFile=0x278, lpBuffer=0x29d26a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d26a8*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0108.282] GetLastError () returned 0x0 [0108.282] GetLastError () returned 0x0 [0108.282] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x9ae7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.282] WriteFile (in: hFile=0x278, lpBuffer=0x29d3d58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x29d3d58*, lpNumberOfBytesWritten=0x25be1b0*=0x100, lpOverlapped=0x0) returned 1 [0108.282] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x9be7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.282] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be16c | out: lpSystemTimeAsFileTime=0x25be16c*(dwLowDateTime=0x3b877438, dwHighDateTime=0x1d5f971)) [0108.282] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0108.282] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0108.283] WriteFile (in: hFile=0x278, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be1b0*=0x7, lpOverlapped=0x0) returned 1 [0108.283] GetProcessHeap () returned 0xbc0000 [0108.283] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x99e7) returned 0xbf4648 [0108.283] GetSystemDefaultLangID () returned 0xbd0409 [0108.283] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.283] ReadFile (in: hFile=0x278, lpBuffer=0xbf4648, nNumberOfBytesToRead=0x99e7, lpNumberOfBytesRead=0x25be1bc, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesRead=0x25be1bc*=0x99e7, lpOverlapped=0x0) returned 1 [0108.285] SetFilePointerEx (in: hFile=0x278, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.285] WriteFile (in: hFile=0x278, lpBuffer=0xbf4648*, nNumberOfBytesToWrite=0x99e7, lpNumberOfBytesWritten=0x25be1b0, lpOverlapped=0x0 | out: lpBuffer=0xbf4648*, lpNumberOfBytesWritten=0x25be1b0*=0x99e7, lpOverlapped=0x0) returned 1 [0108.333] GetProcessHeap () returned 0xbc0000 [0108.333] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf4648 | out: hHeap=0xbc0000) returned 1 [0108.333] CloseHandle (hObject=0x278) returned 1 [0108.333] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d26a8 | out: hHeap=0x2680000) returned 1 [0108.334] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3d58 | out: hHeap=0x2680000) returned 1 [0108.334] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.334] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eb90 | out: hHeap=0x2680000) returned 1 [0108.334] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xc0) returned 0x29d4058 [0108.334] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\oo-sv2qnUP6QtUjSRcWT.swf" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\oo-sv2qnup6qtujsrcwt.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\GGJLC9dTQjwRA\\OsuaxPuP PzOnAZWV\\oo-sv2qnUP6QtUjSRcWT.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ggjlc9dtqjwra\\osuaxpup pzonazwv\\oo-sv2qnup6qtujsrcwt.swf.nefilim")) returned 1 [0108.334] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4058 | out: hHeap=0x2680000) returned 1 [0108.334] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ee78 | out: hHeap=0x2680000) returned 1 [0108.334] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25be2a8 | out: lpFindFileData=0x25be2a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x58752b70, ftCreationTime.dwHighDateTime=0x1d5ee17, ftLastAccessTime.dwLowDateTime=0x6a5b8cc0, ftLastAccessTime.dwHighDateTime=0x1d5e6ed, ftLastWriteTime.dwLowDateTime=0x6a5b8cc0, ftLastWriteTime.dwHighDateTime=0x1d5e6ed, nFileSizeHigh=0x0, nFileSizeLow=0x99e7, dwReserved0=0x268be08, dwReserved1=0x4000000, cFileName="oo-sv2qnUP6QtUjSRcWT.swf", cAlternateFileName="OO-SV2~1.SWF")) returned 0 [0108.334] FindClose (in: hFindFile=0xbe2b08 | out: hFindFile=0xbe2b08) returned 1 [0108.335] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268edc0 | out: hHeap=0x2680000) returned 1 [0108.335] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec90 | out: hHeap=0x2680000) returned 1 [0108.335] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0108.335] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd579c6d0, ftCreationTime.dwHighDateTime=0x1d5f0f1, ftLastAccessTime.dwLowDateTime=0xfff21a00, ftLastAccessTime.dwHighDateTime=0x1d5edce, ftLastWriteTime.dwLowDateTime=0xfff21a00, ftLastWriteTime.dwHighDateTime=0x1d5edce, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OsuaxPuP PzOnAZWV", cAlternateFileName="OSUAXP~1")) returned 0 [0108.335] FindClose (in: hFindFile=0xbe23c8 | out: hFindFile=0xbe23c8) returned 1 [0108.335] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0108.335] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0108.335] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0108.335] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb03ffc30, ftCreationTime.dwHighDateTime=0x1d5efda, ftLastAccessTime.dwLowDateTime=0xd13f7790, ftLastAccessTime.dwHighDateTime=0x1d5f038, ftLastWriteTime.dwLowDateTime=0xd13f7790, ftLastWriteTime.dwHighDateTime=0x1d5f038, nFileSizeHigh=0x0, nFileSizeLow=0x4b28, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="ID5yRDd3zI4smUMb_3.swf", cAlternateFileName="ID5YRD~1.SWF")) returned 1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2=".") returned 1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="..") returned 1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="...") returned 1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="windows") returned -1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="$RECYCLE.BIN") returned 1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="rsa") returned -1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="NTDETECT.COM") returned -1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="ntldr") returned -1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="MSDOS.SYS") returned -1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="IO.SYS") returned -1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="boot.ini") returned 1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="AUTOEXEC.BAT") returned 1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="ntuser.dat") returned -1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="desktop.ini") returned 1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="CONFIG.SYS") returned 1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="RECYCLER") returned -1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="BOOTSECT.BAK") returned 1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="bootmgr") returned 1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="programdata") returned -1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="appdata") returned 1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="program files") returned -1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="program files (x86)") returned -1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="microsoft") returned -1 [0108.335] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="sophos") returned -1 [0108.335] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0108.335] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0108.336] PathFindExtensionW (pszPath="ID5yRDd3zI4smUMb_3.swf") returned=".swf" [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0108.336] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0108.336] lstrcmpiW (lpString1="ID5yRDd3zI4smUMb_3.swf", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0108.336] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e360 [0108.336] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\ID5yRDd3zI4smUMb_3.swf" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\id5yrdd3zi4smumb_3.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0108.336] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=19240) returned 1 [0108.336] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.336] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e980 [0108.336] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.336] SystemFunction036 (in: RandomBuffer=0x268e980, RandomBufferLength=0x10 | out: RandomBuffer=0x268e980) returned 1 [0108.336] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2390 [0108.336] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3728 [0108.336] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2390*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2390*, pdwDataLen=0x25be798*=0x100) returned 1 [0108.337] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3728*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3728*, pdwDataLen=0x25be794*=0x100) returned 1 [0108.338] GetTickCount () returned 0x115c35c [0108.338] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0108.338] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0108.338] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4b28, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.338] SetLastError (dwErrCode=0x0) [0108.338] WriteFile (in: hFile=0x270, lpBuffer=0x29d2390*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2390*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0108.339] GetLastError () returned 0x0 [0108.339] GetLastError () returned 0x0 [0108.339] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4c28, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.339] WriteFile (in: hFile=0x270, lpBuffer=0x29d3728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3728*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0108.339] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x4d28, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.339] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3b90fdc3, dwHighDateTime=0x1d5f971)) [0108.339] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0108.339] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.340] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0108.340] GetProcessHeap () returned 0xbc0000 [0108.340] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x4b28) returned 0xbf2638 [0108.341] GetSystemDefaultLangID () returned 0xbd0409 [0108.341] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.341] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x4b28, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x4b28, lpOverlapped=0x0) returned 1 [0108.342] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.342] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x4b28, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x4b28, lpOverlapped=0x0) returned 1 [0108.342] GetProcessHeap () returned 0xbc0000 [0108.342] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0108.342] CloseHandle (hObject=0x270) returned 1 [0108.342] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2390 | out: hHeap=0x2680000) returned 1 [0108.342] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3728 | out: hHeap=0x2680000) returned 1 [0108.342] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.342] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e980 | out: hHeap=0x2680000) returned 1 [0108.342] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0108.342] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\ID5yRDd3zI4smUMb_3.swf" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\id5yrdd3zi4smumb_3.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\ID5yRDd3zI4smUMb_3.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\id5yrdd3zi4smumb_3.swf.nefilim")) returned 1 [0108.343] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.343] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0108.343] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x42a76f10, ftCreationTime.dwHighDateTime=0x1d5e430, ftLastAccessTime.dwLowDateTime=0x1efa4a80, ftLastAccessTime.dwHighDateTime=0x1d5ebc2, ftLastWriteTime.dwLowDateTime=0x1efa4a80, ftLastWriteTime.dwHighDateTime=0x1d5ebc2, nFileSizeHigh=0x0, nFileSizeLow=0x1281, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="n0W9acYLrATpHQkkVql.mkv", cAlternateFileName="N0W9AC~1.MKV")) returned 1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2=".") returned 1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="..") returned 1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="...") returned 1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="windows") returned -1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="$RECYCLE.BIN") returned 1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="rsa") returned -1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="NTDETECT.COM") returned -1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="ntldr") returned -1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="MSDOS.SYS") returned 1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="IO.SYS") returned 1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="boot.ini") returned 1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="ntuser.dat") returned -1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="desktop.ini") returned 1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="CONFIG.SYS") returned 1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="RECYCLER") returned -1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="BOOTSECT.BAK") returned 1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="bootmgr") returned 1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="programdata") returned -1 [0108.343] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="appdata") returned 1 [0108.344] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="program files") returned -1 [0108.344] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="program files (x86)") returned -1 [0108.344] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="microsoft") returned 1 [0108.344] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="sophos") returned -1 [0108.344] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e360 [0108.344] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0108.344] PathFindExtensionW (pszPath="n0W9acYLrATpHQkkVql.mkv") returned=".mkv" [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0108.344] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0108.344] lstrcmpiW (lpString1="n0W9acYLrATpHQkkVql.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0108.344] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e2e8 [0108.344] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\n0W9acYLrATpHQkkVql.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\n0w9acylratphqkkvql.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0108.344] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=4737) returned 1 [0108.344] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.344] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268ebc0 [0108.344] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.344] SystemFunction036 (in: RandomBuffer=0x268ebc0, RandomBufferLength=0x10 | out: RandomBuffer=0x268ebc0) returned 1 [0108.345] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2390 [0108.345] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ee8 [0108.345] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2390*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2390*, pdwDataLen=0x25be798*=0x100) returned 1 [0108.345] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ee8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ee8*, pdwDataLen=0x25be794*=0x100) returned 1 [0108.345] GetTickCount () returned 0x115c35c [0108.345] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0108.345] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0108.345] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1281, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.345] SetLastError (dwErrCode=0x0) [0108.345] WriteFile (in: hFile=0x270, lpBuffer=0x29d2390*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2390*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0108.346] GetLastError () returned 0x0 [0108.346] GetLastError () returned 0x0 [0108.346] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1381, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.346] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ee8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0108.346] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1481, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.346] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3b90fdc3, dwHighDateTime=0x1d5f971)) [0108.346] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0108.346] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.346] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0108.346] GetProcessHeap () returned 0xbc0000 [0108.346] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1281) returned 0xbf2638 [0108.346] GetSystemDefaultLangID () returned 0xbd0409 [0108.346] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.346] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1281, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x1281, lpOverlapped=0x0) returned 1 [0108.347] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.347] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1281, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x1281, lpOverlapped=0x0) returned 1 [0108.347] GetProcessHeap () returned 0xbc0000 [0108.347] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0108.347] CloseHandle (hObject=0x270) returned 1 [0108.347] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2390 | out: hHeap=0x2680000) returned 1 [0108.347] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ee8 | out: hHeap=0x2680000) returned 1 [0108.347] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.347] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ebc0 | out: hHeap=0x2680000) returned 1 [0108.347] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x26804b8 [0108.347] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\n0W9acYLrATpHQkkVql.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\n0w9acylratphqkkvql.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\n0W9acYLrATpHQkkVql.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\n0w9acylratphqkkvql.mkv.nefilim")) returned 1 [0108.348] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.348] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0108.348] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32957fe0, ftCreationTime.dwHighDateTime=0x1d5ed2c, ftLastAccessTime.dwLowDateTime=0x84955d00, ftLastAccessTime.dwHighDateTime=0x1d5f0ac, ftLastWriteTime.dwLowDateTime=0x84955d00, ftLastWriteTime.dwHighDateTime=0x1d5f0ac, nFileSizeHigh=0x0, nFileSizeLow=0x3a82, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="OCIozA4o.flv", cAlternateFileName="")) returned 1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2=".") returned 1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="..") returned 1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="...") returned 1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="windows") returned -1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="$RECYCLE.BIN") returned 1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="rsa") returned -1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="NTDETECT.COM") returned 1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="ntldr") returned 1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="MSDOS.SYS") returned 1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="IO.SYS") returned 1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="boot.ini") returned 1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="AUTOEXEC.BAT") returned 1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="ntuser.dat") returned 1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="desktop.ini") returned 1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="CONFIG.SYS") returned 1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="RECYCLER") returned -1 [0108.348] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="BOOTSECT.BAK") returned 1 [0108.349] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="bootmgr") returned 1 [0108.349] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="programdata") returned -1 [0108.349] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="appdata") returned 1 [0108.349] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="program files") returned -1 [0108.349] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="program files (x86)") returned -1 [0108.349] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="microsoft") returned 1 [0108.349] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="sophos") returned -1 [0108.349] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0108.349] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e360 | out: hHeap=0x2680000) returned 1 [0108.349] PathFindExtensionW (pszPath="OCIozA4o.flv") returned=".flv" [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".exe") returned 1 [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".log") returned -1 [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".cab") returned 1 [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".cmd") returned 1 [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".com") returned 1 [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".cpl") returned 1 [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".ini") returned -1 [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".dll") returned 1 [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".url") returned -1 [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".ttf") returned -1 [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".mp3") returned -1 [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".pif") returned -1 [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".mp4") returned -1 [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".NEFILIM") returned -1 [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".msi") returned -1 [0108.349] lstrcmpiW (lpString1=".flv", lpString2=".lnk") returned -1 [0108.349] lstrcmpiW (lpString1="OCIozA4o.flv", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0108.349] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e350 [0108.349] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\OCIozA4o.flv" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ocioza4o.flv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0108.349] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=14978) returned 1 [0108.349] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.349] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e968 [0108.350] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.350] SystemFunction036 (in: RandomBuffer=0x268e968, RandomBufferLength=0x10 | out: RandomBuffer=0x268e968) returned 1 [0108.350] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3e60 [0108.350] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2498 [0108.350] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3e60*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3e60*, pdwDataLen=0x25be798*=0x100) returned 1 [0108.350] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2498*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2498*, pdwDataLen=0x25be794*=0x100) returned 1 [0108.350] GetTickCount () returned 0x115c36c [0108.350] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0108.350] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0108.350] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3a82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.350] SetLastError (dwErrCode=0x0) [0108.350] WriteFile (in: hFile=0x270, lpBuffer=0x29d3e60*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3e60*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0108.351] GetLastError () returned 0x0 [0108.351] GetLastError () returned 0x0 [0108.351] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3b82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.351] WriteFile (in: hFile=0x270, lpBuffer=0x29d2498*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2498*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0108.351] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3c82, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.351] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3b935ff7, dwHighDateTime=0x1d5f971)) [0108.351] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0108.351] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.351] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0108.351] GetProcessHeap () returned 0xbc0000 [0108.351] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3a82) returned 0xbf2638 [0108.351] GetSystemDefaultLangID () returned 0xbd0409 [0108.351] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.352] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3a82, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3a82, lpOverlapped=0x0) returned 1 [0108.352] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.352] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3a82, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3a82, lpOverlapped=0x0) returned 1 [0108.352] GetProcessHeap () returned 0xbc0000 [0108.352] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0108.353] CloseHandle (hObject=0x270) returned 1 [0108.353] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3e60 | out: hHeap=0x2680000) returned 1 [0108.353] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2498 | out: hHeap=0x2680000) returned 1 [0108.353] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.353] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e968 | out: hHeap=0x2680000) returned 1 [0108.353] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0108.353] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\OCIozA4o.flv" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ocioza4o.flv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\OCIozA4o.flv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\ocioza4o.flv.nefilim")) returned 1 [0108.353] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.353] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0108.353] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863985d0, ftCreationTime.dwHighDateTime=0x1d5eb77, ftLastAccessTime.dwLowDateTime=0xc0a8db0, ftLastAccessTime.dwHighDateTime=0x1d5e481, ftLastWriteTime.dwLowDateTime=0xc0a8db0, ftLastWriteTime.dwHighDateTime=0x1d5e481, nFileSizeHigh=0x0, nFileSizeLow=0x2aff, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="ZUV3Slxe5VHSVI TG-Qx.swf", cAlternateFileName="ZUV3SL~1.SWF")) returned 1 [0108.353] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2=".") returned 1 [0108.353] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="..") returned 1 [0108.353] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="...") returned 1 [0108.353] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="windows") returned 1 [0108.353] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="$RECYCLE.BIN") returned 1 [0108.353] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="rsa") returned 1 [0108.353] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="NTDETECT.COM") returned 1 [0108.353] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="ntldr") returned 1 [0108.353] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="MSDOS.SYS") returned 1 [0108.353] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="IO.SYS") returned 1 [0108.354] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="boot.ini") returned 1 [0108.354] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="AUTOEXEC.BAT") returned 1 [0108.354] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="ntuser.dat") returned 1 [0108.354] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="desktop.ini") returned 1 [0108.354] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="CONFIG.SYS") returned 1 [0108.354] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="RECYCLER") returned 1 [0108.354] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="BOOTSECT.BAK") returned 1 [0108.354] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="bootmgr") returned 1 [0108.354] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="programdata") returned 1 [0108.354] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="appdata") returned 1 [0108.354] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="program files") returned 1 [0108.354] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="program files (x86)") returned 1 [0108.354] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="microsoft") returned 1 [0108.354] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="sophos") returned 1 [0108.354] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0108.354] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0108.354] PathFindExtensionW (pszPath="ZUV3Slxe5VHSVI TG-Qx.swf") returned=".swf" [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".exe") returned 1 [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".log") returned 1 [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".cab") returned 1 [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".cmd") returned 1 [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".com") returned 1 [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".cpl") returned 1 [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".ini") returned 1 [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".dll") returned 1 [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".url") returned -1 [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".ttf") returned -1 [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".mp3") returned 1 [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".pif") returned 1 [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".mp4") returned 1 [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".NEFILIM") returned 1 [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".msi") returned 1 [0108.354] lstrcmpiW (lpString1=".swf", lpString2=".lnk") returned 1 [0108.354] lstrcmpiW (lpString1="ZUV3Slxe5VHSVI TG-Qx.swf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0108.354] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x26804b8 [0108.355] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\ZUV3Slxe5VHSVI TG-Qx.swf" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\zuv3slxe5vhsvi tg-qx.swf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0108.355] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=11007) returned 1 [0108.355] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.355] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268eb30 [0108.355] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.355] SystemFunction036 (in: RandomBuffer=0x268eb30, RandomBufferLength=0x10 | out: RandomBuffer=0x268eb30) returned 1 [0108.355] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d27b0 [0108.355] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ee8 [0108.355] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d27b0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d27b0*, pdwDataLen=0x25be798*=0x100) returned 1 [0108.355] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ee8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ee8*, pdwDataLen=0x25be794*=0x100) returned 1 [0108.356] GetTickCount () returned 0x115c36c [0108.356] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e420 [0108.357] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e420 | out: hHeap=0x2680000) returned 1 [0108.357] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2aff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.357] SetLastError (dwErrCode=0x0) [0108.357] WriteFile (in: hFile=0x270, lpBuffer=0x29d27b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d27b0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0108.357] GetLastError () returned 0x0 [0108.357] GetLastError () returned 0x0 [0108.357] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2bff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.357] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ee8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0108.358] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x2cff, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.358] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3b935ff7, dwHighDateTime=0x1d5f971)) [0108.358] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e2e8 [0108.358] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0108.358] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0108.358] GetProcessHeap () returned 0xbc0000 [0108.358] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2aff) returned 0xbf2638 [0108.359] GetSystemDefaultLangID () returned 0xbd0409 [0108.359] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.359] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x2aff, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x2aff, lpOverlapped=0x0) returned 1 [0108.360] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.360] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x2aff, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x2aff, lpOverlapped=0x0) returned 1 [0108.360] GetProcessHeap () returned 0xbc0000 [0108.360] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0108.360] CloseHandle (hObject=0x270) returned 1 [0108.360] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d27b0 | out: hHeap=0x2680000) returned 1 [0108.360] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ee8 | out: hHeap=0x2680000) returned 1 [0108.360] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.360] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eb30 | out: hHeap=0x2680000) returned 1 [0108.360] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268bd90 [0108.360] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\ZUV3Slxe5VHSVI TG-Qx.swf" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\zuv3slxe5vhsvi tg-qx.swf"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\g4sCv\\ZUV3Slxe5VHSVI TG-Qx.swf.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\g4scv\\zuv3slxe5vhsvi tg-qx.swf.nefilim")) returned 1 [0108.361] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0108.361] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.361] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x863985d0, ftCreationTime.dwHighDateTime=0x1d5eb77, ftLastAccessTime.dwLowDateTime=0xc0a8db0, ftLastAccessTime.dwHighDateTime=0x1d5e481, ftLastWriteTime.dwLowDateTime=0xc0a8db0, ftLastWriteTime.dwHighDateTime=0x1d5e481, nFileSizeHigh=0x0, nFileSizeLow=0x2aff, dwReserved0=0x0, dwReserved1=0x22000022, cFileName="ZUV3Slxe5VHSVI TG-Qx.swf", cAlternateFileName="ZUV3SL~1.SWF")) returned 0 [0108.361] FindClose (in: hFindFile=0xbe24c8 | out: hFindFile=0xbe24c8) returned 1 [0108.361] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0108.361] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0108.361] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.361] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9666c960, ftCreationTime.dwHighDateTime=0x1d5e274, ftLastAccessTime.dwLowDateTime=0x7d276900, ftLastAccessTime.dwHighDateTime=0x1d5ecdd, ftLastWriteTime.dwLowDateTime=0x7d276900, ftLastWriteTime.dwHighDateTime=0x1d5ecdd, nFileSizeHigh=0x0, nFileSizeLow=0x151ec, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="kgo KMtj7sy7.mkv", cAlternateFileName="KGOKMT~1.MKV")) returned 1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2=".") returned 1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="..") returned 1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="...") returned 1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="windows") returned -1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="$RECYCLE.BIN") returned 1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="rsa") returned -1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="NTDETECT.COM") returned -1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="ntldr") returned -1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="MSDOS.SYS") returned -1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="IO.SYS") returned 1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="boot.ini") returned 1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="AUTOEXEC.BAT") returned 1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="ntuser.dat") returned -1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="desktop.ini") returned 1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="CONFIG.SYS") returned 1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="RECYCLER") returned -1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="BOOTSECT.BAK") returned 1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="bootmgr") returned 1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="programdata") returned -1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="appdata") returned 1 [0108.361] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="program files") returned -1 [0108.362] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="program files (x86)") returned -1 [0108.362] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="microsoft") returned -1 [0108.362] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="sophos") returned -1 [0108.362] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681278 [0108.362] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.362] PathFindExtensionW (pszPath="kgo KMtj7sy7.mkv") returned=".mkv" [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".exe") returned 1 [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".log") returned 1 [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".cab") returned 1 [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".cmd") returned 1 [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".com") returned 1 [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".cpl") returned 1 [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".ini") returned 1 [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".dll") returned 1 [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".url") returned -1 [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".ttf") returned -1 [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".mp3") returned -1 [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".pif") returned -1 [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".mp4") returned -1 [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".NEFILIM") returned -1 [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".msi") returned -1 [0108.362] lstrcmpiW (lpString1=".mkv", lpString2=".lnk") returned 1 [0108.362] lstrcmpiW (lpString1="kgo KMtj7sy7.mkv", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0108.362] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0108.362] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\Videos\\kgo KMtj7sy7.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\kgo kmtj7sy7.mkv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0108.362] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=86508) returned 1 [0108.362] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.362] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268eae8 [0108.362] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.362] SystemFunction036 (in: RandomBuffer=0x268eae8, RandomBufferLength=0x10 | out: RandomBuffer=0x268eae8) returned 1 [0108.362] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2078 [0108.362] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2498 [0108.363] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2078*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2078*, pdwDataLen=0x25beab8*=0x100) returned 1 [0108.363] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2498*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d2498*, pdwDataLen=0x25beab4*=0x100) returned 1 [0108.364] GetTickCount () returned 0x115c37b [0108.364] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e730 [0108.364] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e730 | out: hHeap=0x2680000) returned 1 [0108.364] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x151ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.364] SetLastError (dwErrCode=0x0) [0108.364] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2078*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.365] GetLastError () returned 0x0 [0108.365] GetLastError () returned 0x0 [0108.365] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x152ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.365] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2498*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2498*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.365] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x153ec, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.365] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3b95c1fb, dwHighDateTime=0x1d5f971)) [0108.365] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.365] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.365] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0108.366] GetProcessHeap () returned 0xbc0000 [0108.366] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x151ec) returned 0xbf1630 [0108.367] GetSystemDefaultLangID () returned 0xbd0409 [0108.367] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.367] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x151ec, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x151ec, lpOverlapped=0x0) returned 1 [0108.372] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.372] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x151ec, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x151ec, lpOverlapped=0x0) returned 1 [0108.372] GetProcessHeap () returned 0xbc0000 [0108.372] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0108.372] CloseHandle (hObject=0x26c) returned 1 [0108.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2078 | out: hHeap=0x2680000) returned 1 [0108.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2498 | out: hHeap=0x2680000) returned 1 [0108.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.372] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eae8 | out: hHeap=0x2680000) returned 1 [0108.372] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680510 [0108.372] MoveFileW (lpExistingFileName="C:\\Users\\FD1HVy\\Videos\\kgo KMtj7sy7.mkv" (normalized: "c:\\users\\fd1hvy\\videos\\kgo kmtj7sy7.mkv"), lpNewFileName="C:\\Users\\FD1HVy\\Videos\\kgo KMtj7sy7.mkv.NEFILIM" (normalized: "c:\\users\\fd1hvy\\videos\\kgo kmtj7sy7.mkv.nefilim")) returned 1 [0108.373] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0108.373] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.373] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9666c960, ftCreationTime.dwHighDateTime=0x1d5e274, ftLastAccessTime.dwLowDateTime=0x7d276900, ftLastAccessTime.dwHighDateTime=0x1d5ecdd, ftLastWriteTime.dwLowDateTime=0x7d276900, ftLastWriteTime.dwHighDateTime=0x1d5ecdd, nFileSizeHigh=0x0, nFileSizeLow=0x151ec, dwReserved0=0x268e2e8, dwReserved1=0x2bb319d3, cFileName="kgo KMtj7sy7.mkv", cAlternateFileName="KGOKMT~1.MKV")) returned 0 [0108.373] FindClose (in: hFindFile=0xbe2408 | out: hFindFile=0xbe2408) returned 1 [0108.373] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.373] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0108.373] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e618 | out: hHeap=0x2680000) returned 1 [0108.373] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0xe58736d0, ftLastAccessTime.dwHighDateTime=0x1d5f12a, ftLastWriteTime.dwLowDateTime=0xe58736d0, ftLastWriteTime.dwHighDateTime=0x1d5f12a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0108.373] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0108.373] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e7a0 | out: hHeap=0x2680000) returned 1 [0108.373] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e490 | out: hHeap=0x2680000) returned 1 [0108.373] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e500 | out: hHeap=0x2680000) returned 1 [0108.373] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="Public", cAlternateFileName="")) returned 1 [0108.373] lstrcmpiW (lpString1="Public", lpString2=".") returned 1 [0108.373] lstrcmpiW (lpString1="Public", lpString2="..") returned 1 [0108.373] lstrcmpiW (lpString1="Public", lpString2="...") returned 1 [0108.373] lstrcmpiW (lpString1="Public", lpString2="windows") returned -1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="$RECYCLE.BIN") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="rsa") returned -1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="NTDETECT.COM") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="ntldr") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="MSDOS.SYS") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="IO.SYS") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="boot.ini") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="AUTOEXEC.BAT") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="ntuser.dat") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="desktop.ini") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="CONFIG.SYS") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="RECYCLER") returned -1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="BOOTSECT.BAK") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="bootmgr") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="programdata") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="appdata") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="program files") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="program files (x86)") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="microsoft") returned 1 [0108.374] lstrcmpiW (lpString1="Public", lpString2="sophos") returned -1 [0108.374] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x26814b8 [0108.374] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e420 [0108.374] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.374] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f8 | out: hHeap=0x2680000) returned 1 [0108.374] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e618 [0108.374] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e0 [0108.374] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6f8 [0108.374] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2608 [0108.374] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.374] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.374] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.374] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.375] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="AccountPictures", cAlternateFileName="ACCOUN~1")) returned 1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2=".") returned 1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="..") returned 1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="...") returned 1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="windows") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="$RECYCLE.BIN") returned 1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="rsa") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="NTDETECT.COM") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="ntldr") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="MSDOS.SYS") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="IO.SYS") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="boot.ini") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="AUTOEXEC.BAT") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="ntuser.dat") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="desktop.ini") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="CONFIG.SYS") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="RECYCLER") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="BOOTSECT.BAK") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="bootmgr") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="programdata") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="appdata") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="program files") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="program files (x86)") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="microsoft") returned -1 [0108.375] lstrcmpiW (lpString1="AccountPictures", lpString2="sophos") returned -1 [0108.375] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.375] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x5e) returned 0x2681278 [0108.375] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.375] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f8 | out: hHeap=0x2680000) returned 1 [0108.375] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0108.375] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0108.375] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0108.375] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\AccountPictures\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName=".", cAlternateFileName="")) returned 0xbe2408 [0108.419] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.419] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x3079b77, ftCreationTime.dwHighDateTime=0x1d1a050, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 1 [0108.419] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.419] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.419] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xce317778, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.419] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0108.419] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0108.419] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0108.419] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0108.419] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0108.419] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0108.419] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0108.419] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0108.419] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0108.419] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0108.419] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0108.419] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0108.419] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0108.419] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0108.419] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xce317778, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xce317778, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xce317778, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0xc4, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0108.419] FindClose (in: hFindFile=0xbe2408 | out: hFindFile=0xbe2408) returned 1 [0108.419] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0108.419] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0108.419] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.420] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2=".") returned 1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="..") returned 1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="...") returned 1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="windows") returned -1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="$RECYCLE.BIN") returned 1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="rsa") returned -1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="NTDETECT.COM") returned -1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="ntldr") returned -1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="MSDOS.SYS") returned -1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="IO.SYS") returned -1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="boot.ini") returned 1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="AUTOEXEC.BAT") returned 1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="ntuser.dat") returned -1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="desktop.ini") returned -1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="CONFIG.SYS") returned 1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="RECYCLER") returned -1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="BOOTSECT.BAK") returned 1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="bootmgr") returned 1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="programdata") returned -1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="appdata") returned 1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="program files") returned -1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="program files (x86)") returned -1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="microsoft") returned -1 [0108.420] lstrcmpiW (lpString1="Desktop", lpString2="sophos") returned -1 [0108.420] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0108.420] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x46) returned 0x268ea58 [0108.420] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0108.420] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.420] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.420] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0108.420] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0108.420] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Desktop\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName=".", cAlternateFileName="")) returned 0xbe2888 [0108.421] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.421] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c3ce2c, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 1 [0108.421] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.421] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.421] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x38bb5c78, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0x38bb5c78, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0x38bb5c78, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x852, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="Acrobat Reader DC.lnk", cAlternateFileName="ACROBA~1.LNK")) returned 1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2=".") returned 1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="..") returned 1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="...") returned 1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="windows") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="$RECYCLE.BIN") returned 1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="rsa") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="NTDETECT.COM") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="ntldr") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="MSDOS.SYS") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="IO.SYS") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="boot.ini") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="AUTOEXEC.BAT") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="ntuser.dat") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="desktop.ini") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="CONFIG.SYS") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="RECYCLER") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="BOOTSECT.BAK") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="bootmgr") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="programdata") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="appdata") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="program files") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="program files (x86)") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="microsoft") returned -1 [0108.421] lstrcmpiW (lpString1="Acrobat Reader DC.lnk", lpString2="sophos") returned -1 [0108.421] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0108.421] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0108.421] PathFindExtensionW (pszPath="Acrobat Reader DC.lnk") returned=".lnk" [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".NEFILIM") returned -1 [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0108.422] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0108.422] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.422] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0108.422] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0108.422] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0108.422] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0108.422] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0108.422] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0108.422] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0108.422] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0108.422] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0108.422] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0108.422] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0108.422] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0108.422] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0108.422] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0108.422] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4c3ce2c, ftCreationTime.dwHighDateTime=0x1d327cb, ftLastAccessTime.dwLowDateTime=0xe4c3ce2c, ftLastAccessTime.dwHighDateTime=0x1d327cb, ftLastWriteTime.dwLowDateTime=0xe4c6308a, ftLastWriteTime.dwHighDateTime=0x1d327cb, nFileSizeHigh=0x0, nFileSizeLow=0x91a, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="Google Chrome.lnk", cAlternateFileName="GOOGLE~1.LNK")) returned 1 [0108.422] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2=".") returned 1 [0108.422] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="..") returned 1 [0108.422] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="...") returned 1 [0108.422] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="windows") returned -1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="$RECYCLE.BIN") returned 1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="rsa") returned -1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="NTDETECT.COM") returned -1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="ntldr") returned -1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="MSDOS.SYS") returned -1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="IO.SYS") returned -1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="boot.ini") returned 1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="ntuser.dat") returned -1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="desktop.ini") returned 1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="CONFIG.SYS") returned 1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="RECYCLER") returned -1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="BOOTSECT.BAK") returned 1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="bootmgr") returned 1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="programdata") returned -1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="appdata") returned 1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="program files") returned -1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="program files (x86)") returned -1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="microsoft") returned -1 [0108.423] lstrcmpiW (lpString1="Google Chrome.lnk", lpString2="sophos") returned -1 [0108.423] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680520 [0108.423] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.423] PathFindExtensionW (pszPath="Google Chrome.lnk") returned=".lnk" [0108.423] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0108.423] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0108.423] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0108.423] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0108.423] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0108.423] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0108.423] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0108.423] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0108.423] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0108.423] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0108.423] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0108.423] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0108.423] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0108.424] lstrcmpiW (lpString1=".lnk", lpString2=".NEFILIM") returned -1 [0108.424] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0108.424] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0108.424] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2=".") returned 1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="..") returned 1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="...") returned 1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="windows") returned -1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="$RECYCLE.BIN") returned 1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="rsa") returned -1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="NTDETECT.COM") returned -1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="ntldr") returned -1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="MSDOS.SYS") returned -1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="IO.SYS") returned 1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="boot.ini") returned 1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="AUTOEXEC.BAT") returned 1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="ntuser.dat") returned -1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="desktop.ini") returned 1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="CONFIG.SYS") returned 1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="RECYCLER") returned -1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="BOOTSECT.BAK") returned 1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="bootmgr") returned 1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="programdata") returned -1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="appdata") returned 1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="program files") returned -1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="program files (x86)") returned -1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="microsoft") returned 1 [0108.424] lstrcmpiW (lpString1="Mozilla Firefox.lnk", lpString2="sophos") returned -1 [0108.424] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0108.424] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0108.424] PathFindExtensionW (pszPath="Mozilla Firefox.lnk") returned=".lnk" [0108.424] lstrcmpiW (lpString1=".lnk", lpString2=".exe") returned 1 [0108.424] lstrcmpiW (lpString1=".lnk", lpString2=".log") returned -1 [0108.424] lstrcmpiW (lpString1=".lnk", lpString2=".cab") returned 1 [0108.424] lstrcmpiW (lpString1=".lnk", lpString2=".cmd") returned 1 [0108.424] lstrcmpiW (lpString1=".lnk", lpString2=".com") returned 1 [0108.424] lstrcmpiW (lpString1=".lnk", lpString2=".cpl") returned 1 [0108.425] lstrcmpiW (lpString1=".lnk", lpString2=".ini") returned 1 [0108.425] lstrcmpiW (lpString1=".lnk", lpString2=".dll") returned 1 [0108.425] lstrcmpiW (lpString1=".lnk", lpString2=".url") returned -1 [0108.425] lstrcmpiW (lpString1=".lnk", lpString2=".ttf") returned -1 [0108.425] lstrcmpiW (lpString1=".lnk", lpString2=".mp3") returned -1 [0108.425] lstrcmpiW (lpString1=".lnk", lpString2=".pif") returned -1 [0108.425] lstrcmpiW (lpString1=".lnk", lpString2=".mp4") returned -1 [0108.425] lstrcmpiW (lpString1=".lnk", lpString2=".NEFILIM") returned -1 [0108.425] lstrcmpiW (lpString1=".lnk", lpString2=".msi") returned -1 [0108.425] lstrcmpiW (lpString1=".lnk", lpString2=".lnk") returned 0 [0108.425] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xef84fc3f, ftCreationTime.dwHighDateTime=0x1d327c9, ftLastAccessTime.dwLowDateTime=0xef84fc3f, ftLastAccessTime.dwHighDateTime=0x1d327c9, ftLastWriteTime.dwLowDateTime=0xef84fc3f, ftLastWriteTime.dwHighDateTime=0x1d327c9, nFileSizeHigh=0x0, nFileSizeLow=0x3e7, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="Mozilla Firefox.lnk", cAlternateFileName="MOZILL~1.LNK")) returned 0 [0108.425] FindClose (in: hFindFile=0xbe2888 | out: hFindFile=0xbe2888) returned 1 [0108.425] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.425] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.425] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.425] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa08e58, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.425] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0108.425] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0108.425] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0108.425] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0108.425] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0108.425] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0108.425] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0108.425] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0108.425] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0108.425] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0108.425] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0108.425] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0108.425] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0108.425] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0108.425] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Documents", cAlternateFileName="DOCUME~1")) returned 1 [0108.425] lstrcmpiW (lpString1="Documents", lpString2=".") returned 1 [0108.425] lstrcmpiW (lpString1="Documents", lpString2="..") returned 1 [0108.425] lstrcmpiW (lpString1="Documents", lpString2="...") returned 1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="windows") returned -1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="$RECYCLE.BIN") returned 1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="rsa") returned -1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="NTDETECT.COM") returned -1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="ntldr") returned -1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="MSDOS.SYS") returned -1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="IO.SYS") returned -1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="boot.ini") returned 1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="AUTOEXEC.BAT") returned 1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="ntuser.dat") returned -1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="desktop.ini") returned 1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="CONFIG.SYS") returned 1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="RECYCLER") returned -1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="BOOTSECT.BAK") returned 1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="bootmgr") returned 1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="programdata") returned -1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="appdata") returned 1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="program files") returned -1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="program files (x86)") returned -1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="microsoft") returned -1 [0108.426] lstrcmpiW (lpString1="Documents", lpString2="sophos") returned -1 [0108.426] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.426] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ea58 | out: hHeap=0x2680000) returned 1 [0108.426] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0108.426] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0108.426] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0108.426] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName=".", cAlternateFileName="")) returned 0xbe2b08 [0108.428] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.428] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb1fb672c, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb1fb672c, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 1 [0108.428] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.428] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.428] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fb62ca, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x116, dwReserved0=0x0, dwReserved1=0x1e00001e, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.428] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0108.428] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0108.428] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0108.428] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0108.428] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0108.428] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0108.428] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0108.428] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0108.428] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0108.428] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0108.428] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0108.428] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0108.428] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0108.428] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0108.428] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="My Music", cAlternateFileName="MYMUSI~1")) returned 1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2=".") returned 1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="..") returned 1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="...") returned 1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="windows") returned -1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="$RECYCLE.BIN") returned 1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="rsa") returned -1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="NTDETECT.COM") returned -1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="ntldr") returned -1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="MSDOS.SYS") returned 1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="IO.SYS") returned 1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="boot.ini") returned 1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="AUTOEXEC.BAT") returned 1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="ntuser.dat") returned -1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="desktop.ini") returned 1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="CONFIG.SYS") returned 1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="RECYCLER") returned -1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="BOOTSECT.BAK") returned 1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="bootmgr") returned 1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="programdata") returned -1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="appdata") returned 1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="program files") returned -1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="program files (x86)") returned -1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="microsoft") returned 1 [0108.429] lstrcmpiW (lpString1="My Music", lpString2="sophos") returned -1 [0108.429] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680500 [0108.429] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.429] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0108.429] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0108.429] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e398 [0108.429] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Music\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0xf70005f2, ftCreationTime.dwLowDateTime=0xffff22ca, ftCreationTime.dwHighDateTime=0x29000029, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x22000022, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɛ⊺ĊɨԀɨF")) returned 0xffffffff [0108.430] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0108.430] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0108.430] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0108.430] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="My Pictures", cAlternateFileName="MYPICT~1")) returned 1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2=".") returned 1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="..") returned 1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="...") returned 1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="windows") returned -1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="$RECYCLE.BIN") returned 1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="rsa") returned -1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="NTDETECT.COM") returned -1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="ntldr") returned -1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="MSDOS.SYS") returned 1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="IO.SYS") returned 1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="boot.ini") returned 1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="ntuser.dat") returned -1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="desktop.ini") returned 1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="CONFIG.SYS") returned 1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="RECYCLER") returned -1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="BOOTSECT.BAK") returned 1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="bootmgr") returned 1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="programdata") returned -1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="appdata") returned 1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="program files") returned -1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="program files (x86)") returned -1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="microsoft") returned 1 [0108.430] lstrcmpiW (lpString1="My Pictures", lpString2="sophos") returned -1 [0108.430] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0108.430] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0108.430] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0108.430] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e398 [0108.430] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0108.430] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Pictures\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0xf70005f2, ftCreationTime.dwLowDateTime=0xffff22ca, ftCreationTime.dwHighDateTime=0x1e00001e, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x29000029, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɛ⊺ĊɨɨL")) returned 0xffffffff [0108.431] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.431] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0108.431] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0108.431] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2=".") returned 1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="..") returned 1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="...") returned 1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="windows") returned -1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="$RECYCLE.BIN") returned 1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="rsa") returned -1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="NTDETECT.COM") returned -1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="ntldr") returned -1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="MSDOS.SYS") returned 1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="IO.SYS") returned 1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="boot.ini") returned 1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="AUTOEXEC.BAT") returned 1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="ntuser.dat") returned -1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="desktop.ini") returned 1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="CONFIG.SYS") returned 1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="RECYCLER") returned -1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="BOOTSECT.BAK") returned 1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="bootmgr") returned 1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="programdata") returned -1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="appdata") returned 1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="program files") returned -1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="program files (x86)") returned -1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="microsoft") returned 1 [0108.431] lstrcmpiW (lpString1="My Videos", lpString2="sophos") returned -1 [0108.431] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e340 [0108.431] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0108.431] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e2e8 [0108.431] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e398 [0108.431] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0108.432] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Documents\\My Videos\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0xf70005f2, ftCreationTime.dwLowDateTime=0xffff22ca, ftCreationTime.dwHighDateTime=0x1e00001e, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0xc00000c, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x1e00001e, nFileSizeHigh=0x2680000, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="ɛ⊺ĊɨɨH")) returned 0xffffffff [0108.432] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.432] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e398 | out: hHeap=0x2680000) returned 1 [0108.432] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0108.432] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0xe99f01ae, ftCreationTime.dwHighDateTime=0x1d32708, ftLastAccessTime.dwLowDateTime=0xe99f01ae, ftLastAccessTime.dwHighDateTime=0x1d32708, ftLastWriteTime.dwLowDateTime=0xe99f01ae, ftLastWriteTime.dwHighDateTime=0x1d32708, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="My Videos", cAlternateFileName="MYVIDE~1")) returned 0 [0108.432] FindClose (in: hFindFile=0xbe2b08 | out: hFindFile=0xbe2b08) returned 1 [0108.432] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e340 | out: hHeap=0x2680000) returned 1 [0108.432] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0108.432] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.433] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Downloads", cAlternateFileName="DOWNLO~1")) returned 1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2=".") returned 1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="..") returned 1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="...") returned 1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="windows") returned -1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="$RECYCLE.BIN") returned 1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="rsa") returned -1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="NTDETECT.COM") returned -1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="ntldr") returned -1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="MSDOS.SYS") returned -1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="IO.SYS") returned -1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="boot.ini") returned 1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="AUTOEXEC.BAT") returned 1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="ntuser.dat") returned -1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="desktop.ini") returned 1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="CONFIG.SYS") returned 1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="RECYCLER") returned -1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="BOOTSECT.BAK") returned 1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="bootmgr") returned 1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="programdata") returned -1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="appdata") returned 1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="program files") returned -1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="program files (x86)") returned -1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="microsoft") returned -1 [0108.433] lstrcmpiW (lpString1="Downloads", lpString2="sophos") returned -1 [0108.433] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0108.433] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.433] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.433] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0108.433] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0108.433] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Downloads\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName=".", cAlternateFileName="")) returned 0xbe29c8 [0108.433] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.434] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466cad2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 1 [0108.434] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.434] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.434] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.434] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0108.434] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0108.434] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0108.434] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0108.434] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0108.434] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0108.434] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0108.434] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0108.434] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0108.434] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0108.434] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0108.434] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0108.434] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0108.434] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0108.434] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fb62ca, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xae, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0108.434] FindClose (in: hFindFile=0xbe29c8 | out: hFindFile=0xbe29c8) returned 1 [0108.434] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.434] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0108.434] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.434] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb207547d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0108.434] lstrcmpiW (lpString1="Libraries", lpString2=".") returned 1 [0108.434] lstrcmpiW (lpString1="Libraries", lpString2="..") returned 1 [0108.434] lstrcmpiW (lpString1="Libraries", lpString2="...") returned 1 [0108.434] lstrcmpiW (lpString1="Libraries", lpString2="windows") returned -1 [0108.434] lstrcmpiW (lpString1="Libraries", lpString2="$RECYCLE.BIN") returned 1 [0108.434] lstrcmpiW (lpString1="Libraries", lpString2="rsa") returned -1 [0108.434] lstrcmpiW (lpString1="Libraries", lpString2="NTDETECT.COM") returned -1 [0108.434] lstrcmpiW (lpString1="Libraries", lpString2="ntldr") returned -1 [0108.434] lstrcmpiW (lpString1="Libraries", lpString2="MSDOS.SYS") returned -1 [0108.435] lstrcmpiW (lpString1="Libraries", lpString2="IO.SYS") returned 1 [0108.435] lstrcmpiW (lpString1="Libraries", lpString2="boot.ini") returned 1 [0108.435] lstrcmpiW (lpString1="Libraries", lpString2="AUTOEXEC.BAT") returned 1 [0108.435] lstrcmpiW (lpString1="Libraries", lpString2="ntuser.dat") returned -1 [0108.435] lstrcmpiW (lpString1="Libraries", lpString2="desktop.ini") returned 1 [0108.435] lstrcmpiW (lpString1="Libraries", lpString2="CONFIG.SYS") returned 1 [0108.435] lstrcmpiW (lpString1="Libraries", lpString2="RECYCLER") returned -1 [0108.435] lstrcmpiW (lpString1="Libraries", lpString2="BOOTSECT.BAK") returned 1 [0108.435] lstrcmpiW (lpString1="Libraries", lpString2="bootmgr") returned 1 [0108.435] lstrcmpiW (lpString1="Libraries", lpString2="programdata") returned -1 [0108.435] lstrcmpiW (lpString1="Libraries", lpString2="appdata") returned 1 [0108.435] lstrcmpiW (lpString1="Libraries", lpString2="program files") returned -1 [0108.435] lstrcmpiW (lpString1="Libraries", lpString2="program files (x86)") returned -1 [0108.435] lstrcmpiW (lpString1="Libraries", lpString2="microsoft") returned -1 [0108.435] lstrcmpiW (lpString1="Libraries", lpString2="sophos") returned -1 [0108.435] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.435] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.435] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0108.435] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0108.435] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0108.435] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Libraries\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb207547d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName=".", cAlternateFileName="")) returned 0xbe23c8 [0108.435] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.435] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x13, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb207547d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb207547d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 1 [0108.435] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.435] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.435] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xaf, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.435] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0108.435] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0108.435] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0108.435] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0108.436] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0108.436] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0108.436] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0108.436] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0108.436] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0108.436] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0108.436] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0108.436] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0108.436] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0108.436] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0108.436] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2=".") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="..") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="...") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="windows") returned -1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="$RECYCLE.BIN") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="rsa") returned -1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="NTDETECT.COM") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="ntldr") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="MSDOS.SYS") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="IO.SYS") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="boot.ini") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="AUTOEXEC.BAT") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="ntuser.dat") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="desktop.ini") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="CONFIG.SYS") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="RECYCLER") returned -1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="BOOTSECT.BAK") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="bootmgr") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="programdata") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="appdata") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="program files") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="program files (x86)") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="microsoft") returned 1 [0108.436] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="sophos") returned -1 [0108.436] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2680500 [0108.437] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.437] PathFindExtensionW (pszPath="RecordedTV.library-ms") returned=".library-ms" [0108.437] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x20) returned 0x2680568 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".exe") returned 1 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".log") returned -1 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".cab") returned 1 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".cmd") returned 1 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".com") returned 1 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".cpl") returned 1 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".ini") returned 1 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".dll") returned 1 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".url") returned -1 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".ttf") returned -1 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".mp3") returned -1 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".pif") returned -1 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".mp4") returned -1 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".NEFILIM") returned -1 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".msi") returned -1 [0108.437] lstrcmpiW (lpString1=".library-ms", lpString2=".lnk") returned -1 [0108.437] lstrcmpiW (lpString1="RecordedTV.library-ms", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0108.437] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e2e8 [0108.437] CreateFileW (lpFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0108.437] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=960) returned 1 [0108.437] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.437] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4208 [0108.438] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.438] SystemFunction036 (in: RandomBuffer=0x29d4208, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4208) returned 1 [0108.438] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3308 [0108.438] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3b48 [0108.438] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3308*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d3308*, pdwDataLen=0x25beab8*=0x100) returned 1 [0108.438] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3b48*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3b48*, pdwDataLen=0x25beab4*=0x100) returned 1 [0108.440] GetTickCount () returned 0x115c3ba [0108.440] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e650 [0108.440] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e650 | out: hHeap=0x2680000) returned 1 [0108.440] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.440] SetLastError (dwErrCode=0x0) [0108.440] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3308*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3308*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.454] GetLastError () returned 0x0 [0108.454] GetLastError () returned 0x0 [0108.454] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.454] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3b48*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.454] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5c0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.454] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3ba1ab82, dwHighDateTime=0x1d5f971)) [0108.454] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0108.454] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.454] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0108.454] GetProcessHeap () returned 0xbc0000 [0108.454] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3c0) returned 0xbe3f48 [0108.454] GetSystemDefaultLangID () returned 0xbd0409 [0108.454] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.454] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x3c0, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0x3c0, lpOverlapped=0x0) returned 1 [0108.454] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.454] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x3c0, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0x3c0, lpOverlapped=0x0) returned 1 [0108.455] GetProcessHeap () returned 0xbc0000 [0108.455] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0108.455] CloseHandle (hObject=0x26c) returned 1 [0108.455] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3308 | out: hHeap=0x2680000) returned 1 [0108.455] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3b48 | out: hHeap=0x2680000) returned 1 [0108.455] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.455] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4208 | out: hHeap=0x2680000) returned 1 [0108.455] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e350 [0108.455] MoveFileW (lpExistingFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms"), lpNewFileName="C:\\Users\\Public\\Libraries\\RecordedTV.library-ms.NEFILIM" (normalized: "c:\\users\\public\\libraries\\recordedtv.library-ms.nefilim")) returned 1 [0108.455] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e350 | out: hHeap=0x2680000) returned 1 [0108.455] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e2e8 | out: hHeap=0x2680000) returned 1 [0108.455] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680568 | out: hHeap=0x2680000) returned 1 [0108.455] FindNextFileW (in: hFindFile=0xbe23c8, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3816851, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97421a72, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97421a72, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x3c0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="RecordedTV.library-ms", cAlternateFileName="RECORD~1.LIB")) returned 0 [0108.456] FindClose (in: hFindFile=0xbe23c8 | out: hFindFile=0xbe23c8) returned 1 [0108.456] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680500 | out: hHeap=0x2680000) returned 1 [0108.456] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0108.456] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.456] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Music", cAlternateFileName="")) returned 1 [0108.456] lstrcmpiW (lpString1="Music", lpString2=".") returned 1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="..") returned 1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="...") returned 1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="windows") returned -1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="$RECYCLE.BIN") returned 1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="rsa") returned -1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="NTDETECT.COM") returned -1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="ntldr") returned -1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="MSDOS.SYS") returned 1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="IO.SYS") returned 1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="boot.ini") returned 1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="AUTOEXEC.BAT") returned 1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="ntuser.dat") returned -1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="desktop.ini") returned 1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="CONFIG.SYS") returned 1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="RECYCLER") returned -1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="BOOTSECT.BAK") returned 1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="bootmgr") returned 1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="programdata") returned -1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="appdata") returned 1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="program files") returned -1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="program files (x86)") returned -1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="microsoft") returned 1 [0108.456] lstrcmpiW (lpString1="Music", lpString2="sophos") returned -1 [0108.456] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0108.456] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.456] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e490 [0108.456] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e768 [0108.456] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.457] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Music\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName=".", cAlternateFileName="")) returned 0xbe2b08 [0108.457] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.457] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466d9b8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 1 [0108.457] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.457] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.457] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.457] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0108.457] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0108.457] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0108.457] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0108.457] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0108.457] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0108.457] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0108.457] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0108.457] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0108.457] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0108.457] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0108.457] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0108.457] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0108.457] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0108.457] FindNextFileW (in: hFindFile=0xbe2b08, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0108.457] FindClose (in: hFindFile=0xbe2b08 | out: hFindFile=0xbe2b08) returned 1 [0108.457] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.457] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0108.457] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e490 | out: hHeap=0x2680000) returned 1 [0108.457] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Pictures", cAlternateFileName="")) returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2=".") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="..") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="...") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="windows") returned -1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="$RECYCLE.BIN") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="rsa") returned -1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="NTDETECT.COM") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="ntldr") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="MSDOS.SYS") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="IO.SYS") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="boot.ini") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="AUTOEXEC.BAT") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="ntuser.dat") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="desktop.ini") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="CONFIG.SYS") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="RECYCLER") returned -1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="BOOTSECT.BAK") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="bootmgr") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="programdata") returned -1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="appdata") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="program files") returned -1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="program files (x86)") returned -1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="microsoft") returned 1 [0108.458] lstrcmpiW (lpString1="Pictures", lpString2="sophos") returned -1 [0108.458] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.458] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0108.458] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0108.458] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0108.458] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0108.458] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Pictures\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0108.459] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.459] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466e1ef, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 1 [0108.459] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.459] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.459] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.459] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0108.459] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0108.459] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0108.459] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0108.459] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0108.459] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0108.459] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0108.459] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0108.459] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0108.459] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0108.459] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0108.459] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0108.459] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0108.459] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0108.459] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0108.459] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0108.459] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.459] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0108.459] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.459] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 1 [0108.459] lstrcmpiW (lpString1="Videos", lpString2=".") returned 1 [0108.459] lstrcmpiW (lpString1="Videos", lpString2="..") returned 1 [0108.459] lstrcmpiW (lpString1="Videos", lpString2="...") returned 1 [0108.459] lstrcmpiW (lpString1="Videos", lpString2="windows") returned -1 [0108.459] lstrcmpiW (lpString1="Videos", lpString2="$RECYCLE.BIN") returned 1 [0108.459] lstrcmpiW (lpString1="Videos", lpString2="rsa") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="NTDETECT.COM") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="ntldr") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="MSDOS.SYS") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="IO.SYS") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="boot.ini") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="AUTOEXEC.BAT") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="ntuser.dat") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="desktop.ini") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="CONFIG.SYS") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="RECYCLER") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="BOOTSECT.BAK") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="bootmgr") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="programdata") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="appdata") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="program files") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="program files (x86)") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="microsoft") returned 1 [0108.460] lstrcmpiW (lpString1="Videos", lpString2="sophos") returned 1 [0108.460] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e458 [0108.460] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.460] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e6c0 [0108.460] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e538 [0108.460] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.460] FindFirstFileW (in: lpFileName="C:\\Users\\Public\\Videos\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName=".", cAlternateFileName="")) returned 0xbe2888 [0108.460] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.460] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="..", cAlternateFileName="")) returned 1 [0108.460] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.460] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.460] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0108.460] lstrcmpiW (lpString1="desktop.ini", lpString2=".") returned 1 [0108.461] lstrcmpiW (lpString1="desktop.ini", lpString2="..") returned 1 [0108.461] lstrcmpiW (lpString1="desktop.ini", lpString2="...") returned 1 [0108.461] lstrcmpiW (lpString1="desktop.ini", lpString2="windows") returned -1 [0108.461] lstrcmpiW (lpString1="desktop.ini", lpString2="$RECYCLE.BIN") returned 1 [0108.461] lstrcmpiW (lpString1="desktop.ini", lpString2="rsa") returned -1 [0108.461] lstrcmpiW (lpString1="desktop.ini", lpString2="NTDETECT.COM") returned -1 [0108.461] lstrcmpiW (lpString1="desktop.ini", lpString2="ntldr") returned -1 [0108.461] lstrcmpiW (lpString1="desktop.ini", lpString2="MSDOS.SYS") returned -1 [0108.461] lstrcmpiW (lpString1="desktop.ini", lpString2="IO.SYS") returned -1 [0108.461] lstrcmpiW (lpString1="desktop.ini", lpString2="boot.ini") returned 1 [0108.461] lstrcmpiW (lpString1="desktop.ini", lpString2="AUTOEXEC.BAT") returned 1 [0108.461] lstrcmpiW (lpString1="desktop.ini", lpString2="ntuser.dat") returned -1 [0108.461] lstrcmpiW (lpString1="desktop.ini", lpString2="desktop.ini") returned 0 [0108.461] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x1aa2f0c2, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5fdc52c, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5fdc52c, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x17c, dwReserved0=0xa0000003, dwReserved1=0x1e00001e, cFileName="desktop.ini", cAlternateFileName="")) returned 0 [0108.461] FindClose (in: hFindFile=0xbe2888 | out: hFindFile=0xbe2888) returned 1 [0108.461] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.461] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e538 | out: hHeap=0x2680000) returned 1 [0108.461] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6c0 | out: hHeap=0x2680000) returned 1 [0108.461] FindNextFileW (in: hFindFile=0xbe2608, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xdc4d01, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xd466eabf, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x3816851, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Videos", cAlternateFileName="")) returned 0 [0108.461] FindClose (in: hFindFile=0xbe2608 | out: hFindFile=0xbe2608) returned 1 [0108.461] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e458 | out: hHeap=0x2680000) returned 1 [0108.461] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e0 | out: hHeap=0x2680000) returned 1 [0108.461] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e618 | out: hHeap=0x2680000) returned 1 [0108.461] FindNextFileW (in: hFindFile=0xbe2848, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x17d53e9c, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x475e19ed, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475e19ed, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x9, cFileName="Public", cAlternateFileName="")) returned 0 [0108.461] FindClose (in: hFindFile=0xbe2848 | out: hFindFile=0xbe2848) returned 1 [0108.461] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e420 | out: hHeap=0x2680000) returned 1 [0108.461] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0108.461] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26820d0 | out: hHeap=0x2680000) returned 1 [0108.461] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0108.461] lstrcmpiW (lpString1="Windows", lpString2=".") returned 1 [0108.462] lstrcmpiW (lpString1="Windows", lpString2="..") returned 1 [0108.462] lstrcmpiW (lpString1="Windows", lpString2="...") returned 1 [0108.462] lstrcmpiW (lpString1="Windows", lpString2="windows") returned 0 [0108.462] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2=".") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="..") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="...") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="windows") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="$RECYCLE.BIN") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="rsa") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="NTDETECT.COM") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="ntldr") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="MSDOS.SYS") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="IO.SYS") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="boot.ini") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="AUTOEXEC.BAT") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="ntuser.dat") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="desktop.ini") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="CONFIG.SYS") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="RECYCLER") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="BOOTSECT.BAK") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="bootmgr") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="programdata") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="appdata") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="program files") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="program files (x86)") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="microsoft") returned 1 [0108.462] lstrcmpiW (lpString1="Windows10Upgrade", lpString2="sophos") returned 1 [0108.462] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e620 [0108.462] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681478 | out: hHeap=0x2680000) returned 1 [0108.462] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e578 [0108.462] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e658 [0108.462] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e3b8 [0108.462] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\*.*", lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName=".", cAlternateFileName="")) returned 0xbe2588 [0108.506] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.506] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="..", cAlternateFileName="")) returned 1 [0108.506] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.506] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.506] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea35483d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea355be9, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="2052", cAlternateFileName="")) returned 1 [0108.506] lstrcmpiW (lpString1="2052", lpString2=".") returned 1 [0108.506] lstrcmpiW (lpString1="2052", lpString2="..") returned 1 [0108.506] lstrcmpiW (lpString1="2052", lpString2="...") returned 1 [0108.506] lstrcmpiW (lpString1="2052", lpString2="windows") returned -1 [0108.506] lstrcmpiW (lpString1="2052", lpString2="$RECYCLE.BIN") returned 1 [0108.506] lstrcmpiW (lpString1="2052", lpString2="rsa") returned -1 [0108.506] lstrcmpiW (lpString1="2052", lpString2="NTDETECT.COM") returned -1 [0108.506] lstrcmpiW (lpString1="2052", lpString2="ntldr") returned -1 [0108.506] lstrcmpiW (lpString1="2052", lpString2="MSDOS.SYS") returned -1 [0108.506] lstrcmpiW (lpString1="2052", lpString2="IO.SYS") returned -1 [0108.506] lstrcmpiW (lpString1="2052", lpString2="boot.ini") returned -1 [0108.506] lstrcmpiW (lpString1="2052", lpString2="AUTOEXEC.BAT") returned -1 [0108.506] lstrcmpiW (lpString1="2052", lpString2="ntuser.dat") returned -1 [0108.506] lstrcmpiW (lpString1="2052", lpString2="desktop.ini") returned -1 [0108.506] lstrcmpiW (lpString1="2052", lpString2="CONFIG.SYS") returned -1 [0108.506] lstrcmpiW (lpString1="2052", lpString2="RECYCLER") returned -1 [0108.507] lstrcmpiW (lpString1="2052", lpString2="BOOTSECT.BAK") returned -1 [0108.507] lstrcmpiW (lpString1="2052", lpString2="bootmgr") returned -1 [0108.507] lstrcmpiW (lpString1="2052", lpString2="programdata") returned -1 [0108.507] lstrcmpiW (lpString1="2052", lpString2="appdata") returned -1 [0108.507] lstrcmpiW (lpString1="2052", lpString2="program files") returned -1 [0108.507] lstrcmpiW (lpString1="2052", lpString2="program files (x86)") returned -1 [0108.507] lstrcmpiW (lpString1="2052", lpString2="microsoft") returned -1 [0108.507] lstrcmpiW (lpString1="2052", lpString2="sophos") returned -1 [0108.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0108.507] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3b8 | out: hHeap=0x2680000) returned 1 [0108.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0108.507] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0108.507] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\2052\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea35483d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea355be9, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2408 [0108.507] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.507] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea35483d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea355be9, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.507] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.507] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.507] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea355be9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x1cec8, dwReserved0=0x0, dwReserved1=0x0, cFileName="DWINTL20.DLL", cAlternateFileName="")) returned 1 [0108.507] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2=".") returned 1 [0108.507] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="..") returned 1 [0108.507] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="...") returned 1 [0108.507] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="windows") returned -1 [0108.507] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="$RECYCLE.BIN") returned 1 [0108.507] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="rsa") returned -1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="NTDETECT.COM") returned -1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="ntldr") returned -1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="MSDOS.SYS") returned -1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="IO.SYS") returned -1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="boot.ini") returned 1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="AUTOEXEC.BAT") returned 1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="ntuser.dat") returned -1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="desktop.ini") returned 1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="CONFIG.SYS") returned 1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="RECYCLER") returned -1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="BOOTSECT.BAK") returned 1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="bootmgr") returned 1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="programdata") returned -1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="appdata") returned 1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="program files") returned -1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="program files (x86)") returned -1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="microsoft") returned -1 [0108.508] lstrcmpiW (lpString1="DWINTL20.DLL", lpString2="sophos") returned -1 [0108.508] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0108.508] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0108.508] PathFindExtensionW (pszPath="DWINTL20.DLL") returned=".DLL" [0108.508] lstrcmpiW (lpString1=".DLL", lpString2=".exe") returned -1 [0108.508] lstrcmpiW (lpString1=".DLL", lpString2=".log") returned -1 [0108.508] lstrcmpiW (lpString1=".DLL", lpString2=".cab") returned 1 [0108.508] lstrcmpiW (lpString1=".DLL", lpString2=".cmd") returned 1 [0108.508] lstrcmpiW (lpString1=".DLL", lpString2=".com") returned 1 [0108.508] lstrcmpiW (lpString1=".DLL", lpString2=".cpl") returned 1 [0108.508] lstrcmpiW (lpString1=".DLL", lpString2=".ini") returned -1 [0108.508] lstrcmpiW (lpString1=".DLL", lpString2=".dll") returned 0 [0108.508] FindNextFileW (in: hFindFile=0xbe2408, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea355be9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea355be9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x1cec8, dwReserved0=0x0, dwReserved1=0x0, cFileName="DWINTL20.DLL", cAlternateFileName="")) returned 0 [0108.508] FindClose (in: hFindFile=0xbe2408 | out: hFindFile=0xbe2408) returned 1 [0108.508] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.508] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.509] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.509] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3659ec, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3659ec, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x704c8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="appraiserxp.dll", cAlternateFileName="APPRAI~1.DLL")) returned 1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2=".") returned 1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="..") returned 1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="...") returned 1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="windows") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="$RECYCLE.BIN") returned 1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="rsa") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="NTDETECT.COM") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="ntldr") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="MSDOS.SYS") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="IO.SYS") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="boot.ini") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="AUTOEXEC.BAT") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="ntuser.dat") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="desktop.ini") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="CONFIG.SYS") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="RECYCLER") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="BOOTSECT.BAK") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="bootmgr") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="programdata") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="appdata") returned 1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="program files") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="program files (x86)") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="microsoft") returned -1 [0108.509] lstrcmpiW (lpString1="appraiserxp.dll", lpString2="sophos") returned -1 [0108.509] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681278 [0108.509] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0108.509] PathFindExtensionW (pszPath="appraiserxp.dll") returned=".dll" [0108.509] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0108.509] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0108.509] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0108.509] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0108.509] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0108.509] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0108.509] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0108.510] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0108.510] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea36cf08, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea36cf08, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x1cec8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="bootsect.exe", cAlternateFileName="")) returned 1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2=".") returned 1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="..") returned 1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="...") returned 1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="windows") returned -1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="$RECYCLE.BIN") returned 1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="rsa") returned -1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="NTDETECT.COM") returned -1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="ntldr") returned -1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="MSDOS.SYS") returned -1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="IO.SYS") returned -1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="boot.ini") returned 1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="AUTOEXEC.BAT") returned 1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="ntuser.dat") returned -1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="desktop.ini") returned -1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="CONFIG.SYS") returned -1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="RECYCLER") returned -1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="BOOTSECT.BAK") returned 1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="bootmgr") returned 1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="programdata") returned -1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="appdata") returned 1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="program files") returned -1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="program files (x86)") returned -1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="microsoft") returned -1 [0108.510] lstrcmpiW (lpString1="bootsect.exe", lpString2="sophos") returned -1 [0108.510] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0108.510] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.510] PathFindExtensionW (pszPath="bootsect.exe") returned=".exe" [0108.510] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0108.510] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea350dad, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea350dad, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xb08c3ee, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0xd4, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="Configuration.ini", cAlternateFileName="CONFIG~1.INI")) returned 1 [0108.510] lstrcmpiW (lpString1="Configuration.ini", lpString2=".") returned 1 [0108.510] lstrcmpiW (lpString1="Configuration.ini", lpString2="..") returned 1 [0108.510] lstrcmpiW (lpString1="Configuration.ini", lpString2="...") returned 1 [0108.510] lstrcmpiW (lpString1="Configuration.ini", lpString2="windows") returned -1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="$RECYCLE.BIN") returned 1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="rsa") returned -1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="NTDETECT.COM") returned -1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="ntldr") returned -1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="MSDOS.SYS") returned -1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="IO.SYS") returned -1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="boot.ini") returned 1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="AUTOEXEC.BAT") returned 1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="ntuser.dat") returned -1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="desktop.ini") returned -1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="CONFIG.SYS") returned 1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="RECYCLER") returned -1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="BOOTSECT.BAK") returned 1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="bootmgr") returned 1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="programdata") returned -1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="appdata") returned 1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="program files") returned -1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="program files (x86)") returned -1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="microsoft") returned -1 [0108.511] lstrcmpiW (lpString1="Configuration.ini", lpString2="sophos") returned -1 [0108.511] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0108.511] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.511] PathFindExtensionW (pszPath="Configuration.ini") returned=".ini" [0108.511] lstrcmpiW (lpString1=".ini", lpString2=".exe") returned 1 [0108.511] lstrcmpiW (lpString1=".ini", lpString2=".log") returned -1 [0108.511] lstrcmpiW (lpString1=".ini", lpString2=".cab") returned 1 [0108.511] lstrcmpiW (lpString1=".ini", lpString2=".cmd") returned 1 [0108.511] lstrcmpiW (lpString1=".ini", lpString2=".com") returned 1 [0108.511] lstrcmpiW (lpString1=".ini", lpString2=".cpl") returned 1 [0108.511] lstrcmpiW (lpString1=".ini", lpString2=".ini") returned 0 [0108.511] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea36e29e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea36e29e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xf0c8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="cosquery.dll", cAlternateFileName="")) returned 1 [0108.511] lstrcmpiW (lpString1="cosquery.dll", lpString2=".") returned 1 [0108.511] lstrcmpiW (lpString1="cosquery.dll", lpString2="..") returned 1 [0108.511] lstrcmpiW (lpString1="cosquery.dll", lpString2="...") returned 1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="windows") returned -1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="$RECYCLE.BIN") returned 1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="rsa") returned -1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="NTDETECT.COM") returned -1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="ntldr") returned -1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="MSDOS.SYS") returned -1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="IO.SYS") returned -1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="boot.ini") returned 1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="AUTOEXEC.BAT") returned 1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="ntuser.dat") returned -1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="desktop.ini") returned -1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="CONFIG.SYS") returned 1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="RECYCLER") returned -1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="BOOTSECT.BAK") returned 1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="bootmgr") returned 1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="programdata") returned -1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="appdata") returned 1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="program files") returned -1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="program files (x86)") returned -1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="microsoft") returned -1 [0108.512] lstrcmpiW (lpString1="cosquery.dll", lpString2="sophos") returned -1 [0108.512] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0108.512] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0108.512] PathFindExtensionW (pszPath="cosquery.dll") returned=".dll" [0108.512] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0108.512] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0108.512] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0108.512] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0108.512] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0108.512] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0108.512] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0108.512] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0108.512] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea370998, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea370998, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x508c8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="DevInv.dll", cAlternateFileName="")) returned 1 [0108.512] lstrcmpiW (lpString1="DevInv.dll", lpString2=".") returned 1 [0108.512] lstrcmpiW (lpString1="DevInv.dll", lpString2="..") returned 1 [0108.512] lstrcmpiW (lpString1="DevInv.dll", lpString2="...") returned 1 [0108.512] lstrcmpiW (lpString1="DevInv.dll", lpString2="windows") returned -1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="$RECYCLE.BIN") returned 1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="rsa") returned -1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="NTDETECT.COM") returned -1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="ntldr") returned -1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="MSDOS.SYS") returned -1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="IO.SYS") returned -1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="boot.ini") returned 1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="AUTOEXEC.BAT") returned 1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="ntuser.dat") returned -1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="desktop.ini") returned 1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="CONFIG.SYS") returned 1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="RECYCLER") returned -1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="BOOTSECT.BAK") returned 1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="bootmgr") returned 1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="programdata") returned -1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="appdata") returned 1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="program files") returned -1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="program files (x86)") returned -1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="microsoft") returned -1 [0108.513] lstrcmpiW (lpString1="DevInv.dll", lpString2="sophos") returned -1 [0108.513] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0108.513] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.513] PathFindExtensionW (pszPath="DevInv.dll") returned=".dll" [0108.513] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0108.513] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0108.513] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0108.513] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0108.513] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0108.513] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0108.513] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0108.513] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0108.513] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3757e9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea377ed3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea377ed3, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="dll1", cAlternateFileName="")) returned 1 [0108.513] lstrcmpiW (lpString1="dll1", lpString2=".") returned 1 [0108.513] lstrcmpiW (lpString1="dll1", lpString2="..") returned 1 [0108.513] lstrcmpiW (lpString1="dll1", lpString2="...") returned 1 [0108.513] lstrcmpiW (lpString1="dll1", lpString2="windows") returned -1 [0108.513] lstrcmpiW (lpString1="dll1", lpString2="$RECYCLE.BIN") returned 1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="rsa") returned -1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="NTDETECT.COM") returned -1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="ntldr") returned -1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="MSDOS.SYS") returned -1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="IO.SYS") returned -1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="boot.ini") returned 1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="AUTOEXEC.BAT") returned 1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="ntuser.dat") returned -1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="desktop.ini") returned 1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="CONFIG.SYS") returned 1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="RECYCLER") returned -1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="BOOTSECT.BAK") returned 1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="bootmgr") returned 1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="programdata") returned -1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="appdata") returned 1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="program files") returned -1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="program files (x86)") returned -1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="microsoft") returned -1 [0108.514] lstrcmpiW (lpString1="dll1", lpString2="sophos") returned -1 [0108.514] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.514] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0108.514] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0108.514] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0108.514] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0108.514] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\dll1\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3757e9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea377ed3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea37926f, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2488 [0108.515] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.515] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3757e9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea377ed3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea37926f, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.515] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.515] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.515] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea376b75, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea376b75, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x204c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="cosqueryxp.dll", cAlternateFileName="COSQUE~1.DLL")) returned 1 [0108.515] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2=".") returned 1 [0108.515] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="..") returned 1 [0108.515] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="...") returned 1 [0108.515] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="windows") returned -1 [0108.515] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="$RECYCLE.BIN") returned 1 [0108.515] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="rsa") returned -1 [0108.515] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="NTDETECT.COM") returned -1 [0108.515] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="ntldr") returned -1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="MSDOS.SYS") returned -1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="IO.SYS") returned -1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="boot.ini") returned 1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="AUTOEXEC.BAT") returned 1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="ntuser.dat") returned -1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="desktop.ini") returned -1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="CONFIG.SYS") returned 1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="RECYCLER") returned -1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="BOOTSECT.BAK") returned 1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="bootmgr") returned 1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="programdata") returned -1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="appdata") returned 1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="program files") returned -1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="program files (x86)") returned -1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="microsoft") returned -1 [0108.516] lstrcmpiW (lpString1="cosqueryxp.dll", lpString2="sophos") returned -1 [0108.516] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0108.516] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0108.516] PathFindExtensionW (pszPath="cosqueryxp.dll") returned=".dll" [0108.516] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0108.516] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0108.516] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0108.516] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0108.516] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0108.516] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0108.516] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0108.516] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0108.516] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea377ed3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea377ed3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x3b0c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="wdscore.dll", cAlternateFileName="")) returned 1 [0108.516] lstrcmpiW (lpString1="wdscore.dll", lpString2=".") returned 1 [0108.516] lstrcmpiW (lpString1="wdscore.dll", lpString2="..") returned 1 [0108.516] lstrcmpiW (lpString1="wdscore.dll", lpString2="...") returned 1 [0108.516] lstrcmpiW (lpString1="wdscore.dll", lpString2="windows") returned -1 [0108.516] lstrcmpiW (lpString1="wdscore.dll", lpString2="$RECYCLE.BIN") returned 1 [0108.516] lstrcmpiW (lpString1="wdscore.dll", lpString2="rsa") returned 1 [0108.516] lstrcmpiW (lpString1="wdscore.dll", lpString2="NTDETECT.COM") returned 1 [0108.516] lstrcmpiW (lpString1="wdscore.dll", lpString2="ntldr") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="MSDOS.SYS") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="IO.SYS") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="boot.ini") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="AUTOEXEC.BAT") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="ntuser.dat") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="desktop.ini") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="CONFIG.SYS") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="RECYCLER") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="BOOTSECT.BAK") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="bootmgr") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="programdata") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="appdata") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="program files") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="program files (x86)") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="microsoft") returned 1 [0108.517] lstrcmpiW (lpString1="wdscore.dll", lpString2="sophos") returned 1 [0108.517] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0108.517] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.517] PathFindExtensionW (pszPath="wdscore.dll") returned=".dll" [0108.517] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0108.517] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0108.517] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0108.517] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0108.517] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0108.517] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0108.517] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0108.517] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0108.517] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37926f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37926f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xe9ec8, dwReserved0=0x0, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 1 [0108.517] lstrcmpiW (lpString1="webservices.dll", lpString2=".") returned 1 [0108.517] lstrcmpiW (lpString1="webservices.dll", lpString2="..") returned 1 [0108.517] lstrcmpiW (lpString1="webservices.dll", lpString2="...") returned 1 [0108.517] lstrcmpiW (lpString1="webservices.dll", lpString2="windows") returned -1 [0108.517] lstrcmpiW (lpString1="webservices.dll", lpString2="$RECYCLE.BIN") returned 1 [0108.517] lstrcmpiW (lpString1="webservices.dll", lpString2="rsa") returned 1 [0108.517] lstrcmpiW (lpString1="webservices.dll", lpString2="NTDETECT.COM") returned 1 [0108.517] lstrcmpiW (lpString1="webservices.dll", lpString2="ntldr") returned 1 [0108.517] lstrcmpiW (lpString1="webservices.dll", lpString2="MSDOS.SYS") returned 1 [0108.518] lstrcmpiW (lpString1="webservices.dll", lpString2="IO.SYS") returned 1 [0108.518] lstrcmpiW (lpString1="webservices.dll", lpString2="boot.ini") returned 1 [0108.518] lstrcmpiW (lpString1="webservices.dll", lpString2="AUTOEXEC.BAT") returned 1 [0108.518] lstrcmpiW (lpString1="webservices.dll", lpString2="ntuser.dat") returned 1 [0108.518] lstrcmpiW (lpString1="webservices.dll", lpString2="desktop.ini") returned 1 [0108.518] lstrcmpiW (lpString1="webservices.dll", lpString2="CONFIG.SYS") returned 1 [0108.518] lstrcmpiW (lpString1="webservices.dll", lpString2="RECYCLER") returned 1 [0108.518] lstrcmpiW (lpString1="webservices.dll", lpString2="BOOTSECT.BAK") returned 1 [0108.518] lstrcmpiW (lpString1="webservices.dll", lpString2="bootmgr") returned 1 [0108.518] lstrcmpiW (lpString1="webservices.dll", lpString2="programdata") returned 1 [0108.518] lstrcmpiW (lpString1="webservices.dll", lpString2="appdata") returned 1 [0108.518] lstrcmpiW (lpString1="webservices.dll", lpString2="program files") returned 1 [0108.518] lstrcmpiW (lpString1="webservices.dll", lpString2="program files (x86)") returned 1 [0108.518] lstrcmpiW (lpString1="webservices.dll", lpString2="microsoft") returned 1 [0108.518] lstrcmpiW (lpString1="webservices.dll", lpString2="sophos") returned 1 [0108.518] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0108.518] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0108.518] PathFindExtensionW (pszPath="webservices.dll") returned=".dll" [0108.518] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0108.518] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0108.518] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0108.518] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0108.518] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0108.518] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0108.518] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0108.518] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0108.518] FindNextFileW (in: hFindFile=0xbe2488, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37926f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37926f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xe9ec8, dwReserved0=0x0, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 0 [0108.518] FindClose (in: hFindFile=0xbe2488 | out: hFindFile=0xbe2488) returned 1 [0108.518] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.518] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.518] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0108.518] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea37cd05, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37cd05, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea37cd05, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="dll2", cAlternateFileName="")) returned 1 [0108.518] lstrcmpiW (lpString1="dll2", lpString2=".") returned 1 [0108.518] lstrcmpiW (lpString1="dll2", lpString2="..") returned 1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="...") returned 1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="windows") returned -1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="$RECYCLE.BIN") returned 1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="rsa") returned -1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="NTDETECT.COM") returned -1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="ntldr") returned -1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="MSDOS.SYS") returned -1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="IO.SYS") returned -1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="boot.ini") returned 1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="AUTOEXEC.BAT") returned 1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="ntuser.dat") returned -1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="desktop.ini") returned 1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="CONFIG.SYS") returned 1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="RECYCLER") returned -1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="BOOTSECT.BAK") returned 1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="bootmgr") returned 1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="programdata") returned -1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="appdata") returned 1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="program files") returned -1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="program files (x86)") returned -1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="microsoft") returned -1 [0108.519] lstrcmpiW (lpString1="dll2", lpString2="sophos") returned -1 [0108.519] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0108.519] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.519] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.519] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0108.519] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26812c0 [0108.519] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\dll2\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea37cd05, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37cd05, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea37e09b, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2348 [0108.521] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.521] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea37cd05, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37cd05, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea37e09b, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.521] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.521] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.521] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37e09b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37e09b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xb8400, dwReserved0=0x0, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2=".") returned 1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2="..") returned 1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2="...") returned 1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2="windows") returned -1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2="$RECYCLE.BIN") returned 1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2="rsa") returned 1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2="NTDETECT.COM") returned 1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2="ntldr") returned 1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2="MSDOS.SYS") returned 1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2="IO.SYS") returned 1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2="boot.ini") returned 1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2="AUTOEXEC.BAT") returned 1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2="ntuser.dat") returned 1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2="desktop.ini") returned 1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2="CONFIG.SYS") returned 1 [0108.521] lstrcmpiW (lpString1="webservices.dll", lpString2="RECYCLER") returned 1 [0108.522] lstrcmpiW (lpString1="webservices.dll", lpString2="BOOTSECT.BAK") returned 1 [0108.522] lstrcmpiW (lpString1="webservices.dll", lpString2="bootmgr") returned 1 [0108.522] lstrcmpiW (lpString1="webservices.dll", lpString2="programdata") returned 1 [0108.522] lstrcmpiW (lpString1="webservices.dll", lpString2="appdata") returned 1 [0108.522] lstrcmpiW (lpString1="webservices.dll", lpString2="program files") returned 1 [0108.522] lstrcmpiW (lpString1="webservices.dll", lpString2="program files (x86)") returned 1 [0108.522] lstrcmpiW (lpString1="webservices.dll", lpString2="microsoft") returned 1 [0108.522] lstrcmpiW (lpString1="webservices.dll", lpString2="sophos") returned 1 [0108.522] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0108.522] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0108.522] PathFindExtensionW (pszPath="webservices.dll") returned=".dll" [0108.522] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0108.522] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0108.522] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0108.522] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0108.522] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0108.522] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0108.522] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0108.522] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0108.522] FindNextFileW (in: hFindFile=0xbe2348, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea37e09b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea37e09b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xb8400, dwReserved0=0x0, dwReserved1=0x0, cFileName="webservices.dll", cAlternateFileName="WEBSER~1.DLL")) returned 0 [0108.522] FindClose (in: hFindFile=0xbe2348 | out: hFindFile=0xbe2348) returned 1 [0108.522] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.522] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.522] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.522] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea380798, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea380798, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x326c8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="downloader.dll", cAlternateFileName="DOWNLO~1.DLL")) returned 1 [0108.522] lstrcmpiW (lpString1="downloader.dll", lpString2=".") returned 1 [0108.522] lstrcmpiW (lpString1="downloader.dll", lpString2="..") returned 1 [0108.522] lstrcmpiW (lpString1="downloader.dll", lpString2="...") returned 1 [0108.522] lstrcmpiW (lpString1="downloader.dll", lpString2="windows") returned -1 [0108.522] lstrcmpiW (lpString1="downloader.dll", lpString2="$RECYCLE.BIN") returned 1 [0108.522] lstrcmpiW (lpString1="downloader.dll", lpString2="rsa") returned -1 [0108.522] lstrcmpiW (lpString1="downloader.dll", lpString2="NTDETECT.COM") returned -1 [0108.522] lstrcmpiW (lpString1="downloader.dll", lpString2="ntldr") returned -1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="MSDOS.SYS") returned -1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="IO.SYS") returned -1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="boot.ini") returned 1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="AUTOEXEC.BAT") returned 1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="ntuser.dat") returned -1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="desktop.ini") returned 1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="CONFIG.SYS") returned 1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="RECYCLER") returned -1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="BOOTSECT.BAK") returned 1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="bootmgr") returned 1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="programdata") returned -1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="appdata") returned 1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="program files") returned -1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="program files (x86)") returned -1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="microsoft") returned -1 [0108.523] lstrcmpiW (lpString1="downloader.dll", lpString2="sophos") returned -1 [0108.523] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681278 [0108.523] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0108.523] PathFindExtensionW (pszPath="downloader.dll") returned=".dll" [0108.523] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0108.523] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0108.523] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0108.523] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0108.523] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0108.523] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0108.523] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0108.523] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0108.523] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea381b2a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea381b2a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x9d2c8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="DW20.EXE", cAlternateFileName="")) returned 1 [0108.523] lstrcmpiW (lpString1="DW20.EXE", lpString2=".") returned 1 [0108.523] lstrcmpiW (lpString1="DW20.EXE", lpString2="..") returned 1 [0108.523] lstrcmpiW (lpString1="DW20.EXE", lpString2="...") returned 1 [0108.523] lstrcmpiW (lpString1="DW20.EXE", lpString2="windows") returned -1 [0108.523] lstrcmpiW (lpString1="DW20.EXE", lpString2="$RECYCLE.BIN") returned 1 [0108.523] lstrcmpiW (lpString1="DW20.EXE", lpString2="rsa") returned -1 [0108.523] lstrcmpiW (lpString1="DW20.EXE", lpString2="NTDETECT.COM") returned -1 [0108.523] lstrcmpiW (lpString1="DW20.EXE", lpString2="ntldr") returned -1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="MSDOS.SYS") returned -1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="IO.SYS") returned -1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="boot.ini") returned 1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="AUTOEXEC.BAT") returned 1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="ntuser.dat") returned -1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="desktop.ini") returned 1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="CONFIG.SYS") returned 1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="RECYCLER") returned -1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="BOOTSECT.BAK") returned 1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="bootmgr") returned 1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="programdata") returned -1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="appdata") returned 1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="program files") returned -1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="program files (x86)") returned -1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="microsoft") returned -1 [0108.524] lstrcmpiW (lpString1="DW20.EXE", lpString2="sophos") returned -1 [0108.524] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0108.524] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.524] PathFindExtensionW (pszPath="DW20.EXE") returned=".EXE" [0108.524] lstrcmpiW (lpString1=".EXE", lpString2=".exe") returned 0 [0108.524] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea385605, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea385605, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xc2c8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="DWDCW20.DLL", cAlternateFileName="")) returned 1 [0108.524] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2=".") returned 1 [0108.524] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="..") returned 1 [0108.524] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="...") returned 1 [0108.524] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="windows") returned -1 [0108.524] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="$RECYCLE.BIN") returned 1 [0108.524] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="rsa") returned -1 [0108.524] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="NTDETECT.COM") returned -1 [0108.524] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="ntldr") returned -1 [0108.524] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="MSDOS.SYS") returned -1 [0108.524] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="IO.SYS") returned -1 [0108.524] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="boot.ini") returned 1 [0108.524] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="AUTOEXEC.BAT") returned 1 [0108.524] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="ntuser.dat") returned -1 [0108.524] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="desktop.ini") returned 1 [0108.525] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="CONFIG.SYS") returned 1 [0108.525] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="RECYCLER") returned -1 [0108.525] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="BOOTSECT.BAK") returned 1 [0108.525] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="bootmgr") returned 1 [0108.525] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="programdata") returned -1 [0108.525] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="appdata") returned 1 [0108.525] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="program files") returned -1 [0108.525] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="program files (x86)") returned -1 [0108.525] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="microsoft") returned -1 [0108.525] lstrcmpiW (lpString1="DWDCW20.DLL", lpString2="sophos") returned -1 [0108.525] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.525] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0108.525] PathFindExtensionW (pszPath="DWDCW20.DLL") returned=".DLL" [0108.525] lstrcmpiW (lpString1=".DLL", lpString2=".exe") returned -1 [0108.525] lstrcmpiW (lpString1=".DLL", lpString2=".log") returned -1 [0108.525] lstrcmpiW (lpString1=".DLL", lpString2=".cab") returned 1 [0108.525] lstrcmpiW (lpString1=".DLL", lpString2=".cmd") returned 1 [0108.525] lstrcmpiW (lpString1=".DLL", lpString2=".com") returned 1 [0108.525] lstrcmpiW (lpString1=".DLL", lpString2=".cpl") returned 1 [0108.525] lstrcmpiW (lpString1=".DLL", lpString2=".ini") returned -1 [0108.525] lstrcmpiW (lpString1=".DLL", lpString2=".dll") returned 0 [0108.525] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea386943, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea386943, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xb2c8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="DWTRIG20.EXE", cAlternateFileName="")) returned 1 [0108.525] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2=".") returned 1 [0108.525] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="..") returned 1 [0108.525] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="...") returned 1 [0108.525] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="windows") returned -1 [0108.525] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="$RECYCLE.BIN") returned 1 [0108.525] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="rsa") returned -1 [0108.525] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="NTDETECT.COM") returned -1 [0108.525] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="ntldr") returned -1 [0108.525] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="MSDOS.SYS") returned -1 [0108.525] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="IO.SYS") returned -1 [0108.525] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="boot.ini") returned 1 [0108.525] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="AUTOEXEC.BAT") returned 1 [0108.525] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="ntuser.dat") returned -1 [0108.525] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="desktop.ini") returned 1 [0108.526] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="CONFIG.SYS") returned 1 [0108.526] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="RECYCLER") returned -1 [0108.526] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="BOOTSECT.BAK") returned 1 [0108.526] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="bootmgr") returned 1 [0108.526] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="programdata") returned -1 [0108.526] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="appdata") returned 1 [0108.526] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="program files") returned -1 [0108.526] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="program files (x86)") returned -1 [0108.526] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="microsoft") returned -1 [0108.526] lstrcmpiW (lpString1="DWTRIG20.EXE", lpString2="sophos") returned -1 [0108.526] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681278 [0108.526] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.526] PathFindExtensionW (pszPath="DWTRIG20.EXE") returned=".EXE" [0108.526] lstrcmpiW (lpString1=".EXE", lpString2=".exe") returned 0 [0108.526] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea387cd0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea387cd0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x2652, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="EnableWiFiTracing.cmd", cAlternateFileName="ENABLE~1.CMD")) returned 1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2=".") returned 1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="..") returned 1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="...") returned 1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="windows") returned -1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="$RECYCLE.BIN") returned 1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="rsa") returned -1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="NTDETECT.COM") returned -1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="ntldr") returned -1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="MSDOS.SYS") returned -1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="IO.SYS") returned -1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="boot.ini") returned 1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="AUTOEXEC.BAT") returned 1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="ntuser.dat") returned -1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="desktop.ini") returned 1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="CONFIG.SYS") returned 1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="RECYCLER") returned -1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="BOOTSECT.BAK") returned 1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="bootmgr") returned 1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="programdata") returned -1 [0108.526] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="appdata") returned 1 [0108.527] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="program files") returned -1 [0108.527] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="program files (x86)") returned -1 [0108.527] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="microsoft") returned -1 [0108.527] lstrcmpiW (lpString1="EnableWiFiTracing.cmd", lpString2="sophos") returned -1 [0108.527] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0108.527] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.527] PathFindExtensionW (pszPath="EnableWiFiTracing.cmd") returned=".cmd" [0108.527] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0108.527] lstrcmpiW (lpString1=".cmd", lpString2=".log") returned -1 [0108.527] lstrcmpiW (lpString1=".cmd", lpString2=".cab") returned 1 [0108.527] lstrcmpiW (lpString1=".cmd", lpString2=".cmd") returned 0 [0108.527] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea389060, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea389060, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x10cc8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="ESDHelper.dll", cAlternateFileName="ESDHEL~1.DLL")) returned 1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2=".") returned 1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="..") returned 1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="...") returned 1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="windows") returned -1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="$RECYCLE.BIN") returned 1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="rsa") returned -1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="NTDETECT.COM") returned -1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="ntldr") returned -1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="MSDOS.SYS") returned -1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="IO.SYS") returned -1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="boot.ini") returned 1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="AUTOEXEC.BAT") returned 1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="ntuser.dat") returned -1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="desktop.ini") returned 1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="CONFIG.SYS") returned 1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="RECYCLER") returned -1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="BOOTSECT.BAK") returned 1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="bootmgr") returned 1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="programdata") returned -1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="appdata") returned 1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="program files") returned -1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="program files (x86)") returned -1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="microsoft") returned -1 [0108.527] lstrcmpiW (lpString1="ESDHelper.dll", lpString2="sophos") returned -1 [0108.528] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680520 [0108.528] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.528] PathFindExtensionW (pszPath="ESDHelper.dll") returned=".dll" [0108.528] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0108.528] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0108.528] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0108.528] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0108.528] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0108.528] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0108.528] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0108.528] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0108.528] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea38cadd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea38cadd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x9ec8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="esdstub.dll", cAlternateFileName="")) returned 1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2=".") returned 1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="..") returned 1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="...") returned 1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="windows") returned -1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="$RECYCLE.BIN") returned 1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="rsa") returned -1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="NTDETECT.COM") returned -1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="ntldr") returned -1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="MSDOS.SYS") returned -1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="IO.SYS") returned -1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="boot.ini") returned 1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="AUTOEXEC.BAT") returned 1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="ntuser.dat") returned -1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="desktop.ini") returned 1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="CONFIG.SYS") returned 1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="RECYCLER") returned -1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="BOOTSECT.BAK") returned 1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="bootmgr") returned 1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="programdata") returned -1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="appdata") returned 1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="program files") returned -1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="program files (x86)") returned -1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="microsoft") returned -1 [0108.528] lstrcmpiW (lpString1="esdstub.dll", lpString2="sophos") returned -1 [0108.529] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.529] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0108.529] PathFindExtensionW (pszPath="esdstub.dll") returned=".dll" [0108.529] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0108.529] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0108.529] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0108.529] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0108.529] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0108.529] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0108.529] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0108.529] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0108.529] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea38de7f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea38de7f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x89ec8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="GatherOSState.EXE", cAlternateFileName="GATHER~1.EXE")) returned 1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2=".") returned 1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="..") returned 1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="...") returned 1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="windows") returned -1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="$RECYCLE.BIN") returned 1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="rsa") returned -1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="NTDETECT.COM") returned -1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="ntldr") returned -1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="MSDOS.SYS") returned -1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="IO.SYS") returned -1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="boot.ini") returned 1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="AUTOEXEC.BAT") returned 1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="ntuser.dat") returned -1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="desktop.ini") returned 1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="CONFIG.SYS") returned 1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="RECYCLER") returned -1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="BOOTSECT.BAK") returned 1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="bootmgr") returned 1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="programdata") returned -1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="appdata") returned 1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="program files") returned -1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="program files (x86)") returned -1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="microsoft") returned -1 [0108.529] lstrcmpiW (lpString1="GatherOSState.EXE", lpString2="sophos") returned -1 [0108.530] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2681278 [0108.530] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0108.530] PathFindExtensionW (pszPath="GatherOSState.EXE") returned=".EXE" [0108.530] lstrcmpiW (lpString1=".EXE", lpString2=".exe") returned 0 [0108.530] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39058e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39058e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x83cc8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="GetCurrentDeploy.dll", cAlternateFileName="GETCUR~1.DLL")) returned 1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2=".") returned 1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="..") returned 1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="...") returned 1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="windows") returned -1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="$RECYCLE.BIN") returned 1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="rsa") returned -1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="NTDETECT.COM") returned -1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="ntldr") returned -1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="MSDOS.SYS") returned -1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="IO.SYS") returned -1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="boot.ini") returned 1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="AUTOEXEC.BAT") returned 1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="ntuser.dat") returned -1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="desktop.ini") returned 1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="CONFIG.SYS") returned 1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="RECYCLER") returned -1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="BOOTSECT.BAK") returned 1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="bootmgr") returned 1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="programdata") returned -1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="appdata") returned 1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="program files") returned -1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="program files (x86)") returned -1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="microsoft") returned -1 [0108.530] lstrcmpiW (lpString1="GetCurrentDeploy.dll", lpString2="sophos") returned -1 [0108.530] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0108.530] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0108.530] PathFindExtensionW (pszPath="GetCurrentDeploy.dll") returned=".dll" [0108.530] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0108.530] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0108.530] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0108.531] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0108.531] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0108.531] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0108.531] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0108.531] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0108.531] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea392ca4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea392ca4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x232c8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="GetCurrentOOBE.dll", cAlternateFileName="GETCUR~2.DLL")) returned 1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2=".") returned 1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="..") returned 1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="...") returned 1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="windows") returned -1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="$RECYCLE.BIN") returned 1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="rsa") returned -1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="NTDETECT.COM") returned -1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="ntldr") returned -1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="MSDOS.SYS") returned -1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="IO.SYS") returned -1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="boot.ini") returned 1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="AUTOEXEC.BAT") returned 1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="ntuser.dat") returned -1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="desktop.ini") returned 1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="CONFIG.SYS") returned 1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="RECYCLER") returned -1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="BOOTSECT.BAK") returned 1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="bootmgr") returned 1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="programdata") returned -1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="appdata") returned 1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="program files") returned -1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="program files (x86)") returned -1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="microsoft") returned -1 [0108.531] lstrcmpiW (lpString1="GetCurrentOOBE.dll", lpString2="sophos") returned -1 [0108.531] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680520 [0108.531] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.531] PathFindExtensionW (pszPath="GetCurrentOOBE.dll") returned=".dll" [0108.531] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0108.531] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0108.531] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0108.532] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0108.532] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0108.532] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0108.532] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0108.532] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0108.532] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39539e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39539e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x11ec8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="GetCurrentRollback.EXE", cAlternateFileName="GETCUR~1.EXE")) returned 1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2=".") returned 1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="..") returned 1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="...") returned 1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="windows") returned -1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="$RECYCLE.BIN") returned 1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="rsa") returned -1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="NTDETECT.COM") returned -1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="ntldr") returned -1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="MSDOS.SYS") returned -1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="IO.SYS") returned -1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="boot.ini") returned 1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="AUTOEXEC.BAT") returned 1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="ntuser.dat") returned -1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="desktop.ini") returned 1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="CONFIG.SYS") returned 1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="RECYCLER") returned -1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="BOOTSECT.BAK") returned 1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="bootmgr") returned 1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="programdata") returned -1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="appdata") returned 1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="program files") returned -1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="program files (x86)") returned -1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="microsoft") returned -1 [0108.532] lstrcmpiW (lpString1="GetCurrentRollback.EXE", lpString2="sophos") returned -1 [0108.532] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x26804b8 [0108.532] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0108.532] PathFindExtensionW (pszPath="GetCurrentRollback.EXE") returned=".EXE" [0108.532] lstrcmpiW (lpString1=".EXE", lpString2=".exe") returned 0 [0108.532] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39673d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39673d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfa216a00, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x6cc8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="HttpHelper.exe", cAlternateFileName="HTTPHE~1.EXE")) returned 1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2=".") returned 1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="..") returned 1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="...") returned 1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="windows") returned -1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="$RECYCLE.BIN") returned 1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="rsa") returned -1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="NTDETECT.COM") returned -1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="ntldr") returned -1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="MSDOS.SYS") returned -1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="IO.SYS") returned -1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="boot.ini") returned 1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="AUTOEXEC.BAT") returned 1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="ntuser.dat") returned -1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="desktop.ini") returned 1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="CONFIG.SYS") returned 1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="RECYCLER") returned -1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="BOOTSECT.BAK") returned 1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="bootmgr") returned 1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="programdata") returned -1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="appdata") returned 1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="program files") returned -1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="program files (x86)") returned -1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="microsoft") returned -1 [0108.533] lstrcmpiW (lpString1="HttpHelper.exe", lpString2="sophos") returned -1 [0108.533] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680520 [0108.533] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.533] PathFindExtensionW (pszPath="HttpHelper.exe") returned=".exe" [0108.533] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0108.533] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x54acc791, ftCreationTime.dwHighDateTime=0x1d3273a, ftLastAccessTime.dwLowDateTime=0x54acc791, ftLastAccessTime.dwHighDateTime=0x1d3273a, ftLastWriteTime.dwLowDateTime=0x54acc791, ftLastWriteTime.dwHighDateTime=0x1d3273a, nFileSizeHigh=0x0, nFileSizeLow=0x241, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="PostOOBEScript.cmd", cAlternateFileName="POSTOO~1.CMD")) returned 1 [0108.533] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2=".") returned 1 [0108.533] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="..") returned 1 [0108.533] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="...") returned 1 [0108.533] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="windows") returned -1 [0108.533] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="$RECYCLE.BIN") returned 1 [0108.533] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="rsa") returned -1 [0108.533] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="NTDETECT.COM") returned 1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="ntldr") returned 1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="MSDOS.SYS") returned 1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="IO.SYS") returned 1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="boot.ini") returned 1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="AUTOEXEC.BAT") returned 1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="ntuser.dat") returned 1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="desktop.ini") returned 1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="CONFIG.SYS") returned 1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="RECYCLER") returned -1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="BOOTSECT.BAK") returned 1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="bootmgr") returned 1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="programdata") returned -1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="appdata") returned 1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="program files") returned -1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="program files (x86)") returned -1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="microsoft") returned 1 [0108.534] lstrcmpiW (lpString1="PostOOBEScript.cmd", lpString2="sophos") returned -1 [0108.534] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0108.534] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680520 | out: hHeap=0x2680000) returned 1 [0108.534] PathFindExtensionW (pszPath="PostOOBEScript.cmd") returned=".cmd" [0108.534] lstrcmpiW (lpString1=".cmd", lpString2=".exe") returned -1 [0108.534] lstrcmpiW (lpString1=".cmd", lpString2=".log") returned -1 [0108.534] lstrcmpiW (lpString1=".cmd", lpString2=".cab") returned 1 [0108.534] lstrcmpiW (lpString1=".cmd", lpString2=".cmd") returned 0 [0108.534] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b3c1b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b3c1b, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="resources", cAlternateFileName="RESOUR~1")) returned 1 [0108.534] lstrcmpiW (lpString1="resources", lpString2=".") returned 1 [0108.534] lstrcmpiW (lpString1="resources", lpString2="..") returned 1 [0108.534] lstrcmpiW (lpString1="resources", lpString2="...") returned 1 [0108.534] lstrcmpiW (lpString1="resources", lpString2="windows") returned -1 [0108.534] lstrcmpiW (lpString1="resources", lpString2="$RECYCLE.BIN") returned 1 [0108.534] lstrcmpiW (lpString1="resources", lpString2="rsa") returned -1 [0108.534] lstrcmpiW (lpString1="resources", lpString2="NTDETECT.COM") returned 1 [0108.534] lstrcmpiW (lpString1="resources", lpString2="ntldr") returned 1 [0108.534] lstrcmpiW (lpString1="resources", lpString2="MSDOS.SYS") returned 1 [0108.534] lstrcmpiW (lpString1="resources", lpString2="IO.SYS") returned 1 [0108.535] lstrcmpiW (lpString1="resources", lpString2="boot.ini") returned 1 [0108.535] lstrcmpiW (lpString1="resources", lpString2="AUTOEXEC.BAT") returned 1 [0108.535] lstrcmpiW (lpString1="resources", lpString2="ntuser.dat") returned 1 [0108.535] lstrcmpiW (lpString1="resources", lpString2="desktop.ini") returned 1 [0108.535] lstrcmpiW (lpString1="resources", lpString2="CONFIG.SYS") returned 1 [0108.535] lstrcmpiW (lpString1="resources", lpString2="RECYCLER") returned 1 [0108.535] lstrcmpiW (lpString1="resources", lpString2="BOOTSECT.BAK") returned 1 [0108.535] lstrcmpiW (lpString1="resources", lpString2="bootmgr") returned 1 [0108.535] lstrcmpiW (lpString1="resources", lpString2="programdata") returned 1 [0108.535] lstrcmpiW (lpString1="resources", lpString2="appdata") returned 1 [0108.535] lstrcmpiW (lpString1="resources", lpString2="program files") returned 1 [0108.535] lstrcmpiW (lpString1="resources", lpString2="program files (x86)") returned 1 [0108.535] lstrcmpiW (lpString1="resources", lpString2="microsoft") returned 1 [0108.535] lstrcmpiW (lpString1="resources", lpString2="sophos") returned -1 [0108.535] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0108.535] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.535] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0108.535] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2681278 [0108.535] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0108.535] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\*.*", lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b3c1b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b3c1b, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2988 [0108.536] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.536] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b3c1b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b3c1b, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.536] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.536] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.536] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a5195, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3a5195, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="amd64", cAlternateFileName="")) returned 1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2=".") returned 1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="..") returned 1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="...") returned 1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="windows") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="$RECYCLE.BIN") returned 1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="rsa") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="NTDETECT.COM") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="ntldr") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="MSDOS.SYS") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="IO.SYS") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="boot.ini") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="AUTOEXEC.BAT") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="ntuser.dat") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="desktop.ini") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="CONFIG.SYS") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="RECYCLER") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="BOOTSECT.BAK") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="bootmgr") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="programdata") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="appdata") returned -1 [0108.536] lstrcmpiW (lpString1="amd64", lpString2="program files") returned -1 [0108.537] lstrcmpiW (lpString1="amd64", lpString2="program files (x86)") returned -1 [0108.537] lstrcmpiW (lpString1="amd64", lpString2="microsoft") returned -1 [0108.537] lstrcmpiW (lpString1="amd64", lpString2="sophos") returned -1 [0108.537] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0108.537] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0108.537] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0108.537] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0108.537] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e6f0 [0108.537] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a5195, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3a652e, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2548 [0108.538] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0108.538] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea398e53, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a5195, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3a652e, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0108.538] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0108.538] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0108.538] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39b5b0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39b5b0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x16ebc, dwReserved0=0x0, dwReserved1=0x0, cFileName="BiosBlocks.xml", cAlternateFileName="BIOSBL~1.XML")) returned 1 [0108.538] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2=".") returned 1 [0108.538] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="..") returned 1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="...") returned 1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="windows") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="$RECYCLE.BIN") returned 1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="rsa") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="NTDETECT.COM") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="ntldr") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="MSDOS.SYS") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="IO.SYS") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="boot.ini") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="AUTOEXEC.BAT") returned 1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="ntuser.dat") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="desktop.ini") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="CONFIG.SYS") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="RECYCLER") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="BOOTSECT.BAK") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="bootmgr") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="programdata") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="appdata") returned 1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="program files") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="program files (x86)") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="microsoft") returned -1 [0108.539] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="sophos") returned -1 [0108.539] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e748 [0108.539] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0108.539] PathFindExtensionW (pszPath="BiosBlocks.xml") returned=".xml" [0108.539] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0108.539] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0108.539] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0108.539] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0108.539] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0108.539] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0108.539] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0108.539] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0108.539] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0108.540] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0108.540] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0108.540] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0108.540] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0108.540] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0108.540] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0108.540] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0108.540] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0108.540] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0108.540] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\amd64\\biosblocks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0108.611] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=93884) returned 1 [0108.611] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.611] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4370 [0108.611] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.611] SystemFunction036 (in: RandomBuffer=0x29d4370, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4370) returned 1 [0108.611] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2180 [0108.611] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3d58 [0108.611] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2180*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2180*, pdwDataLen=0x25beab8*=0x100) returned 1 [0108.674] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3d58*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3d58*, pdwDataLen=0x25beab4*=0x100) returned 1 [0108.675] GetTickCount () returned 0x115c4a4 [0108.675] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e460 [0108.675] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e460 | out: hHeap=0x2680000) returned 1 [0108.675] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16ebc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.675] SetLastError (dwErrCode=0x0) [0108.675] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2180*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2180*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.678] GetLastError () returned 0x0 [0108.678] GetLastError () returned 0x0 [0108.678] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16fbc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.678] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3d58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3d58*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.679] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x170bc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.679] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3bc56df6, dwHighDateTime=0x1d5f971)) [0108.679] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e6f0 [0108.679] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0108.679] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0108.679] GetProcessHeap () returned 0xbc0000 [0108.679] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x16ebc) returned 0xbf1630 [0108.679] GetSystemDefaultLangID () returned 0xbd0409 [0108.679] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.679] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x16ebc, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x16ebc, lpOverlapped=0x0) returned 1 [0108.689] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.689] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x16ebc, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x16ebc, lpOverlapped=0x0) returned 1 [0108.690] GetProcessHeap () returned 0xbc0000 [0108.690] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0108.690] CloseHandle (hObject=0x26c) returned 1 [0108.690] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2180 | out: hHeap=0x2680000) returned 1 [0108.690] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3d58 | out: hHeap=0x2680000) returned 1 [0108.690] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.690] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4370 | out: hHeap=0x2680000) returned 1 [0108.690] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0108.690] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\amd64\\biosblocks.xml"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\BiosBlocks.xml.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\amd64\\biosblocks.xml.nefilim")) returned 1 [0108.691] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0108.691] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0108.691] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39c8ec, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39c8ec, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x11daf, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwcompat.txt", cAlternateFileName="")) returned 1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2=".") returned 1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="..") returned 1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="...") returned 1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="windows") returned -1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="$RECYCLE.BIN") returned 1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="rsa") returned -1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="NTDETECT.COM") returned -1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="ntldr") returned -1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="MSDOS.SYS") returned -1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="IO.SYS") returned -1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="boot.ini") returned 1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="AUTOEXEC.BAT") returned 1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="ntuser.dat") returned -1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="desktop.ini") returned 1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="CONFIG.SYS") returned 1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="RECYCLER") returned -1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="BOOTSECT.BAK") returned 1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="bootmgr") returned 1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="programdata") returned -1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="appdata") returned 1 [0108.691] lstrcmpiW (lpString1="hwcompat.txt", lpString2="program files") returned -1 [0108.694] lstrcmpiW (lpString1="hwcompat.txt", lpString2="program files (x86)") returned -1 [0108.694] lstrcmpiW (lpString1="hwcompat.txt", lpString2="microsoft") returned -1 [0108.694] lstrcmpiW (lpString1="hwcompat.txt", lpString2="sophos") returned -1 [0108.694] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0108.694] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e748 | out: hHeap=0x2680000) returned 1 [0108.694] PathFindExtensionW (pszPath="hwcompat.txt") returned=".txt" [0108.694] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0108.694] lstrcmpiW (lpString1=".txt", lpString2=".log") returned 1 [0108.694] lstrcmpiW (lpString1=".txt", lpString2=".cab") returned 1 [0108.694] lstrcmpiW (lpString1=".txt", lpString2=".cmd") returned 1 [0108.694] lstrcmpiW (lpString1=".txt", lpString2=".com") returned 1 [0108.694] lstrcmpiW (lpString1=".txt", lpString2=".cpl") returned 1 [0108.694] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0108.694] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0108.694] lstrcmpiW (lpString1=".txt", lpString2=".url") returned -1 [0108.694] lstrcmpiW (lpString1=".txt", lpString2=".ttf") returned 1 [0108.694] lstrcmpiW (lpString1=".txt", lpString2=".mp3") returned 1 [0108.694] lstrcmpiW (lpString1=".txt", lpString2=".pif") returned 1 [0108.694] lstrcmpiW (lpString1=".txt", lpString2=".mp4") returned 1 [0108.695] lstrcmpiW (lpString1=".txt", lpString2=".NEFILIM") returned 1 [0108.695] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0108.695] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0108.695] lstrcmpiW (lpString1="hwcompat.txt", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0108.695] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0108.695] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwcompat.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0108.695] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=73135) returned 1 [0108.695] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.695] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4208 [0108.695] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.695] SystemFunction036 (in: RandomBuffer=0x29d4208, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4208) returned 1 [0108.695] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3b48 [0108.695] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3e60 [0108.695] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3b48*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d3b48*, pdwDataLen=0x25beab8*=0x100) returned 1 [0108.696] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3e60*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3e60*, pdwDataLen=0x25beab4*=0x100) returned 1 [0108.697] GetTickCount () returned 0x115c4c3 [0108.697] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e3f0 [0108.697] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f0 | out: hHeap=0x2680000) returned 1 [0108.697] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x11daf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.697] SetLastError (dwErrCode=0x0) [0108.697] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3b48*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.699] GetLastError () returned 0x0 [0108.699] GetLastError () returned 0x0 [0108.699] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x11eaf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.699] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3e60*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3e60*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.699] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x11faf, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.699] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3bc7d0f1, dwHighDateTime=0x1d5f971)) [0108.700] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0108.700] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0108.700] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0108.700] GetProcessHeap () returned 0xbc0000 [0108.700] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x11daf) returned 0xbf1630 [0108.701] GetSystemDefaultLangID () returned 0xbd0409 [0108.701] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.701] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x11daf, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x11daf, lpOverlapped=0x0) returned 1 [0108.706] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.706] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x11daf, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x11daf, lpOverlapped=0x0) returned 1 [0108.706] GetProcessHeap () returned 0xbc0000 [0108.706] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0108.706] CloseHandle (hObject=0x26c) returned 1 [0108.706] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3b48 | out: hHeap=0x2680000) returned 1 [0108.706] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3e60 | out: hHeap=0x2680000) returned 1 [0108.706] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.706] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4208 | out: hHeap=0x2680000) returned 1 [0108.706] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e6f0 [0108.707] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwcompat.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwcompat.txt.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwcompat.txt.nefilim")) returned 1 [0108.763] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0108.764] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0108.764] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39dcc9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39dcc9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x90d, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwexclude.txt", cAlternateFileName="HWEXCL~1.TXT")) returned 1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2=".") returned 1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="..") returned 1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="...") returned 1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="windows") returned -1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="$RECYCLE.BIN") returned 1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="rsa") returned -1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="NTDETECT.COM") returned -1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="ntldr") returned -1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="MSDOS.SYS") returned -1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="IO.SYS") returned -1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="boot.ini") returned 1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="AUTOEXEC.BAT") returned 1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="ntuser.dat") returned -1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="desktop.ini") returned 1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="CONFIG.SYS") returned 1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="RECYCLER") returned -1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="BOOTSECT.BAK") returned 1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="bootmgr") returned 1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="programdata") returned -1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="appdata") returned 1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="program files") returned -1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="program files (x86)") returned -1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="microsoft") returned -1 [0108.764] lstrcmpiW (lpString1="hwexclude.txt", lpString2="sophos") returned -1 [0108.764] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0108.764] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0108.764] PathFindExtensionW (pszPath="hwexclude.txt") returned=".txt" [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".log") returned 1 [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".cab") returned 1 [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".cmd") returned 1 [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".com") returned 1 [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".cpl") returned 1 [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".url") returned -1 [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".ttf") returned 1 [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".mp3") returned 1 [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".pif") returned 1 [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".mp4") returned 1 [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".NEFILIM") returned 1 [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0108.765] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0108.765] lstrcmpiW (lpString1="hwexclude.txt", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0108.765] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0108.765] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwexclude.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0108.766] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=2317) returned 1 [0108.766] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.766] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4178 [0108.766] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.766] SystemFunction036 (in: RandomBuffer=0x29d4178, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4178) returned 1 [0108.766] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3b48 [0108.766] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d27b0 [0108.766] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3b48*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d3b48*, pdwDataLen=0x25beab8*=0x100) returned 1 [0108.766] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d27b0*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d27b0*, pdwDataLen=0x25beab4*=0x100) returned 1 [0108.766] GetTickCount () returned 0x115c502 [0108.766] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e690 [0108.766] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0108.766] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x90d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.766] SetLastError (dwErrCode=0x0) [0108.766] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3b48*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.768] GetLastError () returned 0x0 [0108.768] GetLastError () returned 0x0 [0108.768] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa0d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.768] WriteFile (in: hFile=0x26c, lpBuffer=0x29d27b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d27b0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.768] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xb0d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.768] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3bd15aa7, dwHighDateTime=0x1d5f971)) [0108.768] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0108.768] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0108.768] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0108.768] GetProcessHeap () returned 0xbc0000 [0108.769] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x90d) returned 0xbe3f48 [0108.769] GetSystemDefaultLangID () returned 0xbd0409 [0108.769] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.769] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x90d, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0x90d, lpOverlapped=0x0) returned 1 [0108.769] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.769] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x90d, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0x90d, lpOverlapped=0x0) returned 1 [0108.769] GetProcessHeap () returned 0xbc0000 [0108.769] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0108.769] CloseHandle (hObject=0x26c) returned 1 [0108.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3b48 | out: hHeap=0x2680000) returned 1 [0108.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d27b0 | out: hHeap=0x2680000) returned 1 [0108.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.769] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4178 | out: hHeap=0x2680000) returned 1 [0108.769] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e6f0 [0108.769] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwexclude.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\hwexclude.txt.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\amd64\\hwexclude.txt.nefilim")) returned 1 [0108.843] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0108.843] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0108.843] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea39eff9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea39eff9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x26b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="nxquery.cat", cAlternateFileName="")) returned 1 [0108.843] lstrcmpiW (lpString1="nxquery.cat", lpString2=".") returned 1 [0108.843] lstrcmpiW (lpString1="nxquery.cat", lpString2="..") returned 1 [0108.843] lstrcmpiW (lpString1="nxquery.cat", lpString2="...") returned 1 [0108.843] lstrcmpiW (lpString1="nxquery.cat", lpString2="windows") returned -1 [0108.843] lstrcmpiW (lpString1="nxquery.cat", lpString2="$RECYCLE.BIN") returned 1 [0108.843] lstrcmpiW (lpString1="nxquery.cat", lpString2="rsa") returned -1 [0108.843] lstrcmpiW (lpString1="nxquery.cat", lpString2="NTDETECT.COM") returned 1 [0108.843] lstrcmpiW (lpString1="nxquery.cat", lpString2="ntldr") returned 1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="MSDOS.SYS") returned 1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="IO.SYS") returned 1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="boot.ini") returned 1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="AUTOEXEC.BAT") returned 1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="ntuser.dat") returned 1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="desktop.ini") returned 1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="CONFIG.SYS") returned 1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="RECYCLER") returned -1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="BOOTSECT.BAK") returned 1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="bootmgr") returned 1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="programdata") returned -1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="appdata") returned 1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="program files") returned -1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="program files (x86)") returned -1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="microsoft") returned 1 [0108.844] lstrcmpiW (lpString1="nxquery.cat", lpString2="sophos") returned -1 [0108.844] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0108.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0108.844] PathFindExtensionW (pszPath="nxquery.cat") returned=".cat" [0108.844] lstrcmpiW (lpString1=".cat", lpString2=".exe") returned -1 [0108.844] lstrcmpiW (lpString1=".cat", lpString2=".log") returned -1 [0108.844] lstrcmpiW (lpString1=".cat", lpString2=".cab") returned 1 [0108.844] lstrcmpiW (lpString1=".cat", lpString2=".cmd") returned -1 [0108.844] lstrcmpiW (lpString1=".cat", lpString2=".com") returned -1 [0108.844] lstrcmpiW (lpString1=".cat", lpString2=".cpl") returned -1 [0108.844] lstrcmpiW (lpString1=".cat", lpString2=".ini") returned -1 [0108.844] lstrcmpiW (lpString1=".cat", lpString2=".dll") returned -1 [0108.844] lstrcmpiW (lpString1=".cat", lpString2=".url") returned -1 [0108.844] lstrcmpiW (lpString1=".cat", lpString2=".ttf") returned -1 [0108.844] lstrcmpiW (lpString1=".cat", lpString2=".mp3") returned -1 [0108.844] lstrcmpiW (lpString1=".cat", lpString2=".pif") returned -1 [0108.844] lstrcmpiW (lpString1=".cat", lpString2=".mp4") returned -1 [0108.844] lstrcmpiW (lpString1=".cat", lpString2=".NEFILIM") returned -1 [0108.844] lstrcmpiW (lpString1=".cat", lpString2=".msi") returned -1 [0108.845] lstrcmpiW (lpString1=".cat", lpString2=".lnk") returned -1 [0108.846] lstrcmpiW (lpString1="nxquery.cat", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0108.846] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0108.846] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0108.855] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=9910) returned 1 [0108.855] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.855] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4430 [0108.855] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.855] SystemFunction036 (in: RandomBuffer=0x29d4430, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4430) returned 1 [0108.855] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ee8 [0108.855] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2cd8 [0108.856] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ee8*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ee8*, pdwDataLen=0x25beab8*=0x100) returned 1 [0108.857] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2cd8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d2cd8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0108.859] GetTickCount () returned 0x115c560 [0108.859] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e3b8 [0108.859] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3b8 | out: hHeap=0x2680000) returned 1 [0108.859] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x26b6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.859] SetLastError (dwErrCode=0x0) [0108.859] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2ee8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.861] GetLastError () returned 0x0 [0108.861] GetLastError () returned 0x0 [0108.861] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x27b6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.861] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2cd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2cd8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.861] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x28b6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.861] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3bdff218, dwHighDateTime=0x1d5f971)) [0108.861] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be60 [0108.861] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0108.861] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0108.861] GetProcessHeap () returned 0xbc0000 [0108.861] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x26b6) returned 0xbf1630 [0108.861] GetSystemDefaultLangID () returned 0xbd0409 [0108.861] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.861] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x26b6, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x26b6, lpOverlapped=0x0) returned 1 [0108.863] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.863] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x26b6, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x26b6, lpOverlapped=0x0) returned 1 [0108.863] GetProcessHeap () returned 0xbc0000 [0108.863] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0108.863] CloseHandle (hObject=0x26c) returned 1 [0108.863] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ee8 | out: hHeap=0x2680000) returned 1 [0108.863] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2cd8 | out: hHeap=0x2680000) returned 1 [0108.863] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.863] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4430 | out: hHeap=0x2680000) returned 1 [0108.863] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0108.863] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.cat"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.cat.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.cat.nefilim")) returned 1 [0108.864] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0108.864] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0108.864] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a3e27, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a3e27, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x5d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="nxquery.inf", cAlternateFileName="")) returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2=".") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="..") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="...") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="windows") returned -1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="$RECYCLE.BIN") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="rsa") returned -1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="NTDETECT.COM") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="ntldr") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="MSDOS.SYS") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="IO.SYS") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="boot.ini") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="AUTOEXEC.BAT") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="ntuser.dat") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="desktop.ini") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="CONFIG.SYS") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="RECYCLER") returned -1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="BOOTSECT.BAK") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="bootmgr") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="programdata") returned -1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="appdata") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="program files") returned -1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="program files (x86)") returned -1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="microsoft") returned 1 [0108.864] lstrcmpiW (lpString1="nxquery.inf", lpString2="sophos") returned -1 [0108.864] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0108.865] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0108.865] PathFindExtensionW (pszPath="nxquery.inf") returned=".inf" [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".exe") returned 1 [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".log") returned -1 [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".cab") returned 1 [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".cmd") returned 1 [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".com") returned 1 [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".cpl") returned 1 [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".ini") returned -1 [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".dll") returned 1 [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".url") returned -1 [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".ttf") returned -1 [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".mp3") returned -1 [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".pif") returned -1 [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".mp4") returned -1 [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".NEFILIM") returned -1 [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".msi") returned -1 [0108.865] lstrcmpiW (lpString1=".inf", lpString2=".lnk") returned -1 [0108.865] lstrcmpiW (lpString1="nxquery.inf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0108.865] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0108.865] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0108.866] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=1495) returned 1 [0108.866] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.866] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d40d0 [0108.866] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.866] SystemFunction036 (in: RandomBuffer=0x29d40d0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d40d0) returned 1 [0108.866] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2078 [0108.866] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3d58 [0108.866] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2078*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2078*, pdwDataLen=0x25beab8*=0x100) returned 1 [0108.867] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3d58*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3d58*, pdwDataLen=0x25beab4*=0x100) returned 1 [0108.867] GetTickCount () returned 0x115c56f [0108.867] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e540 [0108.867] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e540 | out: hHeap=0x2680000) returned 1 [0108.867] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.867] SetLastError (dwErrCode=0x0) [0108.867] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2078*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.869] GetLastError () returned 0x0 [0108.869] GetLastError () returned 0x0 [0108.869] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x6d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.869] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3d58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3d58*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.869] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x7d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.869] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3be254fb, dwHighDateTime=0x1d5f971)) [0108.869] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be60 [0108.869] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0108.869] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0108.869] GetProcessHeap () returned 0xbc0000 [0108.869] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x5d7) returned 0xbe3f48 [0108.869] GetSystemDefaultLangID () returned 0xbd0409 [0108.869] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.869] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x5d7, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0x5d7, lpOverlapped=0x0) returned 1 [0108.869] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.869] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x5d7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0x5d7, lpOverlapped=0x0) returned 1 [0108.870] GetProcessHeap () returned 0xbc0000 [0108.870] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0108.870] CloseHandle (hObject=0x26c) returned 1 [0108.870] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2078 | out: hHeap=0x2680000) returned 1 [0108.870] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3d58 | out: hHeap=0x2680000) returned 1 [0108.870] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.870] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d40d0 | out: hHeap=0x2680000) returned 1 [0108.870] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0108.870] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.inf"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\nxquery.inf.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.inf.nefilim")) returned 1 [0108.870] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0108.870] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0108.870] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a652e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a652e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x50b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NXQuery.sys", cAlternateFileName="")) returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2=".") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="..") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="...") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="windows") returned -1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="$RECYCLE.BIN") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="rsa") returned -1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="NTDETECT.COM") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="ntldr") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="MSDOS.SYS") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="IO.SYS") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="boot.ini") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="AUTOEXEC.BAT") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="ntuser.dat") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="desktop.ini") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="CONFIG.SYS") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="RECYCLER") returned -1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="BOOTSECT.BAK") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="bootmgr") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="programdata") returned -1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="appdata") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="program files") returned -1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="program files (x86)") returned -1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="microsoft") returned 1 [0108.871] lstrcmpiW (lpString1="NXQuery.sys", lpString2="sophos") returned -1 [0108.871] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0108.871] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0108.871] PathFindExtensionW (pszPath="NXQuery.sys") returned=".sys" [0108.871] lstrcmpiW (lpString1=".sys", lpString2=".exe") returned 1 [0108.871] lstrcmpiW (lpString1=".sys", lpString2=".log") returned 1 [0108.871] lstrcmpiW (lpString1=".sys", lpString2=".cab") returned 1 [0108.871] lstrcmpiW (lpString1=".sys", lpString2=".cmd") returned 1 [0108.871] lstrcmpiW (lpString1=".sys", lpString2=".com") returned 1 [0108.871] lstrcmpiW (lpString1=".sys", lpString2=".cpl") returned 1 [0108.872] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0108.872] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0108.872] lstrcmpiW (lpString1=".sys", lpString2=".url") returned -1 [0108.872] lstrcmpiW (lpString1=".sys", lpString2=".ttf") returned -1 [0108.872] lstrcmpiW (lpString1=".sys", lpString2=".mp3") returned 1 [0108.872] lstrcmpiW (lpString1=".sys", lpString2=".pif") returned 1 [0108.872] lstrcmpiW (lpString1=".sys", lpString2=".mp4") returned 1 [0108.872] lstrcmpiW (lpString1=".sys", lpString2=".NEFILIM") returned 1 [0108.872] lstrcmpiW (lpString1=".sys", lpString2=".msi") returned 1 [0108.872] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0108.872] lstrcmpiW (lpString1="NXQuery.sys", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0108.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0108.872] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\amd64\\NXQuery.sys" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0108.872] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=20656) returned 1 [0108.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4370 [0108.872] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.872] SystemFunction036 (in: RandomBuffer=0x29d4370, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4370) returned 1 [0108.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d27b0 [0108.872] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0108.872] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d27b0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d27b0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0108.873] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0108.873] GetTickCount () returned 0x115c56f [0108.873] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e8 [0108.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e8 | out: hHeap=0x2680000) returned 1 [0108.873] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x50b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.873] SetLastError (dwErrCode=0x0) [0108.873] WriteFile (in: hFile=0x26c, lpBuffer=0x29d27b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d27b0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.875] GetLastError () returned 0x0 [0108.875] GetLastError () returned 0x0 [0108.875] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x51b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.875] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0108.875] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x52b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.875] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3be254fb, dwHighDateTime=0x1d5f971)) [0108.875] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be60 [0108.875] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0108.875] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0108.875] GetProcessHeap () returned 0xbc0000 [0108.875] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x50b0) returned 0xbf1630 [0108.875] GetSystemDefaultLangID () returned 0xbd0409 [0108.875] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.875] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x50b0, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x50b0, lpOverlapped=0x0) returned 1 [0108.877] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.877] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x50b0, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x50b0, lpOverlapped=0x0) returned 1 [0108.877] GetProcessHeap () returned 0xbc0000 [0108.877] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0108.877] CloseHandle (hObject=0x26c) returned 1 [0108.877] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d27b0 | out: hHeap=0x2680000) returned 1 [0108.877] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0108.877] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0108.877] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4370 | out: hHeap=0x2680000) returned 1 [0108.877] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0108.878] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\amd64\\NXQuery.sys" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.sys"), lpNewFileName="C:\\Windows10Upgrade\\resources\\amd64\\NXQuery.sys.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\amd64\\nxquery.sys.nefilim")) returned 1 [0108.878] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0108.878] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0108.878] FindNextFileW (in: hFindFile=0xbe2548, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a652e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a652e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x50b0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NXQuery.sys", cAlternateFileName="")) returned 0 [0108.878] FindClose (in: hFindFile=0xbe2548 | out: hFindFile=0xbe2548) returned 1 [0108.878] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0108.878] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0108.878] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0108.878] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3a78b4, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3a78b4, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xc981b, dwReserved0=0x0, dwReserved1=0x0, cFileName="hwcompatShared.txt", cAlternateFileName="HWCOMP~1.TXT")) returned 1 [0108.878] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2=".") returned 1 [0108.878] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="..") returned 1 [0108.878] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="...") returned 1 [0108.878] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="windows") returned -1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="$RECYCLE.BIN") returned 1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="rsa") returned -1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="NTDETECT.COM") returned -1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="ntldr") returned -1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="MSDOS.SYS") returned -1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="IO.SYS") returned -1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="boot.ini") returned 1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="AUTOEXEC.BAT") returned 1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="ntuser.dat") returned -1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="desktop.ini") returned 1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="CONFIG.SYS") returned 1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="RECYCLER") returned -1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="BOOTSECT.BAK") returned 1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="bootmgr") returned 1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="programdata") returned -1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="appdata") returned 1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="program files") returned -1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="program files (x86)") returned -1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="microsoft") returned -1 [0108.879] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="sophos") returned -1 [0108.879] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x2680510 [0108.879] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.879] PathFindExtensionW (pszPath="hwcompatShared.txt") returned=".txt" [0108.879] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0108.879] lstrcmpiW (lpString1=".txt", lpString2=".log") returned 1 [0108.879] lstrcmpiW (lpString1=".txt", lpString2=".cab") returned 1 [0108.879] lstrcmpiW (lpString1=".txt", lpString2=".cmd") returned 1 [0108.879] lstrcmpiW (lpString1=".txt", lpString2=".com") returned 1 [0108.879] lstrcmpiW (lpString1=".txt", lpString2=".cpl") returned 1 [0108.879] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0108.879] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0108.879] lstrcmpiW (lpString1=".txt", lpString2=".url") returned -1 [0108.879] lstrcmpiW (lpString1=".txt", lpString2=".ttf") returned 1 [0108.879] lstrcmpiW (lpString1=".txt", lpString2=".mp3") returned 1 [0108.879] lstrcmpiW (lpString1=".txt", lpString2=".pif") returned 1 [0108.880] lstrcmpiW (lpString1=".txt", lpString2=".mp4") returned 1 [0108.880] lstrcmpiW (lpString1=".txt", lpString2=".NEFILIM") returned 1 [0108.880] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0108.880] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0108.880] lstrcmpiW (lpString1="hwcompatShared.txt", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0108.880] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0108.880] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt" (normalized: "c:\\windows10upgrade\\resources\\hwcompatshared.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23c [0108.880] GetFileSizeEx (in: hFile=0x23c, lpFileSize=0x25bee18 | out: lpFileSize=0x25bee18*=825371) returned 1 [0108.880] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0108.880] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4268 [0108.880] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0108.880] SystemFunction036 (in: RandomBuffer=0x29d4268, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4268) returned 1 [0108.880] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d25a0 [0108.880] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3a40 [0108.880] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d25a0*, pdwDataLen=0x25bedd8*=0x10, dwBufLen=0x100 | out: pbData=0x29d25a0*, pdwDataLen=0x25bedd8*=0x100) returned 1 [0108.881] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3a40*, pdwDataLen=0x25bedd4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3a40*, pdwDataLen=0x25bedd4*=0x100) returned 1 [0108.882] GetTickCount () returned 0x115c57f [0108.882] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e348 [0108.882] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e348 | out: hHeap=0x2680000) returned 1 [0108.882] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0xc981b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.882] SetLastError (dwErrCode=0x0) [0108.882] WriteFile (in: hFile=0x23c, lpBuffer=0x29d25a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d25a0*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0108.883] GetLastError () returned 0x0 [0108.883] GetLastError () returned 0x0 [0108.883] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0xc991b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.883] WriteFile (in: hFile=0x23c, lpBuffer=0x29d3a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x29d3a40*, lpNumberOfBytesWritten=0x25bee30*=0x100, lpOverlapped=0x0) returned 1 [0108.883] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0xc9a1b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.884] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25bedec | out: lpSystemTimeAsFileTime=0x25bedec*(dwLowDateTime=0x3be4b6bb, dwHighDateTime=0x1d5f971)) [0108.884] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26804b8 [0108.884] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0108.884] WriteFile (in: hFile=0x23c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25bee30*=0x7, lpOverlapped=0x0) returned 1 [0108.884] GetProcessHeap () returned 0xbc0000 [0108.884] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xc981b) returned 0xa34020 [0108.886] GetSystemDefaultLangID () returned 0xbd0409 [0108.886] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0108.886] ReadFile (in: hFile=0x23c, lpBuffer=0xa34020, nNumberOfBytesToRead=0xc981b, lpNumberOfBytesRead=0x25bee3c, lpOverlapped=0x0 | out: lpBuffer=0xa34020*, lpNumberOfBytesRead=0x25bee3c*=0xc981b, lpOverlapped=0x0) returned 1 [0109.003] SetFilePointerEx (in: hFile=0x23c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.003] WriteFile (in: hFile=0x23c, lpBuffer=0xa34020*, nNumberOfBytesToWrite=0xc981b, lpNumberOfBytesWritten=0x25bee30, lpOverlapped=0x0 | out: lpBuffer=0xa34020*, lpNumberOfBytesWritten=0x25bee30*=0xc981b, lpOverlapped=0x0) returned 1 [0109.005] GetProcessHeap () returned 0xbc0000 [0109.005] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xa34020 | out: hHeap=0xbc0000) returned 1 [0109.073] CloseHandle (hObject=0x23c) returned 1 [0109.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d25a0 | out: hHeap=0x2680000) returned 1 [0109.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3a40 | out: hHeap=0x2680000) returned 1 [0109.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4268 | out: hHeap=0x2680000) returned 1 [0109.073] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e768 [0109.073] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt" (normalized: "c:\\windows10upgrade\\resources\\hwcompatshared.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\hwcompatShared.txt.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\hwcompatshared.txt.nefilim")) returned 1 [0109.074] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0109.074] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.074] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3a9fd3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b1515, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b1515, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="i386", cAlternateFileName="")) returned 1 [0109.074] lstrcmpiW (lpString1="i386", lpString2=".") returned 1 [0109.074] lstrcmpiW (lpString1="i386", lpString2="..") returned 1 [0109.074] lstrcmpiW (lpString1="i386", lpString2="...") returned 1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="windows") returned -1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="$RECYCLE.BIN") returned 1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="rsa") returned -1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="NTDETECT.COM") returned -1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="ntldr") returned -1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="MSDOS.SYS") returned -1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="IO.SYS") returned -1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="boot.ini") returned 1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="AUTOEXEC.BAT") returned 1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="ntuser.dat") returned -1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="desktop.ini") returned 1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="CONFIG.SYS") returned 1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="RECYCLER") returned -1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="BOOTSECT.BAK") returned 1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="bootmgr") returned 1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="programdata") returned -1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="appdata") returned 1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="program files") returned -1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="program files (x86)") returned -1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="microsoft") returned -1 [0109.075] lstrcmpiW (lpString1="i386", lpString2="sophos") returned -1 [0109.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0109.075] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0109.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0109.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0109.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e6f0 [0109.075] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\i386\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3a9fd3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b1515, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b2895, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName=".", cAlternateFileName="")) returned 0xbe2948 [0109.077] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.077] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3a9fd3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b1515, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea3b2895, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 1 [0109.077] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.077] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.077] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ab347, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ab347, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x16600, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="BiosBlocks.xml", cAlternateFileName="BIOSBL~1.XML")) returned 1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2=".") returned 1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="..") returned 1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="...") returned 1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="windows") returned -1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="$RECYCLE.BIN") returned 1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="rsa") returned -1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="NTDETECT.COM") returned -1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="ntldr") returned -1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="MSDOS.SYS") returned -1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="IO.SYS") returned -1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="boot.ini") returned -1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="AUTOEXEC.BAT") returned 1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="ntuser.dat") returned -1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="desktop.ini") returned -1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="CONFIG.SYS") returned -1 [0109.077] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="RECYCLER") returned -1 [0109.078] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="BOOTSECT.BAK") returned -1 [0109.078] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="bootmgr") returned -1 [0109.078] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="programdata") returned -1 [0109.078] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="appdata") returned 1 [0109.078] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="program files") returned -1 [0109.078] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="program files (x86)") returned -1 [0109.078] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="microsoft") returned -1 [0109.078] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="sophos") returned -1 [0109.078] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e748 [0109.078] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.078] PathFindExtensionW (pszPath="BiosBlocks.xml") returned=".xml" [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".exe") returned 1 [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".log") returned 1 [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".cab") returned 1 [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".cmd") returned 1 [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".com") returned 1 [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".cpl") returned 1 [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".ini") returned 1 [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".dll") returned 1 [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".url") returned 1 [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".ttf") returned 1 [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".mp3") returned 1 [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".pif") returned 1 [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".mp4") returned 1 [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".NEFILIM") returned 1 [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".msi") returned 1 [0109.078] lstrcmpiW (lpString1=".xml", lpString2=".lnk") returned 1 [0109.078] lstrcmpiW (lpString1="BiosBlocks.xml", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.078] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0109.078] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\i386\\biosblocks.xml"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0109.079] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=91648) returned 1 [0109.079] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.079] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4328 [0109.080] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.080] SystemFunction036 (in: RandomBuffer=0x29d4328, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4328) returned 1 [0109.080] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d30f8 [0109.080] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3c50 [0109.080] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d30f8*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d30f8*, pdwDataLen=0x25beab8*=0x100) returned 1 [0109.080] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3c50*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3c50*, pdwDataLen=0x25beab4*=0x100) returned 1 [0109.080] GetTickCount () returned 0x115c63a [0109.080] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e380 [0109.080] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0109.080] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16600, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.080] SetLastError (dwErrCode=0x0) [0109.081] WriteFile (in: hFile=0x26c, lpBuffer=0x29d30f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d30f8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.082] GetLastError () returned 0x0 [0109.082] GetLastError () returned 0x0 [0109.082] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16700, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.082] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3c50*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.082] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x16800, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.082] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3c015567, dwHighDateTime=0x1d5f971)) [0109.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e6f0 [0109.083] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.083] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0109.083] GetProcessHeap () returned 0xbc0000 [0109.083] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x16600) returned 0xbf1630 [0109.083] GetSystemDefaultLangID () returned 0xbd0409 [0109.083] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.083] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x16600, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x16600, lpOverlapped=0x0) returned 1 [0109.089] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.089] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x16600, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x16600, lpOverlapped=0x0) returned 1 [0109.089] GetProcessHeap () returned 0xbc0000 [0109.089] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0109.089] CloseHandle (hObject=0x26c) returned 1 [0109.089] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d30f8 | out: hHeap=0x2680000) returned 1 [0109.089] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3c50 | out: hHeap=0x2680000) returned 1 [0109.089] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.089] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4328 | out: hHeap=0x2680000) returned 1 [0109.089] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0109.089] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml" (normalized: "c:\\windows10upgrade\\resources\\i386\\biosblocks.xml"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\BiosBlocks.xml.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\i386\\biosblocks.xml.nefilim")) returned 1 [0109.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0109.090] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0109.090] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ac6e0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ac6e0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x4071, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="hwcompat.txt", cAlternateFileName="")) returned 1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2=".") returned 1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="..") returned 1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="...") returned 1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="windows") returned -1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="$RECYCLE.BIN") returned 1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="rsa") returned -1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="NTDETECT.COM") returned -1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="ntldr") returned -1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="MSDOS.SYS") returned -1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="IO.SYS") returned -1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="boot.ini") returned 1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="AUTOEXEC.BAT") returned 1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="ntuser.dat") returned -1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="desktop.ini") returned 1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="CONFIG.SYS") returned 1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="RECYCLER") returned -1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="BOOTSECT.BAK") returned 1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="bootmgr") returned 1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="programdata") returned -1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="appdata") returned 1 [0109.090] lstrcmpiW (lpString1="hwcompat.txt", lpString2="program files") returned -1 [0109.091] lstrcmpiW (lpString1="hwcompat.txt", lpString2="program files (x86)") returned -1 [0109.091] lstrcmpiW (lpString1="hwcompat.txt", lpString2="microsoft") returned -1 [0109.091] lstrcmpiW (lpString1="hwcompat.txt", lpString2="sophos") returned -1 [0109.091] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0109.091] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e748 | out: hHeap=0x2680000) returned 1 [0109.091] PathFindExtensionW (pszPath="hwcompat.txt") returned=".txt" [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".log") returned 1 [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".cab") returned 1 [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".cmd") returned 1 [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".com") returned 1 [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".cpl") returned 1 [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".url") returned -1 [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".ttf") returned 1 [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".mp3") returned 1 [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".pif") returned 1 [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".mp4") returned 1 [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".NEFILIM") returned 1 [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0109.091] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0109.091] lstrcmpiW (lpString1="hwcompat.txt", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.091] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0109.091] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwcompat.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0109.092] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=16497) returned 1 [0109.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d40d0 [0109.092] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.092] SystemFunction036 (in: RandomBuffer=0x29d40d0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d40d0) returned 1 [0109.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d26a8 [0109.092] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2390 [0109.092] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d26a8*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d26a8*, pdwDataLen=0x25beab8*=0x100) returned 1 [0109.093] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2390*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d2390*, pdwDataLen=0x25beab4*=0x100) returned 1 [0109.095] GetTickCount () returned 0x115c64a [0109.095] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e348 [0109.095] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e348 | out: hHeap=0x2680000) returned 1 [0109.095] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4071, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.095] SetLastError (dwErrCode=0x0) [0109.095] WriteFile (in: hFile=0x26c, lpBuffer=0x29d26a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d26a8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.097] GetLastError () returned 0x0 [0109.097] GetLastError () returned 0x0 [0109.097] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4171, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.097] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2390*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2390*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.097] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4271, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.097] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3c03b582, dwHighDateTime=0x1d5f971)) [0109.097] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be60 [0109.097] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.097] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0109.097] GetProcessHeap () returned 0xbc0000 [0109.097] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x4071) returned 0xbf1630 [0109.097] GetSystemDefaultLangID () returned 0xbd0409 [0109.097] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.097] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x4071, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x4071, lpOverlapped=0x0) returned 1 [0109.099] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.099] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x4071, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x4071, lpOverlapped=0x0) returned 1 [0109.099] GetProcessHeap () returned 0xbc0000 [0109.099] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0109.099] CloseHandle (hObject=0x26c) returned 1 [0109.099] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d26a8 | out: hHeap=0x2680000) returned 1 [0109.099] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2390 | out: hHeap=0x2680000) returned 1 [0109.099] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.099] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d40d0 | out: hHeap=0x2680000) returned 1 [0109.099] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0109.099] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwcompat.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\hwcompat.txt.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwcompat.txt.nefilim")) returned 1 [0109.102] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.102] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0109.103] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ada69, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ada69, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x8d7, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="hwexclude.txt", cAlternateFileName="HWEXCL~1.TXT")) returned 1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2=".") returned 1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="..") returned 1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="...") returned 1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="windows") returned -1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="$RECYCLE.BIN") returned 1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="rsa") returned -1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="NTDETECT.COM") returned -1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="ntldr") returned -1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="MSDOS.SYS") returned -1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="IO.SYS") returned -1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="boot.ini") returned 1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="AUTOEXEC.BAT") returned 1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="ntuser.dat") returned -1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="desktop.ini") returned 1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="CONFIG.SYS") returned 1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="RECYCLER") returned -1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="BOOTSECT.BAK") returned 1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="bootmgr") returned 1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="programdata") returned -1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="appdata") returned 1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="program files") returned -1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="program files (x86)") returned -1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="microsoft") returned -1 [0109.103] lstrcmpiW (lpString1="hwexclude.txt", lpString2="sophos") returned -1 [0109.103] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bdf8 [0109.103] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0109.103] PathFindExtensionW (pszPath="hwexclude.txt") returned=".txt" [0109.103] lstrcmpiW (lpString1=".txt", lpString2=".exe") returned 1 [0109.103] lstrcmpiW (lpString1=".txt", lpString2=".log") returned 1 [0109.103] lstrcmpiW (lpString1=".txt", lpString2=".cab") returned 1 [0109.103] lstrcmpiW (lpString1=".txt", lpString2=".cmd") returned 1 [0109.103] lstrcmpiW (lpString1=".txt", lpString2=".com") returned 1 [0109.103] lstrcmpiW (lpString1=".txt", lpString2=".cpl") returned 1 [0109.103] lstrcmpiW (lpString1=".txt", lpString2=".ini") returned 1 [0109.104] lstrcmpiW (lpString1=".txt", lpString2=".dll") returned 1 [0109.104] lstrcmpiW (lpString1=".txt", lpString2=".url") returned -1 [0109.104] lstrcmpiW (lpString1=".txt", lpString2=".ttf") returned 1 [0109.104] lstrcmpiW (lpString1=".txt", lpString2=".mp3") returned 1 [0109.104] lstrcmpiW (lpString1=".txt", lpString2=".pif") returned 1 [0109.104] lstrcmpiW (lpString1=".txt", lpString2=".mp4") returned 1 [0109.104] lstrcmpiW (lpString1=".txt", lpString2=".NEFILIM") returned 1 [0109.104] lstrcmpiW (lpString1=".txt", lpString2=".msi") returned 1 [0109.104] lstrcmpiW (lpString1=".txt", lpString2=".lnk") returned 1 [0109.104] lstrcmpiW (lpString1="hwexclude.txt", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.104] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0109.104] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwexclude.txt"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0109.104] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=2263) returned 1 [0109.104] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.104] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d41c0 [0109.104] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.104] SystemFunction036 (in: RandomBuffer=0x29d41c0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d41c0) returned 1 [0109.104] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3518 [0109.104] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d27b0 [0109.104] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3518*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d3518*, pdwDataLen=0x25beab8*=0x100) returned 1 [0109.105] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d27b0*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d27b0*, pdwDataLen=0x25beab4*=0x100) returned 1 [0109.105] GetTickCount () returned 0x115c65a [0109.105] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e428 [0109.105] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e428 | out: hHeap=0x2680000) returned 1 [0109.105] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x8d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.105] SetLastError (dwErrCode=0x0) [0109.105] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3518*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3518*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.107] GetLastError () returned 0x0 [0109.107] GetLastError () returned 0x0 [0109.107] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x9d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.107] WriteFile (in: hFile=0x26c, lpBuffer=0x29d27b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d27b0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.107] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xad7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.107] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3c0617dd, dwHighDateTime=0x1d5f971)) [0109.107] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0109.107] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0109.107] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0109.107] GetProcessHeap () returned 0xbc0000 [0109.107] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x8d7) returned 0xbe3f48 [0109.107] GetSystemDefaultLangID () returned 0xbd0409 [0109.107] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.107] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x8d7, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0x8d7, lpOverlapped=0x0) returned 1 [0109.107] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.107] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x8d7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0x8d7, lpOverlapped=0x0) returned 1 [0109.108] GetProcessHeap () returned 0xbc0000 [0109.108] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0109.108] CloseHandle (hObject=0x26c) returned 1 [0109.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3518 | out: hHeap=0x2680000) returned 1 [0109.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d27b0 | out: hHeap=0x2680000) returned 1 [0109.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d41c0 | out: hHeap=0x2680000) returned 1 [0109.108] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e768 [0109.108] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwexclude.txt"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\hwexclude.txt.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\i386\\hwexclude.txt.nefilim")) returned 1 [0109.112] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0109.112] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.112] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3aedef, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3aedef, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x2684, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="nxquery.cat", cAlternateFileName="")) returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2=".") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="..") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="...") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="windows") returned -1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="$RECYCLE.BIN") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="rsa") returned -1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="NTDETECT.COM") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="ntldr") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="MSDOS.SYS") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="IO.SYS") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="boot.ini") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="AUTOEXEC.BAT") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="ntuser.dat") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="desktop.ini") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="CONFIG.SYS") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="RECYCLER") returned -1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="BOOTSECT.BAK") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="bootmgr") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="programdata") returned -1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="appdata") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="program files") returned -1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="program files (x86)") returned -1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="microsoft") returned 1 [0109.112] lstrcmpiW (lpString1="nxquery.cat", lpString2="sophos") returned -1 [0109.112] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0109.112] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0109.112] PathFindExtensionW (pszPath="nxquery.cat") returned=".cat" [0109.112] lstrcmpiW (lpString1=".cat", lpString2=".exe") returned -1 [0109.113] lstrcmpiW (lpString1=".cat", lpString2=".log") returned -1 [0109.113] lstrcmpiW (lpString1=".cat", lpString2=".cab") returned 1 [0109.113] lstrcmpiW (lpString1=".cat", lpString2=".cmd") returned -1 [0109.113] lstrcmpiW (lpString1=".cat", lpString2=".com") returned -1 [0109.113] lstrcmpiW (lpString1=".cat", lpString2=".cpl") returned -1 [0109.113] lstrcmpiW (lpString1=".cat", lpString2=".ini") returned -1 [0109.113] lstrcmpiW (lpString1=".cat", lpString2=".dll") returned -1 [0109.113] lstrcmpiW (lpString1=".cat", lpString2=".url") returned -1 [0109.113] lstrcmpiW (lpString1=".cat", lpString2=".ttf") returned -1 [0109.113] lstrcmpiW (lpString1=".cat", lpString2=".mp3") returned -1 [0109.113] lstrcmpiW (lpString1=".cat", lpString2=".pif") returned -1 [0109.113] lstrcmpiW (lpString1=".cat", lpString2=".mp4") returned -1 [0109.113] lstrcmpiW (lpString1=".cat", lpString2=".NEFILIM") returned -1 [0109.113] lstrcmpiW (lpString1=".cat", lpString2=".msi") returned -1 [0109.113] lstrcmpiW (lpString1=".cat", lpString2=".lnk") returned -1 [0109.113] lstrcmpiW (lpString1="nxquery.cat", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0109.113] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0109.113] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.cat"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0109.113] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=9860) returned 1 [0109.113] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.113] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d41f0 [0109.113] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.113] SystemFunction036 (in: RandomBuffer=0x29d41f0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d41f0) returned 1 [0109.113] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d25a0 [0109.114] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3b48 [0109.114] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d25a0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d25a0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0109.114] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3b48*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3b48*, pdwDataLen=0x25beab4*=0x100) returned 1 [0109.114] GetTickCount () returned 0x115c65a [0109.114] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e310 [0109.114] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e310 | out: hHeap=0x2680000) returned 1 [0109.114] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x2684, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.114] SetLastError (dwErrCode=0x0) [0109.114] WriteFile (in: hFile=0x26c, lpBuffer=0x29d25a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d25a0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.179] GetLastError () returned 0x0 [0109.179] GetLastError () returned 0x0 [0109.179] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x2784, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.179] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3b48*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.180] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x2884, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.180] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3c12069d, dwHighDateTime=0x1d5f971)) [0109.180] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be60 [0109.180] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.180] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0109.180] GetProcessHeap () returned 0xbc0000 [0109.180] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x2684) returned 0xbf1630 [0109.180] GetSystemDefaultLangID () returned 0xbd0409 [0109.180] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.180] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x2684, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x2684, lpOverlapped=0x0) returned 1 [0109.181] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.181] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x2684, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x2684, lpOverlapped=0x0) returned 1 [0109.181] GetProcessHeap () returned 0xbc0000 [0109.181] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0109.181] CloseHandle (hObject=0x26c) returned 1 [0109.181] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d25a0 | out: hHeap=0x2680000) returned 1 [0109.181] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3b48 | out: hHeap=0x2680000) returned 1 [0109.181] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.181] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d41f0 | out: hHeap=0x2680000) returned 1 [0109.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0109.182] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.cat"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.cat.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.cat.nefilim")) returned 1 [0109.182] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.182] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0109.182] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b017f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b017f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x5d7, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="nxquery.inf", cAlternateFileName="")) returned 1 [0109.182] lstrcmpiW (lpString1="nxquery.inf", lpString2=".") returned 1 [0109.182] lstrcmpiW (lpString1="nxquery.inf", lpString2="..") returned 1 [0109.182] lstrcmpiW (lpString1="nxquery.inf", lpString2="...") returned 1 [0109.182] lstrcmpiW (lpString1="nxquery.inf", lpString2="windows") returned -1 [0109.182] lstrcmpiW (lpString1="nxquery.inf", lpString2="$RECYCLE.BIN") returned 1 [0109.182] lstrcmpiW (lpString1="nxquery.inf", lpString2="rsa") returned -1 [0109.182] lstrcmpiW (lpString1="nxquery.inf", lpString2="NTDETECT.COM") returned 1 [0109.182] lstrcmpiW (lpString1="nxquery.inf", lpString2="ntldr") returned 1 [0109.182] lstrcmpiW (lpString1="nxquery.inf", lpString2="MSDOS.SYS") returned 1 [0109.182] lstrcmpiW (lpString1="nxquery.inf", lpString2="IO.SYS") returned 1 [0109.182] lstrcmpiW (lpString1="nxquery.inf", lpString2="boot.ini") returned 1 [0109.182] lstrcmpiW (lpString1="nxquery.inf", lpString2="AUTOEXEC.BAT") returned 1 [0109.182] lstrcmpiW (lpString1="nxquery.inf", lpString2="ntuser.dat") returned 1 [0109.183] lstrcmpiW (lpString1="nxquery.inf", lpString2="desktop.ini") returned 1 [0109.183] lstrcmpiW (lpString1="nxquery.inf", lpString2="CONFIG.SYS") returned 1 [0109.183] lstrcmpiW (lpString1="nxquery.inf", lpString2="RECYCLER") returned -1 [0109.183] lstrcmpiW (lpString1="nxquery.inf", lpString2="BOOTSECT.BAK") returned 1 [0109.183] lstrcmpiW (lpString1="nxquery.inf", lpString2="bootmgr") returned 1 [0109.183] lstrcmpiW (lpString1="nxquery.inf", lpString2="programdata") returned -1 [0109.183] lstrcmpiW (lpString1="nxquery.inf", lpString2="appdata") returned 1 [0109.183] lstrcmpiW (lpString1="nxquery.inf", lpString2="program files") returned -1 [0109.183] lstrcmpiW (lpString1="nxquery.inf", lpString2="program files (x86)") returned -1 [0109.183] lstrcmpiW (lpString1="nxquery.inf", lpString2="microsoft") returned 1 [0109.183] lstrcmpiW (lpString1="nxquery.inf", lpString2="sophos") returned -1 [0109.183] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0109.183] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0109.183] PathFindExtensionW (pszPath="nxquery.inf") returned=".inf" [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".exe") returned 1 [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".log") returned -1 [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".cab") returned 1 [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".cmd") returned 1 [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".com") returned 1 [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".cpl") returned 1 [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".ini") returned -1 [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".dll") returned 1 [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".url") returned -1 [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".ttf") returned -1 [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".mp3") returned -1 [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".pif") returned -1 [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".mp4") returned -1 [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".NEFILIM") returned -1 [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".msi") returned -1 [0109.183] lstrcmpiW (lpString1=".inf", lpString2=".lnk") returned -1 [0109.183] lstrcmpiW (lpString1="nxquery.inf", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0109.183] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0109.183] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.inf"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0109.184] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=1495) returned 1 [0109.184] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.184] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4130 [0109.185] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.185] SystemFunction036 (in: RandomBuffer=0x29d4130, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4130) returned 1 [0109.185] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d25a0 [0109.185] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d26a8 [0109.185] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d25a0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d25a0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0109.185] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d26a8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d26a8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0109.186] GetTickCount () returned 0x115c6a8 [0109.186] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e690 [0109.186] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0109.186] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x5d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.186] SetLastError (dwErrCode=0x0) [0109.187] WriteFile (in: hFile=0x26c, lpBuffer=0x29d25a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d25a0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.188] GetLastError () returned 0x0 [0109.188] GetLastError () returned 0x0 [0109.188] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x6d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.188] WriteFile (in: hFile=0x26c, lpBuffer=0x29d26a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d26a8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.188] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x7d7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.188] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3c12069d, dwHighDateTime=0x1d5f971)) [0109.188] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be60 [0109.189] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.189] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0109.189] GetProcessHeap () returned 0xbc0000 [0109.189] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x5d7) returned 0xbe3f48 [0109.189] GetSystemDefaultLangID () returned 0xbd0409 [0109.189] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.189] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x5d7, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0x5d7, lpOverlapped=0x0) returned 1 [0109.189] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.189] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x5d7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0x5d7, lpOverlapped=0x0) returned 1 [0109.189] GetProcessHeap () returned 0xbc0000 [0109.189] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0109.189] CloseHandle (hObject=0x26c) returned 1 [0109.189] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d25a0 | out: hHeap=0x2680000) returned 1 [0109.189] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d26a8 | out: hHeap=0x2680000) returned 1 [0109.189] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.189] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4130 | out: hHeap=0x2680000) returned 1 [0109.189] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0109.189] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.inf"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\nxquery.inf.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.inf.nefilim")) returned 1 [0109.190] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.190] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0109.190] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b2895, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b2895, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x4eb0, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="NXQuery.sys", cAlternateFileName="")) returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2=".") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="..") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="...") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="windows") returned -1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="$RECYCLE.BIN") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="rsa") returned -1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="NTDETECT.COM") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="ntldr") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="MSDOS.SYS") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="IO.SYS") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="boot.ini") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="AUTOEXEC.BAT") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="ntuser.dat") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="desktop.ini") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="CONFIG.SYS") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="RECYCLER") returned -1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="BOOTSECT.BAK") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="bootmgr") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="programdata") returned -1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="appdata") returned 1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="program files") returned -1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="program files (x86)") returned -1 [0109.190] lstrcmpiW (lpString1="NXQuery.sys", lpString2="microsoft") returned 1 [0109.191] lstrcmpiW (lpString1="NXQuery.sys", lpString2="sophos") returned -1 [0109.191] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0109.191] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0109.191] PathFindExtensionW (pszPath="NXQuery.sys") returned=".sys" [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".exe") returned 1 [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".log") returned 1 [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".cab") returned 1 [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".cmd") returned 1 [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".com") returned 1 [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".cpl") returned 1 [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".ini") returned 1 [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".dll") returned 1 [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".url") returned -1 [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".ttf") returned -1 [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".mp3") returned 1 [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".pif") returned 1 [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".mp4") returned 1 [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".NEFILIM") returned 1 [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".msi") returned 1 [0109.191] lstrcmpiW (lpString1=".sys", lpString2=".lnk") returned 1 [0109.191] lstrcmpiW (lpString1="NXQuery.sys", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0109.191] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0109.191] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\i386\\NXQuery.sys" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.sys"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0109.192] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=20144) returned 1 [0109.192] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.192] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4268 [0109.192] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.192] SystemFunction036 (in: RandomBuffer=0x29d4268, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4268) returned 1 [0109.192] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3728 [0109.192] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3d58 [0109.192] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3728*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d3728*, pdwDataLen=0x25beab8*=0x100) returned 1 [0109.194] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3d58*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3d58*, pdwDataLen=0x25beab4*=0x100) returned 1 [0109.194] GetTickCount () returned 0x115c6b7 [0109.194] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e3b8 [0109.194] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3b8 | out: hHeap=0x2680000) returned 1 [0109.194] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4eb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.194] SetLastError (dwErrCode=0x0) [0109.194] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3728*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.196] GetLastError () returned 0x0 [0109.196] GetLastError () returned 0x0 [0109.196] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x4fb0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.196] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3d58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3d58*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.197] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x50b0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.197] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3c1468bd, dwHighDateTime=0x1d5f971)) [0109.197] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be60 [0109.197] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.197] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0109.197] GetProcessHeap () returned 0xbc0000 [0109.197] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x4eb0) returned 0xbf1630 [0109.197] GetSystemDefaultLangID () returned 0xbd0409 [0109.197] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.197] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x4eb0, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x4eb0, lpOverlapped=0x0) returned 1 [0109.199] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.199] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x4eb0, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x4eb0, lpOverlapped=0x0) returned 1 [0109.199] GetProcessHeap () returned 0xbc0000 [0109.199] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0109.200] CloseHandle (hObject=0x26c) returned 1 [0109.200] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3728 | out: hHeap=0x2680000) returned 1 [0109.200] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3d58 | out: hHeap=0x2680000) returned 1 [0109.200] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.200] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4268 | out: hHeap=0x2680000) returned 1 [0109.200] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0109.200] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\i386\\NXQuery.sys" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.sys"), lpNewFileName="C:\\Windows10Upgrade\\resources\\i386\\NXQuery.sys.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\i386\\nxquery.sys.nefilim")) returned 1 [0109.201] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.201] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0109.201] FindNextFileW (in: hFindFile=0xbe2948, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b2895, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b2895, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x4eb0, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="NXQuery.sys", cAlternateFileName="")) returned 0 [0109.201] FindClose (in: hFindFile=0xbe2948 | out: hFindFile=0xbe2948) returned 1 [0109.201] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0109.201] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0109.201] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0109.201] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3b3c1b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea63c947, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ux", cAlternateFileName="")) returned 1 [0109.201] lstrcmpiW (lpString1="ux", lpString2=".") returned 1 [0109.201] lstrcmpiW (lpString1="ux", lpString2="..") returned 1 [0109.201] lstrcmpiW (lpString1="ux", lpString2="...") returned 1 [0109.201] lstrcmpiW (lpString1="ux", lpString2="windows") returned -1 [0109.201] lstrcmpiW (lpString1="ux", lpString2="$RECYCLE.BIN") returned 1 [0109.201] lstrcmpiW (lpString1="ux", lpString2="rsa") returned 1 [0109.201] lstrcmpiW (lpString1="ux", lpString2="NTDETECT.COM") returned 1 [0109.201] lstrcmpiW (lpString1="ux", lpString2="ntldr") returned 1 [0109.201] lstrcmpiW (lpString1="ux", lpString2="MSDOS.SYS") returned 1 [0109.201] lstrcmpiW (lpString1="ux", lpString2="IO.SYS") returned 1 [0109.202] lstrcmpiW (lpString1="ux", lpString2="boot.ini") returned 1 [0109.202] lstrcmpiW (lpString1="ux", lpString2="AUTOEXEC.BAT") returned 1 [0109.202] lstrcmpiW (lpString1="ux", lpString2="ntuser.dat") returned 1 [0109.202] lstrcmpiW (lpString1="ux", lpString2="desktop.ini") returned 1 [0109.202] lstrcmpiW (lpString1="ux", lpString2="CONFIG.SYS") returned 1 [0109.202] lstrcmpiW (lpString1="ux", lpString2="RECYCLER") returned 1 [0109.202] lstrcmpiW (lpString1="ux", lpString2="BOOTSECT.BAK") returned 1 [0109.202] lstrcmpiW (lpString1="ux", lpString2="bootmgr") returned 1 [0109.202] lstrcmpiW (lpString1="ux", lpString2="programdata") returned 1 [0109.202] lstrcmpiW (lpString1="ux", lpString2="appdata") returned 1 [0109.202] lstrcmpiW (lpString1="ux", lpString2="program files") returned 1 [0109.202] lstrcmpiW (lpString1="ux", lpString2="program files (x86)") returned 1 [0109.202] lstrcmpiW (lpString1="ux", lpString2="microsoft") returned 1 [0109.202] lstrcmpiW (lpString1="ux", lpString2="sophos") returned 1 [0109.202] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26812c0 [0109.202] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0109.202] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0109.202] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0109.202] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268e6f0 [0109.202] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\*.*", lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3b3c1b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea63c947, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName=".", cAlternateFileName="")) returned 0xbe2888 [0109.203] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.204] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3b3c1b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea63c947, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 1 [0109.204] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.204] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.204] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b4fa7, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b4fa7, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x397, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="block.png", cAlternateFileName="")) returned 1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2=".") returned 1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="..") returned 1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="...") returned 1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="windows") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="$RECYCLE.BIN") returned 1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="rsa") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="NTDETECT.COM") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="ntldr") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="MSDOS.SYS") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="IO.SYS") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="boot.ini") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="AUTOEXEC.BAT") returned 1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="ntuser.dat") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="desktop.ini") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="CONFIG.SYS") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="RECYCLER") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="BOOTSECT.BAK") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="bootmgr") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="programdata") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="appdata") returned 1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="program files") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="program files (x86)") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="microsoft") returned -1 [0109.204] lstrcmpiW (lpString1="block.png", lpString2="sophos") returned -1 [0109.204] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e748 [0109.204] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.204] PathFindExtensionW (pszPath="block.png") returned=".png" [0109.204] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0109.204] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0109.204] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0109.205] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0109.205] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0109.205] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0109.205] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0109.205] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0109.205] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0109.205] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0109.205] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0109.205] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0109.205] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0109.205] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0109.205] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0109.205] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0109.205] lstrcmpiW (lpString1="block.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.205] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0109.205] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\block.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\block.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0109.205] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=919) returned 1 [0109.205] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.206] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d40a0 [0109.206] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.206] SystemFunction036 (in: RandomBuffer=0x29d40a0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d40a0) returned 1 [0109.206] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3c50 [0109.206] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ff0 [0109.206] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3c50*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d3c50*, pdwDataLen=0x25beab8*=0x100) returned 1 [0109.207] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ff0*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ff0*, pdwDataLen=0x25beab4*=0x100) returned 1 [0109.207] GetTickCount () returned 0x115c6b7 [0109.207] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e540 [0109.207] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e540 | out: hHeap=0x2680000) returned 1 [0109.208] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x397, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.208] SetLastError (dwErrCode=0x0) [0109.208] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3c50*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.209] GetLastError () returned 0x0 [0109.209] GetLastError () returned 0x0 [0109.209] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x497, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.209] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2ff0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.210] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x597, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.210] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3c16c7e6, dwHighDateTime=0x1d5f971)) [0109.210] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e7b0 [0109.210] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e7b0 | out: hHeap=0x2680000) returned 1 [0109.210] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0109.210] GetProcessHeap () returned 0xbc0000 [0109.210] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x397) returned 0xbe3f48 [0109.210] GetSystemDefaultLangID () returned 0xbd0409 [0109.210] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.210] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x397, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0x397, lpOverlapped=0x0) returned 1 [0109.210] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.210] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x397, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0x397, lpOverlapped=0x0) returned 1 [0109.210] GetProcessHeap () returned 0xbc0000 [0109.210] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0109.210] CloseHandle (hObject=0x26c) returned 1 [0109.210] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3c50 | out: hHeap=0x2680000) returned 1 [0109.210] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ff0 | out: hHeap=0x2680000) returned 1 [0109.210] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.210] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d40a0 | out: hHeap=0x2680000) returned 1 [0109.210] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bdf8 [0109.210] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\block.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\block.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\block.png.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\block.png.nefilim")) returned 1 [0109.211] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0109.211] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0109.211] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b8a24, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b8a24, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x749e0600, ftLastWriteTime.dwHighDateTime=0x1d2ea8c, nFileSizeHigh=0x0, nFileSizeLow=0x1ba8, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="bluelogo.png", cAlternateFileName="")) returned 1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2=".") returned 1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="..") returned 1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="...") returned 1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="windows") returned -1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="$RECYCLE.BIN") returned 1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="rsa") returned -1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="NTDETECT.COM") returned -1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="ntldr") returned -1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="MSDOS.SYS") returned -1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="IO.SYS") returned -1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="boot.ini") returned -1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="AUTOEXEC.BAT") returned 1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="ntuser.dat") returned -1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="desktop.ini") returned -1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="CONFIG.SYS") returned -1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="RECYCLER") returned -1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="BOOTSECT.BAK") returned -1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="bootmgr") returned -1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="programdata") returned -1 [0109.211] lstrcmpiW (lpString1="bluelogo.png", lpString2="appdata") returned 1 [0109.212] lstrcmpiW (lpString1="bluelogo.png", lpString2="program files") returned -1 [0109.212] lstrcmpiW (lpString1="bluelogo.png", lpString2="program files (x86)") returned -1 [0109.212] lstrcmpiW (lpString1="bluelogo.png", lpString2="microsoft") returned -1 [0109.212] lstrcmpiW (lpString1="bluelogo.png", lpString2="sophos") returned -1 [0109.212] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0109.212] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e748 | out: hHeap=0x2680000) returned 1 [0109.212] PathFindExtensionW (pszPath="bluelogo.png") returned=".png" [0109.212] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0109.212] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0109.212] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0109.212] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0109.212] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0109.212] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0109.212] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0109.212] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0109.212] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0109.212] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0109.212] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0109.212] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0109.212] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0109.212] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0109.212] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0109.212] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0109.212] lstrcmpiW (lpString1="bluelogo.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.212] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0109.212] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bluelogo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0109.213] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=7080) returned 1 [0109.213] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.213] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d41c0 [0109.213] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.213] SystemFunction036 (in: RandomBuffer=0x29d41c0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d41c0) returned 1 [0109.213] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2498 [0109.213] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0109.213] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2498*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2498*, pdwDataLen=0x25beab8*=0x100) returned 1 [0109.214] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0109.215] GetTickCount () returned 0x115c6c7 [0109.215] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e690 [0109.215] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0109.215] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1ba8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.215] SetLastError (dwErrCode=0x0) [0109.215] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2498*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2498*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.270] GetLastError () returned 0x0 [0109.270] GetLastError () returned 0x0 [0109.271] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1ca8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.271] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.271] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1da8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.271] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3c1deff7, dwHighDateTime=0x1d5f971)) [0109.271] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be60 [0109.271] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.271] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0109.271] GetProcessHeap () returned 0xbc0000 [0109.271] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1ba8) returned 0xbf1630 [0109.273] GetSystemDefaultLangID () returned 0xbd0409 [0109.273] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.273] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x1ba8, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x1ba8, lpOverlapped=0x0) returned 1 [0109.274] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.274] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x1ba8, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x1ba8, lpOverlapped=0x0) returned 1 [0109.274] GetProcessHeap () returned 0xbc0000 [0109.274] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0109.274] CloseHandle (hObject=0x26c) returned 1 [0109.274] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2498 | out: hHeap=0x2680000) returned 1 [0109.274] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0109.274] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.274] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d41c0 | out: hHeap=0x2680000) returned 1 [0109.275] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0109.275] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bluelogo.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\bluelogo.png.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\bluelogo.png.nefilim")) returned 1 [0109.275] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.275] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0109.275] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3b9dbd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3b9dbd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xdd, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="bullet.png", cAlternateFileName="")) returned 1 [0109.275] lstrcmpiW (lpString1="bullet.png", lpString2=".") returned 1 [0109.275] lstrcmpiW (lpString1="bullet.png", lpString2="..") returned 1 [0109.275] lstrcmpiW (lpString1="bullet.png", lpString2="...") returned 1 [0109.275] lstrcmpiW (lpString1="bullet.png", lpString2="windows") returned -1 [0109.275] lstrcmpiW (lpString1="bullet.png", lpString2="$RECYCLE.BIN") returned 1 [0109.275] lstrcmpiW (lpString1="bullet.png", lpString2="rsa") returned -1 [0109.275] lstrcmpiW (lpString1="bullet.png", lpString2="NTDETECT.COM") returned -1 [0109.275] lstrcmpiW (lpString1="bullet.png", lpString2="ntldr") returned -1 [0109.275] lstrcmpiW (lpString1="bullet.png", lpString2="MSDOS.SYS") returned -1 [0109.275] lstrcmpiW (lpString1="bullet.png", lpString2="IO.SYS") returned -1 [0109.275] lstrcmpiW (lpString1="bullet.png", lpString2="boot.ini") returned 1 [0109.276] lstrcmpiW (lpString1="bullet.png", lpString2="AUTOEXEC.BAT") returned 1 [0109.276] lstrcmpiW (lpString1="bullet.png", lpString2="ntuser.dat") returned -1 [0109.276] lstrcmpiW (lpString1="bullet.png", lpString2="desktop.ini") returned -1 [0109.276] lstrcmpiW (lpString1="bullet.png", lpString2="CONFIG.SYS") returned -1 [0109.276] lstrcmpiW (lpString1="bullet.png", lpString2="RECYCLER") returned -1 [0109.276] lstrcmpiW (lpString1="bullet.png", lpString2="BOOTSECT.BAK") returned 1 [0109.276] lstrcmpiW (lpString1="bullet.png", lpString2="bootmgr") returned 1 [0109.276] lstrcmpiW (lpString1="bullet.png", lpString2="programdata") returned -1 [0109.276] lstrcmpiW (lpString1="bullet.png", lpString2="appdata") returned 1 [0109.276] lstrcmpiW (lpString1="bullet.png", lpString2="program files") returned -1 [0109.276] lstrcmpiW (lpString1="bullet.png", lpString2="program files (x86)") returned -1 [0109.276] lstrcmpiW (lpString1="bullet.png", lpString2="microsoft") returned -1 [0109.276] lstrcmpiW (lpString1="bullet.png", lpString2="sophos") returned -1 [0109.276] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0109.276] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0109.276] PathFindExtensionW (pszPath="bullet.png") returned=".png" [0109.276] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0109.276] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0109.276] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0109.276] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0109.276] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0109.276] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0109.276] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0109.276] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0109.276] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0109.276] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0109.276] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0109.276] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0109.276] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0109.276] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0109.276] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0109.276] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0109.276] lstrcmpiW (lpString1="bullet.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.276] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0109.276] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\bullet.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bullet.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0109.277] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=221) returned 1 [0109.277] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.277] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4118 [0109.277] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.277] SystemFunction036 (in: RandomBuffer=0x29d4118, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4118) returned 1 [0109.277] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2de0 [0109.277] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3728 [0109.277] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2de0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2de0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0109.279] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3728*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3728*, pdwDataLen=0x25beab4*=0x100) returned 1 [0109.280] GetTickCount () returned 0x115c705 [0109.280] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e310 [0109.280] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e310 | out: hHeap=0x2680000) returned 1 [0109.280] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xdd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.280] SetLastError (dwErrCode=0x0) [0109.280] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2de0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2de0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.281] GetLastError () returned 0x0 [0109.281] GetLastError () returned 0x0 [0109.281] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.282] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3728*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.283] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x2dd, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.283] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3c2052df, dwHighDateTime=0x1d5f971)) [0109.283] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be60 [0109.283] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.283] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0109.283] GetProcessHeap () returned 0xbc0000 [0109.283] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xdd) returned 0xbd16a8 [0109.283] GetSystemDefaultLangID () returned 0xbd0409 [0109.283] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.283] ReadFile (in: hFile=0x26c, lpBuffer=0xbd16a8, nNumberOfBytesToRead=0xdd, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbd16a8*, lpNumberOfBytesRead=0x25beb1c*=0xdd, lpOverlapped=0x0) returned 1 [0109.283] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.283] WriteFile (in: hFile=0x26c, lpBuffer=0xbd16a8*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbd16a8*, lpNumberOfBytesWritten=0x25beb10*=0xdd, lpOverlapped=0x0) returned 1 [0109.283] GetProcessHeap () returned 0xbc0000 [0109.283] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbd16a8 | out: hHeap=0xbc0000) returned 1 [0109.283] CloseHandle (hObject=0x26c) returned 1 [0109.283] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2de0 | out: hHeap=0x2680000) returned 1 [0109.283] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3728 | out: hHeap=0x2680000) returned 1 [0109.283] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.284] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4118 | out: hHeap=0x2680000) returned 1 [0109.284] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0109.284] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\bullet.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\bullet.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\bullet.png.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\bullet.png.nefilim")) returned 1 [0109.285] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.285] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0109.285] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bb141, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bb141, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1687, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="default.css", cAlternateFileName="")) returned 1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2=".") returned 1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="..") returned 1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="...") returned 1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="windows") returned -1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="$RECYCLE.BIN") returned 1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="rsa") returned -1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="NTDETECT.COM") returned -1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="ntldr") returned -1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="MSDOS.SYS") returned -1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="IO.SYS") returned -1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="boot.ini") returned 1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="AUTOEXEC.BAT") returned 1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="ntuser.dat") returned -1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="desktop.ini") returned -1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="CONFIG.SYS") returned 1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="RECYCLER") returned -1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="BOOTSECT.BAK") returned 1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="bootmgr") returned 1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="programdata") returned -1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="appdata") returned 1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="program files") returned -1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="program files (x86)") returned -1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="microsoft") returned -1 [0109.285] lstrcmpiW (lpString1="default.css", lpString2="sophos") returned -1 [0109.285] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0109.285] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0109.285] PathFindExtensionW (pszPath="default.css") returned=".css" [0109.285] lstrcmpiW (lpString1=".css", lpString2=".exe") returned -1 [0109.285] lstrcmpiW (lpString1=".css", lpString2=".log") returned -1 [0109.285] lstrcmpiW (lpString1=".css", lpString2=".cab") returned 1 [0109.285] lstrcmpiW (lpString1=".css", lpString2=".cmd") returned 1 [0109.285] lstrcmpiW (lpString1=".css", lpString2=".com") returned 1 [0109.285] lstrcmpiW (lpString1=".css", lpString2=".cpl") returned 1 [0109.286] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0109.286] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0109.286] lstrcmpiW (lpString1=".css", lpString2=".url") returned -1 [0109.286] lstrcmpiW (lpString1=".css", lpString2=".ttf") returned -1 [0109.286] lstrcmpiW (lpString1=".css", lpString2=".mp3") returned -1 [0109.286] lstrcmpiW (lpString1=".css", lpString2=".pif") returned -1 [0109.286] lstrcmpiW (lpString1=".css", lpString2=".mp4") returned -1 [0109.286] lstrcmpiW (lpString1=".css", lpString2=".NEFILIM") returned -1 [0109.286] lstrcmpiW (lpString1=".css", lpString2=".msi") returned -1 [0109.286] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0109.286] lstrcmpiW (lpString1="default.css", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.286] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0109.286] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0109.286] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=5767) returned 1 [0109.286] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.286] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d41f0 [0109.286] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.286] SystemFunction036 (in: RandomBuffer=0x29d41f0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d41f0) returned 1 [0109.286] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d30f8 [0109.286] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3a40 [0109.286] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d30f8*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d30f8*, pdwDataLen=0x25beab8*=0x100) returned 1 [0109.287] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3a40*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3a40*, pdwDataLen=0x25beab4*=0x100) returned 1 [0109.287] GetTickCount () returned 0x115c715 [0109.287] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e498 [0109.287] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e498 | out: hHeap=0x2680000) returned 1 [0109.287] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1687, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.287] SetLastError (dwErrCode=0x0) [0109.287] WriteFile (in: hFile=0x26c, lpBuffer=0x29d30f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d30f8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.289] GetLastError () returned 0x0 [0109.289] GetLastError () returned 0x0 [0109.289] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1787, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.289] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3a40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.289] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1887, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.289] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3c22b498, dwHighDateTime=0x1d5f971)) [0109.289] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be60 [0109.289] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.289] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0109.289] GetProcessHeap () returned 0xbc0000 [0109.289] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1687) returned 0xbf1630 [0109.289] GetSystemDefaultLangID () returned 0xbd0409 [0109.289] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.289] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x1687, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x1687, lpOverlapped=0x0) returned 1 [0109.290] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.290] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x1687, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x1687, lpOverlapped=0x0) returned 1 [0109.290] GetProcessHeap () returned 0xbc0000 [0109.291] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0109.291] CloseHandle (hObject=0x26c) returned 1 [0109.291] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d30f8 | out: hHeap=0x2680000) returned 1 [0109.291] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3a40 | out: hHeap=0x2680000) returned 1 [0109.291] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.291] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d41f0 | out: hHeap=0x2680000) returned 1 [0109.291] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0109.291] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default.css.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.css.nefilim")) returned 1 [0109.291] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.291] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0109.291] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bc4cd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bc4cd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xf44d, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="default.htm", cAlternateFileName="")) returned 1 [0109.291] lstrcmpiW (lpString1="default.htm", lpString2=".") returned 1 [0109.291] lstrcmpiW (lpString1="default.htm", lpString2="..") returned 1 [0109.291] lstrcmpiW (lpString1="default.htm", lpString2="...") returned 1 [0109.291] lstrcmpiW (lpString1="default.htm", lpString2="windows") returned -1 [0109.291] lstrcmpiW (lpString1="default.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.291] lstrcmpiW (lpString1="default.htm", lpString2="rsa") returned -1 [0109.291] lstrcmpiW (lpString1="default.htm", lpString2="NTDETECT.COM") returned -1 [0109.291] lstrcmpiW (lpString1="default.htm", lpString2="ntldr") returned -1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="MSDOS.SYS") returned -1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="IO.SYS") returned -1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="boot.ini") returned 1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="ntuser.dat") returned -1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="desktop.ini") returned -1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="CONFIG.SYS") returned 1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="RECYCLER") returned -1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="bootmgr") returned 1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="programdata") returned -1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="appdata") returned 1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="program files") returned -1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="program files (x86)") returned -1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="microsoft") returned -1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="sophos") returned -1 [0109.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0109.292] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0109.292] PathFindExtensionW (pszPath="default.htm") returned=".htm" [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.292] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.292] lstrcmpiW (lpString1="default.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0109.293] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0109.302] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=62541) returned 1 [0109.302] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.302] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4220 [0109.302] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.302] SystemFunction036 (in: RandomBuffer=0x29d4220, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4220) returned 1 [0109.302] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ff0 [0109.302] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3410 [0109.302] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ff0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ff0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0109.302] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3410*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3410*, pdwDataLen=0x25beab4*=0x100) returned 1 [0109.302] GetTickCount () returned 0x115c715 [0109.302] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e428 [0109.302] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e428 | out: hHeap=0x2680000) returned 1 [0109.302] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf44d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.302] SetLastError (dwErrCode=0x0) [0109.302] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2ff0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.307] GetLastError () returned 0x0 [0109.307] GetLastError () returned 0x0 [0109.307] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf54d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.307] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3410*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.307] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf64d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.307] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3c251823, dwHighDateTime=0x1d5f971)) [0109.307] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be60 [0109.307] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.307] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0109.307] GetProcessHeap () returned 0xbc0000 [0109.307] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xf44d) returned 0xbf1630 [0109.308] GetSystemDefaultLangID () returned 0xbd0409 [0109.308] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.308] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xf44d, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xf44d, lpOverlapped=0x0) returned 1 [0109.313] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.313] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xf44d, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xf44d, lpOverlapped=0x0) returned 1 [0109.313] GetProcessHeap () returned 0xbc0000 [0109.313] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0109.313] CloseHandle (hObject=0x26c) returned 1 [0109.313] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ff0 | out: hHeap=0x2680000) returned 1 [0109.313] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3410 | out: hHeap=0x2680000) returned 1 [0109.313] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.313] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4220 | out: hHeap=0x2680000) returned 1 [0109.313] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0109.313] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\default.htm.nefilim")) returned 1 [0109.314] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.314] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0109.314] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bd859, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bd859, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x13e24500, ftLastWriteTime.dwHighDateTime=0x1d2ee61, nFileSizeHigh=0x0, nFileSizeLow=0x1a2c, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="default_eos.css", cAlternateFileName="DEFAUL~1.CSS")) returned 1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2=".") returned 1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="..") returned 1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="...") returned 1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="windows") returned -1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="$RECYCLE.BIN") returned 1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="rsa") returned -1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="NTDETECT.COM") returned -1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="ntldr") returned -1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="MSDOS.SYS") returned -1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="IO.SYS") returned -1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="boot.ini") returned 1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="AUTOEXEC.BAT") returned 1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="ntuser.dat") returned -1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="desktop.ini") returned -1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="CONFIG.SYS") returned 1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="RECYCLER") returned -1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="BOOTSECT.BAK") returned 1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="bootmgr") returned 1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="programdata") returned -1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="appdata") returned 1 [0109.314] lstrcmpiW (lpString1="default_eos.css", lpString2="program files") returned -1 [0109.315] lstrcmpiW (lpString1="default_eos.css", lpString2="program files (x86)") returned -1 [0109.315] lstrcmpiW (lpString1="default_eos.css", lpString2="microsoft") returned -1 [0109.315] lstrcmpiW (lpString1="default_eos.css", lpString2="sophos") returned -1 [0109.315] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0109.315] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0109.315] PathFindExtensionW (pszPath="default_eos.css") returned=".css" [0109.315] lstrcmpiW (lpString1=".css", lpString2=".exe") returned -1 [0109.315] lstrcmpiW (lpString1=".css", lpString2=".log") returned -1 [0109.315] lstrcmpiW (lpString1=".css", lpString2=".cab") returned 1 [0109.315] lstrcmpiW (lpString1=".css", lpString2=".cmd") returned 1 [0109.315] lstrcmpiW (lpString1=".css", lpString2=".com") returned 1 [0109.315] lstrcmpiW (lpString1=".css", lpString2=".cpl") returned 1 [0109.315] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0109.315] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0109.315] lstrcmpiW (lpString1=".css", lpString2=".url") returned -1 [0109.315] lstrcmpiW (lpString1=".css", lpString2=".ttf") returned -1 [0109.315] lstrcmpiW (lpString1=".css", lpString2=".mp3") returned -1 [0109.315] lstrcmpiW (lpString1=".css", lpString2=".pif") returned -1 [0109.315] lstrcmpiW (lpString1=".css", lpString2=".mp4") returned -1 [0109.315] lstrcmpiW (lpString1=".css", lpString2=".NEFILIM") returned -1 [0109.315] lstrcmpiW (lpString1=".css", lpString2=".msi") returned -1 [0109.315] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0109.315] lstrcmpiW (lpString1="default_eos.css", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.315] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0109.315] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0109.316] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=6700) returned 1 [0109.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4358 [0109.316] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.316] SystemFunction036 (in: RandomBuffer=0x29d4358, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4358) returned 1 [0109.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0109.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3a40 [0109.316] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25beab8*=0x100) returned 1 [0109.316] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3a40*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3a40*, pdwDataLen=0x25beab4*=0x100) returned 1 [0109.317] GetTickCount () returned 0x115c725 [0109.317] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e380 [0109.317] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0109.317] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1a2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.317] SetLastError (dwErrCode=0x0) [0109.317] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.319] GetLastError () returned 0x0 [0109.319] GetLastError () returned 0x0 [0109.319] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1b2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.319] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3a40*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.319] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1c2c, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.319] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3c2778b8, dwHighDateTime=0x1d5f971)) [0109.319] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be08 [0109.319] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0109.319] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0109.319] GetProcessHeap () returned 0xbc0000 [0109.319] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1a2c) returned 0xbf1630 [0109.319] GetSystemDefaultLangID () returned 0xbd0409 [0109.319] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.319] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x1a2c, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x1a2c, lpOverlapped=0x0) returned 1 [0109.387] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.387] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x1a2c, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x1a2c, lpOverlapped=0x0) returned 1 [0109.387] GetProcessHeap () returned 0xbc0000 [0109.388] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0109.388] CloseHandle (hObject=0x26c) returned 1 [0109.388] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0109.388] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3a40 | out: hHeap=0x2680000) returned 1 [0109.388] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.388] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4358 | out: hHeap=0x2680000) returned 1 [0109.388] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e6f0 [0109.388] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.css.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.css.nefilim")) returned 1 [0109.388] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.388] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0109.388] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3bff6c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3bff6c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea75e900, ftLastWriteTime.dwHighDateTime=0x1d2ee61, nFileSizeHigh=0x0, nFileSizeLow=0xda3a, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="default_eos.htm", cAlternateFileName="DEFAUL~1.HTM")) returned 1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2=".") returned 1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="..") returned 1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="...") returned 1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="windows") returned -1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="rsa") returned -1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="NTDETECT.COM") returned -1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="ntldr") returned -1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="MSDOS.SYS") returned -1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="IO.SYS") returned -1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="boot.ini") returned 1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="ntuser.dat") returned -1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="desktop.ini") returned -1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="CONFIG.SYS") returned 1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="RECYCLER") returned -1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="bootmgr") returned 1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="programdata") returned -1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="appdata") returned 1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="program files") returned -1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="program files (x86)") returned -1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="microsoft") returned -1 [0109.389] lstrcmpiW (lpString1="default_eos.htm", lpString2="sophos") returned -1 [0109.389] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0109.389] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0109.389] PathFindExtensionW (pszPath="default_eos.htm") returned=".htm" [0109.389] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.389] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.389] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.389] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.389] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.389] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.389] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.389] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.389] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.389] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.390] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.390] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.390] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.390] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.390] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.390] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.390] lstrcmpiW (lpString1="default_eos.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.390] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0109.390] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0109.390] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=55866) returned 1 [0109.390] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.390] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4430 [0109.390] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.390] SystemFunction036 (in: RandomBuffer=0x29d4430, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4430) returned 1 [0109.390] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2390 [0109.390] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3620 [0109.390] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2390*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2390*, pdwDataLen=0x25beab8*=0x100) returned 1 [0109.391] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3620*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3620*, pdwDataLen=0x25beab4*=0x100) returned 1 [0109.391] GetTickCount () returned 0x115c773 [0109.391] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e310 [0109.391] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e310 | out: hHeap=0x2680000) returned 1 [0109.391] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xda3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.391] SetLastError (dwErrCode=0x0) [0109.391] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2390*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2390*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.393] GetLastError () returned 0x0 [0109.393] GetLastError () returned 0x0 [0109.393] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xdb3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.393] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3620*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.393] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xdc3a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.393] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3c310304, dwHighDateTime=0x1d5f971)) [0109.393] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0109.393] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0109.393] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0109.393] GetProcessHeap () returned 0xbc0000 [0109.393] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xda3a) returned 0xbf1630 [0109.393] GetSystemDefaultLangID () returned 0xbd0409 [0109.393] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.393] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xda3a, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xda3a, lpOverlapped=0x0) returned 1 [0109.396] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.397] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xda3a, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xda3a, lpOverlapped=0x0) returned 1 [0109.397] GetProcessHeap () returned 0xbc0000 [0109.397] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0109.397] CloseHandle (hObject=0x26c) returned 1 [0109.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2390 | out: hHeap=0x2680000) returned 1 [0109.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3620 | out: hHeap=0x2680000) returned 1 [0109.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.397] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4430 | out: hHeap=0x2680000) returned 1 [0109.397] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e6f0 [0109.397] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_eos.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_eos.htm.nefilim")) returned 1 [0109.398] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.398] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0109.398] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c12fc, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c12fc, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1468, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="default_oobe.css", cAlternateFileName="DEFAUL~2.CSS")) returned 1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2=".") returned 1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="..") returned 1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="...") returned 1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="windows") returned -1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="$RECYCLE.BIN") returned 1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="rsa") returned -1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="NTDETECT.COM") returned -1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="ntldr") returned -1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="MSDOS.SYS") returned -1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="IO.SYS") returned -1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="boot.ini") returned 1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="AUTOEXEC.BAT") returned 1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="ntuser.dat") returned -1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="desktop.ini") returned -1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="CONFIG.SYS") returned 1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="RECYCLER") returned -1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="BOOTSECT.BAK") returned 1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="bootmgr") returned 1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="programdata") returned -1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="appdata") returned 1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="program files") returned -1 [0109.398] lstrcmpiW (lpString1="default_oobe.css", lpString2="program files (x86)") returned -1 [0109.399] lstrcmpiW (lpString1="default_oobe.css", lpString2="microsoft") returned -1 [0109.399] lstrcmpiW (lpString1="default_oobe.css", lpString2="sophos") returned -1 [0109.399] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0109.399] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0109.399] PathFindExtensionW (pszPath="default_oobe.css") returned=".css" [0109.399] lstrcmpiW (lpString1=".css", lpString2=".exe") returned -1 [0109.399] lstrcmpiW (lpString1=".css", lpString2=".log") returned -1 [0109.399] lstrcmpiW (lpString1=".css", lpString2=".cab") returned 1 [0109.399] lstrcmpiW (lpString1=".css", lpString2=".cmd") returned 1 [0109.399] lstrcmpiW (lpString1=".css", lpString2=".com") returned 1 [0109.399] lstrcmpiW (lpString1=".css", lpString2=".cpl") returned 1 [0109.399] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0109.399] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0109.399] lstrcmpiW (lpString1=".css", lpString2=".url") returned -1 [0109.399] lstrcmpiW (lpString1=".css", lpString2=".ttf") returned -1 [0109.399] lstrcmpiW (lpString1=".css", lpString2=".mp3") returned -1 [0109.399] lstrcmpiW (lpString1=".css", lpString2=".pif") returned -1 [0109.399] lstrcmpiW (lpString1=".css", lpString2=".mp4") returned -1 [0109.399] lstrcmpiW (lpString1=".css", lpString2=".NEFILIM") returned -1 [0109.399] lstrcmpiW (lpString1=".css", lpString2=".msi") returned -1 [0109.399] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0109.399] lstrcmpiW (lpString1="default_oobe.css", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.399] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0109.399] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0109.399] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=5224) returned 1 [0109.400] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.400] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d42b0 [0109.400] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.400] SystemFunction036 (in: RandomBuffer=0x29d42b0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d42b0) returned 1 [0109.400] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2cd8 [0109.400] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3410 [0109.400] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2cd8*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2cd8*, pdwDataLen=0x25beab8*=0x100) returned 1 [0109.400] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3410*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3410*, pdwDataLen=0x25beab4*=0x100) returned 1 [0109.401] GetTickCount () returned 0x115c782 [0109.401] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e508 [0109.401] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e508 | out: hHeap=0x2680000) returned 1 [0109.401] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1468, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.401] SetLastError (dwErrCode=0x0) [0109.402] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2cd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2cd8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.404] GetLastError () returned 0x0 [0109.404] GetLastError () returned 0x0 [0109.404] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1568, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.404] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3410*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.404] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1668, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.404] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3c3365c3, dwHighDateTime=0x1d5f971)) [0109.404] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0109.404] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0109.404] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0109.404] GetProcessHeap () returned 0xbc0000 [0109.404] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1468) returned 0xbf1630 [0109.405] GetSystemDefaultLangID () returned 0xbd0409 [0109.405] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.405] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x1468, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x1468, lpOverlapped=0x0) returned 1 [0109.406] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.406] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x1468, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x1468, lpOverlapped=0x0) returned 1 [0109.406] GetProcessHeap () returned 0xbc0000 [0109.406] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0109.407] CloseHandle (hObject=0x26c) returned 1 [0109.407] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2cd8 | out: hHeap=0x2680000) returned 1 [0109.407] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3410 | out: hHeap=0x2680000) returned 1 [0109.407] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.407] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d42b0 | out: hHeap=0x2680000) returned 1 [0109.407] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e6f0 [0109.407] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.css.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.css.nefilim")) returned 1 [0109.407] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.407] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0109.407] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c2685, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c2685, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x7f589b00, ftLastWriteTime.dwHighDateTime=0x1d2ea8c, nFileSizeHigh=0x0, nFileSizeLow=0x100ae, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="default_oobe.htm", cAlternateFileName="DEFAUL~2.HTM")) returned 1 [0109.407] lstrcmpiW (lpString1="default_oobe.htm", lpString2=".") returned 1 [0109.407] lstrcmpiW (lpString1="default_oobe.htm", lpString2="..") returned 1 [0109.407] lstrcmpiW (lpString1="default_oobe.htm", lpString2="...") returned 1 [0109.407] lstrcmpiW (lpString1="default_oobe.htm", lpString2="windows") returned -1 [0109.407] lstrcmpiW (lpString1="default_oobe.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.407] lstrcmpiW (lpString1="default_oobe.htm", lpString2="rsa") returned -1 [0109.407] lstrcmpiW (lpString1="default_oobe.htm", lpString2="NTDETECT.COM") returned -1 [0109.407] lstrcmpiW (lpString1="default_oobe.htm", lpString2="ntldr") returned -1 [0109.407] lstrcmpiW (lpString1="default_oobe.htm", lpString2="MSDOS.SYS") returned -1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="IO.SYS") returned -1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="boot.ini") returned 1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="ntuser.dat") returned -1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="desktop.ini") returned -1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="CONFIG.SYS") returned 1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="RECYCLER") returned -1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="bootmgr") returned 1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="programdata") returned -1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="appdata") returned 1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="program files") returned -1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="program files (x86)") returned -1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="microsoft") returned -1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="sophos") returned -1 [0109.408] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0109.408] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0109.408] PathFindExtensionW (pszPath="default_oobe.htm") returned=".htm" [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.408] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.408] lstrcmpiW (lpString1="default_oobe.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.408] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0109.408] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0109.409] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=65710) returned 1 [0109.409] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.409] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4178 [0109.409] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.409] SystemFunction036 (in: RandomBuffer=0x29d4178, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4178) returned 1 [0109.409] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3728 [0109.409] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2180 [0109.409] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3728*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d3728*, pdwDataLen=0x25beab8*=0x100) returned 1 [0109.409] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2180*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d2180*, pdwDataLen=0x25beab4*=0x100) returned 1 [0109.410] GetTickCount () returned 0x115c782 [0109.410] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e508 [0109.410] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e508 | out: hHeap=0x2680000) returned 1 [0109.410] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x100ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.410] SetLastError (dwErrCode=0x0) [0109.410] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3728*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.411] GetLastError () returned 0x0 [0109.411] GetLastError () returned 0x0 [0109.411] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x101ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.411] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2180*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2180*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0109.411] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x102ae, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.412] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3c3365c3, dwHighDateTime=0x1d5f971)) [0109.412] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0109.412] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0109.412] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0109.412] GetProcessHeap () returned 0xbc0000 [0109.412] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x100ae) returned 0xbf1630 [0109.412] GetSystemDefaultLangID () returned 0xbd0409 [0109.412] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.412] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x100ae, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x100ae, lpOverlapped=0x0) returned 1 [0109.416] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.416] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x100ae, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x100ae, lpOverlapped=0x0) returned 1 [0109.416] GetProcessHeap () returned 0xbc0000 [0109.416] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0109.418] CloseHandle (hObject=0x26c) returned 1 [0109.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3728 | out: hHeap=0x2680000) returned 1 [0109.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2180 | out: hHeap=0x2680000) returned 1 [0109.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4178 | out: hHeap=0x2680000) returned 1 [0109.418] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e6f0 [0109.418] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\default_oobe.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\default_oobe.htm.nefilim")) returned 1 [0109.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.418] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0109.418] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3c4d9e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea5f6eb5, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="EULA", cAlternateFileName="")) returned 1 [0109.418] lstrcmpiW (lpString1="EULA", lpString2=".") returned 1 [0109.418] lstrcmpiW (lpString1="EULA", lpString2="..") returned 1 [0109.418] lstrcmpiW (lpString1="EULA", lpString2="...") returned 1 [0109.418] lstrcmpiW (lpString1="EULA", lpString2="windows") returned -1 [0109.418] lstrcmpiW (lpString1="EULA", lpString2="$RECYCLE.BIN") returned 1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="rsa") returned -1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="NTDETECT.COM") returned -1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="ntldr") returned -1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="MSDOS.SYS") returned -1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="IO.SYS") returned -1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="boot.ini") returned 1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="AUTOEXEC.BAT") returned 1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="ntuser.dat") returned -1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="desktop.ini") returned 1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="CONFIG.SYS") returned 1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="RECYCLER") returned -1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="BOOTSECT.BAK") returned 1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="bootmgr") returned 1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="programdata") returned -1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="appdata") returned 1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="program files") returned -1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="program files (x86)") returned -1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="microsoft") returned -1 [0109.419] lstrcmpiW (lpString1="EULA", lpString2="sophos") returned -1 [0109.419] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268be08 [0109.419] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0109.419] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268bd90 [0109.419] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x268be60 [0109.419] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e6f0 [0109.419] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3c4d9e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea5f6eb5, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName=".", cAlternateFileName="")) returned 0xbe2748 [0109.421] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0109.421] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3c4d9e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea5f6eb5, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="..", cAlternateFileName="")) returned 1 [0109.495] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0109.495] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0109.495] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c6124, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c6124, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1af6d, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_ar-sa.htm", cAlternateFileName="EULA_A~1.HTM")) returned 1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2=".") returned 1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="..") returned 1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="...") returned 1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="windows") returned -1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="rsa") returned -1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="NTDETECT.COM") returned -1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="ntldr") returned -1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="MSDOS.SYS") returned -1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="IO.SYS") returned -1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="boot.ini") returned 1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="ntuser.dat") returned -1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="desktop.ini") returned 1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="CONFIG.SYS") returned 1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="RECYCLER") returned -1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="bootmgr") returned 1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="programdata") returned -1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="appdata") returned 1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="program files") returned -1 [0109.495] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="program files (x86)") returned -1 [0109.496] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="microsoft") returned -1 [0109.496] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="sophos") returned -1 [0109.496] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e758 [0109.496] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.496] PathFindExtensionW (pszPath="EULA_ar-sa.htm") returned=".htm" [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.496] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.496] lstrcmpiW (lpString1="EULA_ar-sa.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.496] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268ec08 [0109.496] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ar-sa.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ar-sa.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0109.497] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=110445) returned 1 [0109.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4310 [0109.497] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.497] SystemFunction036 (in: RandomBuffer=0x29d4310, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4310) returned 1 [0109.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2390 [0109.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3b48 [0109.497] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2390*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2390*, pdwDataLen=0x25be798*=0x100) returned 1 [0109.498] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3b48*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3b48*, pdwDataLen=0x25be794*=0x100) returned 1 [0109.498] GetTickCount () returned 0x115c7e0 [0109.498] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e690 [0109.498] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0109.498] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1af6d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.498] SetLastError (dwErrCode=0x0) [0109.498] WriteFile (in: hFile=0x270, lpBuffer=0x29d2390*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2390*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.500] GetLastError () returned 0x0 [0109.500] GetLastError () returned 0x0 [0109.500] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1b06d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.500] WriteFile (in: hFile=0x270, lpBuffer=0x29d3b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3b48*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.500] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1b16d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.500] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3c41b3e7, dwHighDateTime=0x1d5f971)) [0109.500] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e6f0 [0109.500] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.500] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0109.500] GetProcessHeap () returned 0xbc0000 [0109.500] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1af6d) returned 0xbf2638 [0109.500] GetSystemDefaultLangID () returned 0xbd0409 [0109.500] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.500] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1af6d, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x1af6d, lpOverlapped=0x0) returned 1 [0109.508] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.508] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1af6d, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x1af6d, lpOverlapped=0x0) returned 1 [0109.508] GetProcessHeap () returned 0xbc0000 [0109.508] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0109.508] CloseHandle (hObject=0x270) returned 1 [0109.508] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2390 | out: hHeap=0x2680000) returned 1 [0109.508] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3b48 | out: hHeap=0x2680000) returned 1 [0109.508] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.508] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4310 | out: hHeap=0x2680000) returned 1 [0109.509] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec80 [0109.509] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ar-sa.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ar-sa.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ar-sa.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ar-sa.htm.nefilim")) returned 1 [0109.509] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec80 | out: hHeap=0x2680000) returned 1 [0109.509] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.509] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c74ab, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c74ab, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x3de0d, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_bg-bg.htm", cAlternateFileName="EULA_B~1.HTM")) returned 1 [0109.509] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2=".") returned 1 [0109.509] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="..") returned 1 [0109.509] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="...") returned 1 [0109.509] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="windows") returned -1 [0109.509] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.509] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="rsa") returned -1 [0109.509] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="NTDETECT.COM") returned -1 [0109.509] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="ntldr") returned -1 [0109.509] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="MSDOS.SYS") returned -1 [0109.509] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="IO.SYS") returned -1 [0109.509] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="boot.ini") returned 1 [0109.509] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.509] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="ntuser.dat") returned -1 [0109.510] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="desktop.ini") returned 1 [0109.510] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="CONFIG.SYS") returned 1 [0109.510] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="RECYCLER") returned -1 [0109.510] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.510] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="bootmgr") returned 1 [0109.510] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="programdata") returned -1 [0109.510] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="appdata") returned 1 [0109.510] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="program files") returned -1 [0109.510] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="program files (x86)") returned -1 [0109.510] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="microsoft") returned -1 [0109.510] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="sophos") returned -1 [0109.510] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268ec08 [0109.510] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0109.510] PathFindExtensionW (pszPath="EULA_bg-bg.htm") returned=".htm" [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.510] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.510] lstrcmpiW (lpString1="EULA_bg-bg.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.510] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0109.510] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_bg-bg.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_bg-bg.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0109.511] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=253453) returned 1 [0109.511] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.511] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4388 [0109.511] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.511] SystemFunction036 (in: RandomBuffer=0x29d4388, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4388) returned 1 [0109.511] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2288 [0109.511] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3518 [0109.511] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2288*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2288*, pdwDataLen=0x25be798*=0x100) returned 1 [0109.513] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3518*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3518*, pdwDataLen=0x25be794*=0x100) returned 1 [0109.514] GetTickCount () returned 0x115c7f0 [0109.514] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e690 [0109.514] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0109.514] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3de0d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.514] SetLastError (dwErrCode=0x0) [0109.514] WriteFile (in: hFile=0x270, lpBuffer=0x29d2288*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2288*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.516] GetLastError () returned 0x0 [0109.516] GetLastError () returned 0x0 [0109.516] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3df0d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.516] WriteFile (in: hFile=0x270, lpBuffer=0x29d3518*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3518*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.516] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3e00d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.516] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3c441511, dwHighDateTime=0x1d5f971)) [0109.516] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e768 [0109.516] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0109.516] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0109.516] GetProcessHeap () returned 0xbc0000 [0109.516] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3de0d) returned 0xbf2638 [0109.516] GetSystemDefaultLangID () returned 0xbd0409 [0109.516] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.516] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3de0d, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3de0d, lpOverlapped=0x0) returned 1 [0109.534] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.534] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3de0d, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3de0d, lpOverlapped=0x0) returned 1 [0109.535] GetProcessHeap () returned 0xbc0000 [0109.535] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0109.535] CloseHandle (hObject=0x270) returned 1 [0109.535] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2288 | out: hHeap=0x2680000) returned 1 [0109.535] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3518 | out: hHeap=0x2680000) returned 1 [0109.535] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.535] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4388 | out: hHeap=0x2680000) returned 1 [0109.535] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e768 [0109.535] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_bg-bg.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_bg-bg.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_bg-bg.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_bg-bg.htm.nefilim")) returned 1 [0109.536] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0109.536] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.536] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3c882e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3c882e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x14573, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_cs-cz.htm", cAlternateFileName="EULA_C~1.HTM")) returned 1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2=".") returned 1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="..") returned 1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="...") returned 1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="windows") returned -1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="rsa") returned -1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="NTDETECT.COM") returned -1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="ntldr") returned -1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="MSDOS.SYS") returned -1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="IO.SYS") returned -1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="boot.ini") returned 1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="ntuser.dat") returned -1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="desktop.ini") returned 1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="CONFIG.SYS") returned 1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="RECYCLER") returned -1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="bootmgr") returned 1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="programdata") returned -1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="appdata") returned 1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="program files") returned -1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="program files (x86)") returned -1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="microsoft") returned -1 [0109.536] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="sophos") returned -1 [0109.537] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0109.537] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.537] PathFindExtensionW (pszPath="EULA_cs-cz.htm") returned=".htm" [0109.537] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.537] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.537] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.537] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.537] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.537] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.537] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.537] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.537] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.537] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.589] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.589] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.589] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.589] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.589] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.589] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.589] lstrcmpiW (lpString1="EULA_cs-cz.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.589] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0109.589] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_cs-cz.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_cs-cz.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0109.589] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=83315) returned 1 [0109.589] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.589] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d42e0 [0109.589] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.589] SystemFunction036 (in: RandomBuffer=0x29d42e0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d42e0) returned 1 [0109.589] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0109.590] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2390 [0109.590] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25be798*=0x100) returned 1 [0109.590] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2390*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2390*, pdwDataLen=0x25be794*=0x100) returned 1 [0109.592] GetTickCount () returned 0x115c83e [0109.592] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e380 [0109.592] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e380 | out: hHeap=0x2680000) returned 1 [0109.592] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14573, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.592] SetLastError (dwErrCode=0x0) [0109.592] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.594] GetLastError () returned 0x0 [0109.594] GetLastError () returned 0x0 [0109.594] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14673, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.594] WriteFile (in: hFile=0x270, lpBuffer=0x29d2390*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2390*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.594] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14773, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.594] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3c5000d0, dwHighDateTime=0x1d5f971)) [0109.594] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0109.594] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.594] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0109.594] GetProcessHeap () returned 0xbc0000 [0109.594] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x14573) returned 0xbf2638 [0109.595] GetSystemDefaultLangID () returned 0xbd0409 [0109.595] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.595] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x14573, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x14573, lpOverlapped=0x0) returned 1 [0109.621] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.621] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x14573, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x14573, lpOverlapped=0x0) returned 1 [0109.621] GetProcessHeap () returned 0xbc0000 [0109.621] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0109.622] CloseHandle (hObject=0x270) returned 1 [0109.622] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0109.622] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2390 | out: hHeap=0x2680000) returned 1 [0109.622] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.622] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d42e0 | out: hHeap=0x2680000) returned 1 [0109.622] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0109.622] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_cs-cz.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_cs-cz.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_cs-cz.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_cs-cz.htm.nefilim")) returned 1 [0109.622] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.622] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0109.622] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3caf18, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3caf18, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xfe95, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_da-dk.htm", cAlternateFileName="EULA_D~1.HTM")) returned 1 [0109.622] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2=".") returned 1 [0109.622] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="..") returned 1 [0109.622] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="...") returned 1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="windows") returned -1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="rsa") returned -1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="NTDETECT.COM") returned -1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="ntldr") returned -1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="MSDOS.SYS") returned -1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="IO.SYS") returned -1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="boot.ini") returned 1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="ntuser.dat") returned -1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="desktop.ini") returned 1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="CONFIG.SYS") returned 1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="RECYCLER") returned -1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="bootmgr") returned 1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="programdata") returned -1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="appdata") returned 1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="program files") returned -1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="program files (x86)") returned -1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="microsoft") returned -1 [0109.623] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="sophos") returned -1 [0109.623] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0109.623] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.623] PathFindExtensionW (pszPath="EULA_da-dk.htm") returned=".htm" [0109.623] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.623] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.623] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.623] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.623] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.623] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.623] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.623] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.623] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.623] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.623] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.623] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.624] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.624] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.624] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.624] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.624] lstrcmpiW (lpString1="EULA_da-dk.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.624] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0109.624] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_da-dk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_da-dk.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0109.625] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=65173) returned 1 [0109.625] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.625] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4418 [0109.625] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.625] SystemFunction036 (in: RandomBuffer=0x29d4418, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4418) returned 1 [0109.625] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3d58 [0109.625] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3c50 [0109.625] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3d58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3d58*, pdwDataLen=0x25be798*=0x100) returned 1 [0109.626] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3c50*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3c50*, pdwDataLen=0x25be794*=0x100) returned 1 [0109.628] GetTickCount () returned 0x115c85d [0109.628] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e690 [0109.628] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0109.628] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xfe95, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.628] SetLastError (dwErrCode=0x0) [0109.628] WriteFile (in: hFile=0x270, lpBuffer=0x29d3d58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3d58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.640] GetLastError () returned 0x0 [0109.640] GetLastError () returned 0x0 [0109.640] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xff95, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.640] WriteFile (in: hFile=0x270, lpBuffer=0x29d3c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3c50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.640] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10095, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.640] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3c57282b, dwHighDateTime=0x1d5f971)) [0109.640] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0109.640] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.640] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0109.640] GetProcessHeap () returned 0xbc0000 [0109.640] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xfe95) returned 0xbf2638 [0109.640] GetSystemDefaultLangID () returned 0xbd0409 [0109.640] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.641] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xfe95, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xfe95, lpOverlapped=0x0) returned 1 [0109.645] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.645] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xfe95, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xfe95, lpOverlapped=0x0) returned 1 [0109.645] GetProcessHeap () returned 0xbc0000 [0109.645] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0109.645] CloseHandle (hObject=0x270) returned 1 [0109.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3d58 | out: hHeap=0x2680000) returned 1 [0109.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3c50 | out: hHeap=0x2680000) returned 1 [0109.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4418 | out: hHeap=0x2680000) returned 1 [0109.645] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0109.645] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_da-dk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_da-dk.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_da-dk.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_da-dk.htm.nefilim")) returned 1 [0109.646] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.646] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.646] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3d10e9, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3d10e9, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1133d, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_de-de.htm", cAlternateFileName="EULA_D~2.HTM")) returned 1 [0109.646] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2=".") returned 1 [0109.646] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="..") returned 1 [0109.646] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="...") returned 1 [0109.646] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="windows") returned -1 [0109.646] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.646] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="rsa") returned -1 [0109.646] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="NTDETECT.COM") returned -1 [0109.646] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="ntldr") returned -1 [0109.646] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="MSDOS.SYS") returned -1 [0109.689] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="IO.SYS") returned -1 [0109.689] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="boot.ini") returned 1 [0109.689] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.689] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="ntuser.dat") returned -1 [0109.689] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="desktop.ini") returned 1 [0109.689] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="CONFIG.SYS") returned 1 [0109.689] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="RECYCLER") returned -1 [0109.689] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.690] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="bootmgr") returned 1 [0109.690] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="programdata") returned -1 [0109.690] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="appdata") returned 1 [0109.690] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="program files") returned -1 [0109.690] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="program files (x86)") returned -1 [0109.690] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="microsoft") returned -1 [0109.690] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="sophos") returned -1 [0109.690] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0109.690] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0109.690] PathFindExtensionW (pszPath="EULA_de-de.htm") returned=".htm" [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.690] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.690] lstrcmpiW (lpString1="EULA_de-de.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.690] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0109.690] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_de-de.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_de-de.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0109.691] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=70461) returned 1 [0109.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d42c8 [0109.691] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.691] SystemFunction036 (in: RandomBuffer=0x29d42c8, RandomBufferLength=0x10 | out: RandomBuffer=0x29d42c8) returned 1 [0109.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3a40 [0109.691] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0109.691] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3a40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3a40*, pdwDataLen=0x25be798*=0x100) returned 1 [0109.691] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25be794*=0x100) returned 1 [0109.692] GetTickCount () returned 0x115c89c [0109.692] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e310 [0109.692] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e310 | out: hHeap=0x2680000) returned 1 [0109.692] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1133d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.692] SetLastError (dwErrCode=0x0) [0109.692] WriteFile (in: hFile=0x270, lpBuffer=0x29d3a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3a40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.693] GetLastError () returned 0x0 [0109.694] GetLastError () returned 0x0 [0109.694] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1143d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.694] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.694] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1153d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.694] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3c60b0b2, dwHighDateTime=0x1d5f971)) [0109.694] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0109.694] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.694] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0109.694] GetProcessHeap () returned 0xbc0000 [0109.694] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1133d) returned 0xbf2638 [0109.694] GetSystemDefaultLangID () returned 0xbd0409 [0109.694] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.694] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1133d, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x1133d, lpOverlapped=0x0) returned 1 [0109.700] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.700] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1133d, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x1133d, lpOverlapped=0x0) returned 1 [0109.700] GetProcessHeap () returned 0xbc0000 [0109.700] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0109.700] CloseHandle (hObject=0x270) returned 1 [0109.700] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3a40 | out: hHeap=0x2680000) returned 1 [0109.700] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0109.700] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.700] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d42c8 | out: hHeap=0x2680000) returned 1 [0109.700] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0109.700] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_de-de.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_de-de.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_de-de.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_de-de.htm.nefilim")) returned 1 [0109.701] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.701] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0109.701] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3d2466, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3d2466, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x3a756, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_el-gr.htm", cAlternateFileName="EULA_E~1.HTM")) returned 1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2=".") returned 1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="..") returned 1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="...") returned 1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="windows") returned -1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="rsa") returned -1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="NTDETECT.COM") returned -1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="ntldr") returned -1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="MSDOS.SYS") returned -1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="IO.SYS") returned -1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="boot.ini") returned 1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="ntuser.dat") returned -1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="desktop.ini") returned 1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="CONFIG.SYS") returned 1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="RECYCLER") returned -1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="bootmgr") returned 1 [0109.701] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="programdata") returned -1 [0109.702] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="appdata") returned 1 [0109.702] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="program files") returned -1 [0109.702] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="program files (x86)") returned -1 [0109.702] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="microsoft") returned -1 [0109.702] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="sophos") returned -1 [0109.702] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0109.702] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.702] PathFindExtensionW (pszPath="EULA_el-gr.htm") returned=".htm" [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.702] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.702] lstrcmpiW (lpString1="EULA_el-gr.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.702] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0109.702] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_el-gr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_el-gr.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0109.703] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=239446) returned 1 [0109.703] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.703] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4130 [0109.703] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.703] SystemFunction036 (in: RandomBuffer=0x29d4130, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4130) returned 1 [0109.703] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3e60 [0109.703] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0109.703] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3e60*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3e60*, pdwDataLen=0x25be798*=0x100) returned 1 [0109.703] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25be794*=0x100) returned 1 [0109.703] GetTickCount () returned 0x115c8ab [0109.703] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e508 [0109.703] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e508 | out: hHeap=0x2680000) returned 1 [0109.703] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3a756, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.703] SetLastError (dwErrCode=0x0) [0109.703] WriteFile (in: hFile=0x270, lpBuffer=0x29d3e60*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3e60*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.754] GetLastError () returned 0x0 [0109.754] GetLastError () returned 0x0 [0109.754] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3a856, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.754] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.754] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3a956, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.754] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3c67d843, dwHighDateTime=0x1d5f971)) [0109.754] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0109.754] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.754] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0109.754] GetProcessHeap () returned 0xbc0000 [0109.754] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3a756) returned 0xbf2638 [0109.754] GetSystemDefaultLangID () returned 0xbd0409 [0109.754] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.755] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3a756, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3a756, lpOverlapped=0x0) returned 1 [0109.769] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.769] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3a756, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3a756, lpOverlapped=0x0) returned 1 [0109.769] GetProcessHeap () returned 0xbc0000 [0109.769] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0109.770] CloseHandle (hObject=0x270) returned 1 [0109.770] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3e60 | out: hHeap=0x2680000) returned 1 [0109.770] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0109.770] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.770] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4130 | out: hHeap=0x2680000) returned 1 [0109.770] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0109.770] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_el-gr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_el-gr.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_el-gr.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_el-gr.htm.nefilim")) returned 1 [0109.770] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.770] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.770] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3d5f05, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3d5f05, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xe4b5, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_en-gb.htm", cAlternateFileName="EULA_E~2.HTM")) returned 1 [0109.770] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2=".") returned 1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="..") returned 1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="...") returned 1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="windows") returned -1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="rsa") returned -1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="NTDETECT.COM") returned -1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="ntldr") returned -1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="MSDOS.SYS") returned -1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="IO.SYS") returned -1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="boot.ini") returned 1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="ntuser.dat") returned -1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="desktop.ini") returned 1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="CONFIG.SYS") returned 1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="RECYCLER") returned -1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="bootmgr") returned 1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="programdata") returned -1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="appdata") returned 1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="program files") returned -1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="program files (x86)") returned -1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="microsoft") returned -1 [0109.771] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="sophos") returned -1 [0109.771] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0109.771] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0109.771] PathFindExtensionW (pszPath="EULA_en-gb.htm") returned=".htm" [0109.771] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.774] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.774] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.774] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.774] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.774] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.774] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.774] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.774] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.774] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.774] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.774] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.774] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.774] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.774] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.774] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.774] lstrcmpiW (lpString1="EULA_en-gb.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.774] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0109.774] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-gb.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-gb.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0109.775] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=58549) returned 1 [0109.775] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.775] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4448 [0109.775] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.775] SystemFunction036 (in: RandomBuffer=0x29d4448, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4448) returned 1 [0109.775] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d27b0 [0109.775] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2498 [0109.775] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d27b0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d27b0*, pdwDataLen=0x25be798*=0x100) returned 1 [0109.777] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2498*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2498*, pdwDataLen=0x25be794*=0x100) returned 1 [0109.778] GetTickCount () returned 0x115c8f9 [0109.778] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e8 [0109.778] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e8 | out: hHeap=0x2680000) returned 1 [0109.778] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xe4b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.778] SetLastError (dwErrCode=0x0) [0109.778] WriteFile (in: hFile=0x270, lpBuffer=0x29d27b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d27b0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.780] GetLastError () returned 0x0 [0109.780] GetLastError () returned 0x0 [0109.780] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xe5b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.780] WriteFile (in: hFile=0x270, lpBuffer=0x29d2498*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2498*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.780] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xe6b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.780] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3c6c9e11, dwHighDateTime=0x1d5f971)) [0109.780] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0109.781] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.781] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0109.781] GetProcessHeap () returned 0xbc0000 [0109.781] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xe4b5) returned 0xbf2638 [0109.781] GetSystemDefaultLangID () returned 0xbd0409 [0109.781] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.781] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xe4b5, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xe4b5, lpOverlapped=0x0) returned 1 [0109.785] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.785] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xe4b5, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xe4b5, lpOverlapped=0x0) returned 1 [0109.785] GetProcessHeap () returned 0xbc0000 [0109.785] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0109.785] CloseHandle (hObject=0x270) returned 1 [0109.785] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d27b0 | out: hHeap=0x2680000) returned 1 [0109.785] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2498 | out: hHeap=0x2680000) returned 1 [0109.785] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.785] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4448 | out: hHeap=0x2680000) returned 1 [0109.785] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0109.785] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-gb.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-gb.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-gb.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-gb.htm.nefilim")) returned 1 [0109.786] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.786] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0109.786] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3d997f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3d997f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xe4b5, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_en-us.htm", cAlternateFileName="EULA_E~3.HTM")) returned 1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2=".") returned 1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="..") returned 1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="...") returned 1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="windows") returned -1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="rsa") returned -1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="NTDETECT.COM") returned -1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="ntldr") returned -1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="MSDOS.SYS") returned -1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="IO.SYS") returned -1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="boot.ini") returned 1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="ntuser.dat") returned -1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="desktop.ini") returned 1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="CONFIG.SYS") returned 1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="RECYCLER") returned -1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="bootmgr") returned 1 [0109.786] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="programdata") returned -1 [0109.787] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="appdata") returned 1 [0109.787] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="program files") returned -1 [0109.787] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="program files (x86)") returned -1 [0109.787] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="microsoft") returned -1 [0109.787] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="sophos") returned -1 [0109.787] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0109.787] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.787] PathFindExtensionW (pszPath="EULA_en-us.htm") returned=".htm" [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.787] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.787] lstrcmpiW (lpString1="EULA_en-us.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.787] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0109.787] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-us.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-us.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0109.788] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=58549) returned 1 [0109.788] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.789] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d41a8 [0109.789] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.789] SystemFunction036 (in: RandomBuffer=0x29d41a8, RandomBufferLength=0x10 | out: RandomBuffer=0x29d41a8) returned 1 [0109.789] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3a40 [0109.789] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ee8 [0109.789] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3a40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3a40*, pdwDataLen=0x25be798*=0x100) returned 1 [0109.789] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ee8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ee8*, pdwDataLen=0x25be794*=0x100) returned 1 [0109.790] GetTickCount () returned 0x115c909 [0109.790] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e508 [0109.791] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e508 | out: hHeap=0x2680000) returned 1 [0109.791] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xe4b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.791] SetLastError (dwErrCode=0x0) [0109.791] WriteFile (in: hFile=0x270, lpBuffer=0x29d3a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3a40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.837] GetLastError () returned 0x0 [0109.837] GetLastError () returned 0x0 [0109.837] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xe5b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.837] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ee8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ee8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.837] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xe6b5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.837] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3c762736, dwHighDateTime=0x1d5f971)) [0109.837] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0109.837] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.837] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0109.837] GetProcessHeap () returned 0xbc0000 [0109.837] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xe4b5) returned 0xbf2638 [0109.839] GetSystemDefaultLangID () returned 0xbd0409 [0109.839] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.839] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xe4b5, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xe4b5, lpOverlapped=0x0) returned 1 [0109.843] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.843] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xe4b5, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xe4b5, lpOverlapped=0x0) returned 1 [0109.843] GetProcessHeap () returned 0xbc0000 [0109.843] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0109.843] CloseHandle (hObject=0x270) returned 1 [0109.843] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3a40 | out: hHeap=0x2680000) returned 1 [0109.843] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ee8 | out: hHeap=0x2680000) returned 1 [0109.843] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.843] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d41a8 | out: hHeap=0x2680000) returned 1 [0109.843] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0109.843] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-us.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-us.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_en-us.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_en-us.htm.nefilim")) returned 1 [0109.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.844] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3dad37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3dad37, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x110b8, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_es-es.htm", cAlternateFileName="EULA_E~4.HTM")) returned 1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2=".") returned 1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="..") returned 1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="...") returned 1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="windows") returned -1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="rsa") returned -1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="NTDETECT.COM") returned -1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="ntldr") returned -1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="MSDOS.SYS") returned -1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="IO.SYS") returned -1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="boot.ini") returned 1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="ntuser.dat") returned -1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="desktop.ini") returned 1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="CONFIG.SYS") returned 1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="RECYCLER") returned -1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="bootmgr") returned 1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="programdata") returned -1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="appdata") returned 1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="program files") returned -1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="program files (x86)") returned -1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="microsoft") returned -1 [0109.844] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="sophos") returned -1 [0109.844] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0109.844] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0109.845] PathFindExtensionW (pszPath="EULA_es-es.htm") returned=".htm" [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.845] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.845] lstrcmpiW (lpString1="EULA_es-es.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.845] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0109.845] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-es.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-es.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0109.845] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=69816) returned 1 [0109.845] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.845] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d40a0 [0109.846] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.846] SystemFunction036 (in: RandomBuffer=0x29d40a0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d40a0) returned 1 [0109.846] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2078 [0109.846] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2de0 [0109.846] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2078*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2078*, pdwDataLen=0x25be798*=0x100) returned 1 [0109.847] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2de0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2de0*, pdwDataLen=0x25be794*=0x100) returned 1 [0109.849] GetTickCount () returned 0x115c938 [0109.849] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e3b8 [0109.849] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3b8 | out: hHeap=0x2680000) returned 1 [0109.849] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x110b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.849] SetLastError (dwErrCode=0x0) [0109.849] WriteFile (in: hFile=0x270, lpBuffer=0x29d2078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2078*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.851] GetLastError () returned 0x0 [0109.851] GetLastError () returned 0x0 [0109.851] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x111b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.851] WriteFile (in: hFile=0x270, lpBuffer=0x29d2de0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2de0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.851] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x112b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.851] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3c78890c, dwHighDateTime=0x1d5f971)) [0109.851] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0109.851] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.851] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0109.851] GetProcessHeap () returned 0xbc0000 [0109.851] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x110b8) returned 0xbf2638 [0109.851] GetSystemDefaultLangID () returned 0xbd0409 [0109.852] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.852] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x110b8, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x110b8, lpOverlapped=0x0) returned 1 [0109.861] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.861] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x110b8, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x110b8, lpOverlapped=0x0) returned 1 [0109.861] GetProcessHeap () returned 0xbc0000 [0109.861] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0109.861] CloseHandle (hObject=0x270) returned 1 [0109.862] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2078 | out: hHeap=0x2680000) returned 1 [0109.862] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2de0 | out: hHeap=0x2680000) returned 1 [0109.862] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.862] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d40a0 | out: hHeap=0x2680000) returned 1 [0109.862] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0109.862] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-es.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-es.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-es.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-es.htm.nefilim")) returned 1 [0109.862] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.862] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0109.862] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3dc0bd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3dc0bd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x110b8, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_es-mx.htm", cAlternateFileName="EU6344~1.HTM")) returned 1 [0109.862] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2=".") returned 1 [0109.862] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="..") returned 1 [0109.862] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="...") returned 1 [0109.862] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="windows") returned -1 [0109.862] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.862] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="rsa") returned -1 [0109.862] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="NTDETECT.COM") returned -1 [0109.862] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="ntldr") returned -1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="MSDOS.SYS") returned -1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="IO.SYS") returned -1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="boot.ini") returned 1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="ntuser.dat") returned -1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="desktop.ini") returned 1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="CONFIG.SYS") returned 1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="RECYCLER") returned -1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="bootmgr") returned 1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="programdata") returned -1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="appdata") returned 1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="program files") returned -1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="program files (x86)") returned -1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="microsoft") returned -1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="sophos") returned -1 [0109.863] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0109.863] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.863] PathFindExtensionW (pszPath="EULA_es-mx.htm") returned=".htm" [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.863] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.863] lstrcmpiW (lpString1="EULA_es-mx.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.864] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0109.864] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-mx.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-mx.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0109.864] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=69816) returned 1 [0109.864] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.864] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d41d8 [0109.864] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.864] SystemFunction036 (in: RandomBuffer=0x29d41d8, RandomBufferLength=0x10 | out: RandomBuffer=0x29d41d8) returned 1 [0109.864] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0109.864] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2bd0 [0109.864] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25be798*=0x100) returned 1 [0109.864] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2bd0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2bd0*, pdwDataLen=0x25be794*=0x100) returned 1 [0109.865] GetTickCount () returned 0x115c948 [0109.865] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e8 [0109.865] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e8 | out: hHeap=0x2680000) returned 1 [0109.865] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x110b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.865] SetLastError (dwErrCode=0x0) [0109.865] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.868] GetLastError () returned 0x0 [0109.868] GetLastError () returned 0x0 [0109.868] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x111b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.868] WriteFile (in: hFile=0x270, lpBuffer=0x29d2bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2bd0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.868] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x112b8, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.868] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3c7b2784, dwHighDateTime=0x1d5f971)) [0109.868] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0109.868] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.868] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0109.868] GetProcessHeap () returned 0xbc0000 [0109.868] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x110b8) returned 0xbf2638 [0109.868] GetSystemDefaultLangID () returned 0xbd0409 [0109.868] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.868] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x110b8, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x110b8, lpOverlapped=0x0) returned 1 [0109.872] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.873] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x110b8, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x110b8, lpOverlapped=0x0) returned 1 [0109.873] GetProcessHeap () returned 0xbc0000 [0109.873] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0109.873] CloseHandle (hObject=0x270) returned 1 [0109.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0109.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2bd0 | out: hHeap=0x2680000) returned 1 [0109.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.873] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d41d8 | out: hHeap=0x2680000) returned 1 [0109.873] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0109.873] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-mx.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-mx.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_es-mx.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_es-mx.htm.nefilim")) returned 1 [0109.874] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.874] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.874] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3dd45a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3dd45a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xf67d, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_et-ee.htm", cAlternateFileName="EU56AC~1.HTM")) returned 1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2=".") returned 1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="..") returned 1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="...") returned 1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="windows") returned -1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="rsa") returned -1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="NTDETECT.COM") returned -1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="ntldr") returned -1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="MSDOS.SYS") returned -1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="IO.SYS") returned -1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="boot.ini") returned 1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="ntuser.dat") returned -1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="desktop.ini") returned 1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="CONFIG.SYS") returned 1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="RECYCLER") returned -1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="bootmgr") returned 1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="programdata") returned -1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="appdata") returned 1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="program files") returned -1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="program files (x86)") returned -1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="microsoft") returned -1 [0109.874] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="sophos") returned -1 [0109.874] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0109.874] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0109.874] PathFindExtensionW (pszPath="EULA_et-ee.htm") returned=".htm" [0109.874] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.874] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.874] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.874] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.874] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.874] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.875] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.875] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.875] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.875] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.875] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.875] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.875] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.875] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.875] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.875] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.875] lstrcmpiW (lpString1="EULA_et-ee.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.875] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0109.875] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_et-ee.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_et-ee.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0109.875] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=63101) returned 1 [0109.875] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.875] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d40d0 [0109.875] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.875] SystemFunction036 (in: RandomBuffer=0x29d40d0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d40d0) returned 1 [0109.875] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3308 [0109.875] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d25a0 [0109.875] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3308*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3308*, pdwDataLen=0x25be798*=0x100) returned 1 [0109.876] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d25a0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d25a0*, pdwDataLen=0x25be794*=0x100) returned 1 [0109.876] GetTickCount () returned 0x115c957 [0109.876] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e690 [0109.876] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0109.876] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xf67d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.876] SetLastError (dwErrCode=0x0) [0109.876] WriteFile (in: hFile=0x270, lpBuffer=0x29d3308*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3308*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.930] GetLastError () returned 0x0 [0109.930] GetLastError () returned 0x0 [0109.930] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xf77d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.930] WriteFile (in: hFile=0x270, lpBuffer=0x29d25a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d25a0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.930] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xf87d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.930] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3c8475cb, dwHighDateTime=0x1d5f971)) [0109.930] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0109.930] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.930] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0109.930] GetProcessHeap () returned 0xbc0000 [0109.930] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xf67d) returned 0xbf2638 [0109.931] GetSystemDefaultLangID () returned 0xbd0409 [0109.931] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.931] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xf67d, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xf67d, lpOverlapped=0x0) returned 1 [0109.936] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.936] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xf67d, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xf67d, lpOverlapped=0x0) returned 1 [0109.936] GetProcessHeap () returned 0xbc0000 [0109.936] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0109.937] CloseHandle (hObject=0x270) returned 1 [0109.937] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3308 | out: hHeap=0x2680000) returned 1 [0109.938] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d25a0 | out: hHeap=0x2680000) returned 1 [0109.938] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.938] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d40d0 | out: hHeap=0x2680000) returned 1 [0109.938] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0109.938] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_et-ee.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_et-ee.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_et-ee.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_et-ee.htm.nefilim")) returned 1 [0109.938] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.938] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0109.938] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3dfb2b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3dfb2b, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1145a, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_fi-fi.htm", cAlternateFileName="EULA_F~1.HTM")) returned 1 [0109.938] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2=".") returned 1 [0109.938] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="..") returned 1 [0109.938] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="...") returned 1 [0109.938] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="windows") returned -1 [0109.938] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.938] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="rsa") returned -1 [0109.938] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="NTDETECT.COM") returned -1 [0109.938] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="ntldr") returned -1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="MSDOS.SYS") returned -1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="IO.SYS") returned -1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="boot.ini") returned 1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="ntuser.dat") returned -1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="desktop.ini") returned 1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="CONFIG.SYS") returned 1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="RECYCLER") returned -1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="bootmgr") returned 1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="programdata") returned -1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="appdata") returned 1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="program files") returned -1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="program files (x86)") returned -1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="microsoft") returned -1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="sophos") returned -1 [0109.939] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0109.939] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.939] PathFindExtensionW (pszPath="EULA_fi-fi.htm") returned=".htm" [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.939] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.939] lstrcmpiW (lpString1="EULA_fi-fi.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.939] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0109.940] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fi-fi.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fi-fi.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0109.940] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=70746) returned 1 [0109.940] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.940] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d43d0 [0109.940] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.940] SystemFunction036 (in: RandomBuffer=0x29d43d0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d43d0) returned 1 [0109.940] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3e60 [0109.941] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3410 [0109.941] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3e60*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3e60*, pdwDataLen=0x25be798*=0x100) returned 1 [0109.942] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3410*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3410*, pdwDataLen=0x25be794*=0x100) returned 1 [0109.942] GetTickCount () returned 0x115c996 [0109.942] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e3b8 [0109.942] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3b8 | out: hHeap=0x2680000) returned 1 [0109.942] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1145a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.942] SetLastError (dwErrCode=0x0) [0109.942] WriteFile (in: hFile=0x270, lpBuffer=0x29d3e60*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3e60*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.944] GetLastError () returned 0x0 [0109.944] GetLastError () returned 0x0 [0109.945] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1155a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.945] WriteFile (in: hFile=0x270, lpBuffer=0x29d3410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3410*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.945] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1165a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.945] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3c86d75c, dwHighDateTime=0x1d5f971)) [0109.945] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0109.945] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.945] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0109.945] GetProcessHeap () returned 0xbc0000 [0109.945] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1145a) returned 0xbf2638 [0109.945] GetSystemDefaultLangID () returned 0xbd0409 [0109.945] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.945] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1145a, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x1145a, lpOverlapped=0x0) returned 1 [0109.950] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.950] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1145a, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x1145a, lpOverlapped=0x0) returned 1 [0109.950] GetProcessHeap () returned 0xbc0000 [0109.950] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0109.950] CloseHandle (hObject=0x270) returned 1 [0109.950] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3e60 | out: hHeap=0x2680000) returned 1 [0109.950] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3410 | out: hHeap=0x2680000) returned 1 [0109.950] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.950] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d43d0 | out: hHeap=0x2680000) returned 1 [0109.950] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0109.950] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fi-fi.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fi-fi.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fi-fi.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fi-fi.htm.nefilim")) returned 1 [0109.951] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.951] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.951] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3e0ee6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3e0ee6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10f0a, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_fr-ca.htm", cAlternateFileName="EULA_F~2.HTM")) returned 1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2=".") returned 1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="..") returned 1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="...") returned 1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="windows") returned -1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="rsa") returned -1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="NTDETECT.COM") returned -1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="ntldr") returned -1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="MSDOS.SYS") returned -1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="IO.SYS") returned -1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="boot.ini") returned 1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="ntuser.dat") returned -1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="desktop.ini") returned 1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="CONFIG.SYS") returned 1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="RECYCLER") returned -1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="bootmgr") returned 1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="programdata") returned -1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="appdata") returned 1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="program files") returned -1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="program files (x86)") returned -1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="microsoft") returned -1 [0109.951] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="sophos") returned -1 [0109.951] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0109.951] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0109.951] PathFindExtensionW (pszPath="EULA_fr-ca.htm") returned=".htm" [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.952] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.952] lstrcmpiW (lpString1="EULA_fr-ca.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.952] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0109.952] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-ca.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-ca.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0109.952] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=69386) returned 1 [0109.952] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.952] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d43b8 [0109.952] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.952] SystemFunction036 (in: RandomBuffer=0x29d43b8, RandomBufferLength=0x10 | out: RandomBuffer=0x29d43b8) returned 1 [0109.952] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3308 [0109.952] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2078 [0109.953] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3308*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3308*, pdwDataLen=0x25be798*=0x100) returned 1 [0109.953] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2078*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2078*, pdwDataLen=0x25be794*=0x100) returned 1 [0109.954] GetTickCount () returned 0x115c9a5 [0109.954] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4d0 [0109.954] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4d0 | out: hHeap=0x2680000) returned 1 [0109.954] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10f0a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.954] SetLastError (dwErrCode=0x0) [0109.954] WriteFile (in: hFile=0x270, lpBuffer=0x29d3308*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3308*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.958] GetLastError () returned 0x0 [0109.958] GetLastError () returned 0x0 [0109.958] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1100a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.958] WriteFile (in: hFile=0x270, lpBuffer=0x29d2078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2078*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0109.958] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1110a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.958] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3c86d75c, dwHighDateTime=0x1d5f971)) [0109.958] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0109.958] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.958] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0109.958] GetProcessHeap () returned 0xbc0000 [0109.958] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10f0a) returned 0xbf2638 [0109.960] GetSystemDefaultLangID () returned 0xbd0409 [0109.960] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.960] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x10f0a, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x10f0a, lpOverlapped=0x0) returned 1 [0109.965] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.965] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x10f0a, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x10f0a, lpOverlapped=0x0) returned 1 [0109.965] GetProcessHeap () returned 0xbc0000 [0109.965] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0109.965] CloseHandle (hObject=0x270) returned 1 [0109.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3308 | out: hHeap=0x2680000) returned 1 [0109.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2078 | out: hHeap=0x2680000) returned 1 [0109.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0109.965] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d43b8 | out: hHeap=0x2680000) returned 1 [0109.965] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0109.965] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-ca.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-ca.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-ca.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-ca.htm.nefilim")) returned 1 [0109.966] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0109.966] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0109.966] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3e2266, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3e2266, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10f0a, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_fr-fr.htm", cAlternateFileName="EULA_F~3.HTM")) returned 1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2=".") returned 1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="..") returned 1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="...") returned 1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="windows") returned -1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="$RECYCLE.BIN") returned 1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="rsa") returned -1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="NTDETECT.COM") returned -1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="ntldr") returned -1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="MSDOS.SYS") returned -1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="IO.SYS") returned -1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="boot.ini") returned 1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="AUTOEXEC.BAT") returned 1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="ntuser.dat") returned -1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="desktop.ini") returned 1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="CONFIG.SYS") returned 1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="RECYCLER") returned -1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="BOOTSECT.BAK") returned 1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="bootmgr") returned 1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="programdata") returned -1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="appdata") returned 1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="program files") returned -1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="program files (x86)") returned -1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="microsoft") returned -1 [0109.966] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="sophos") returned -1 [0109.967] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0109.967] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0109.967] PathFindExtensionW (pszPath="EULA_fr-fr.htm") returned=".htm" [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0109.967] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0109.967] lstrcmpiW (lpString1="EULA_fr-fr.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0109.967] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0109.967] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-fr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-fr.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0109.967] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=69386) returned 1 [0109.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0109.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4208 [0109.968] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0109.968] SystemFunction036 (in: RandomBuffer=0x29d4208, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4208) returned 1 [0109.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2498 [0109.968] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2180 [0109.968] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2498*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2498*, pdwDataLen=0x25be798*=0x100) returned 1 [0109.969] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2180*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2180*, pdwDataLen=0x25be794*=0x100) returned 1 [0109.971] GetTickCount () returned 0x115c9b5 [0109.971] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e8 [0109.971] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e8 | out: hHeap=0x2680000) returned 1 [0109.971] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10f0a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0109.971] SetLastError (dwErrCode=0x0) [0109.971] WriteFile (in: hFile=0x270, lpBuffer=0x29d2498*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2498*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.048] GetLastError () returned 0x0 [0110.048] GetLastError () returned 0x0 [0110.048] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1100a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.048] WriteFile (in: hFile=0x270, lpBuffer=0x29d2180*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2180*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.060] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1110a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.061] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3c97a1ba, dwHighDateTime=0x1d5f971)) [0110.061] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0110.061] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.061] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0110.062] GetProcessHeap () returned 0xbc0000 [0110.062] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10f0a) returned 0xbf2638 [0110.062] GetSystemDefaultLangID () returned 0xbd0409 [0110.062] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.062] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x10f0a, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x10f0a, lpOverlapped=0x0) returned 1 [0110.082] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.082] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x10f0a, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x10f0a, lpOverlapped=0x0) returned 1 [0110.083] GetProcessHeap () returned 0xbc0000 [0110.083] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0110.083] CloseHandle (hObject=0x270) returned 1 [0110.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2498 | out: hHeap=0x2680000) returned 1 [0110.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2180 | out: hHeap=0x2680000) returned 1 [0110.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0110.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4208 | out: hHeap=0x2680000) returned 1 [0110.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0110.084] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-fr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-fr.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_fr-fr.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_fr-fr.htm.nefilim")) returned 1 [0110.087] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.087] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0110.087] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3e35dd, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3e35dd, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xd3187, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_he-il.htm", cAlternateFileName="EULA_H~1.HTM")) returned 1 [0110.087] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2=".") returned 1 [0110.087] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="..") returned 1 [0110.087] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="...") returned 1 [0110.087] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="windows") returned -1 [0110.087] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="$RECYCLE.BIN") returned 1 [0110.094] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="rsa") returned -1 [0110.099] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="NTDETECT.COM") returned -1 [0110.101] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="ntldr") returned -1 [0110.105] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="MSDOS.SYS") returned -1 [0110.108] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="IO.SYS") returned -1 [0110.111] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="boot.ini") returned 1 [0110.111] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="AUTOEXEC.BAT") returned 1 [0110.111] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="ntuser.dat") returned -1 [0110.111] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="desktop.ini") returned 1 [0110.111] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="CONFIG.SYS") returned 1 [0110.111] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="RECYCLER") returned -1 [0110.111] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="BOOTSECT.BAK") returned 1 [0110.111] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="bootmgr") returned 1 [0110.111] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="programdata") returned -1 [0110.111] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="appdata") returned 1 [0110.111] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="program files") returned -1 [0110.111] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="program files (x86)") returned -1 [0110.111] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="microsoft") returned -1 [0110.111] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="sophos") returned -1 [0110.111] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0110.112] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0110.113] PathFindExtensionW (pszPath="EULA_he-il.htm") returned=".htm" [0110.113] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0110.113] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0110.113] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0110.113] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0110.113] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0110.113] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0110.113] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0110.113] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0110.113] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0110.113] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0110.113] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0110.115] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0110.115] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0110.115] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0110.115] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0110.115] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0110.115] lstrcmpiW (lpString1="EULA_he-il.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0110.115] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0110.115] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_he-il.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_he-il.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0110.116] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=864647) returned 1 [0110.117] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0110.117] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4148 [0110.117] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0110.117] SystemFunction036 (in: RandomBuffer=0x29d4148, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4148) returned 1 [0110.117] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2180 [0110.117] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3620 [0110.118] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2180*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2180*, pdwDataLen=0x25be798*=0x100) returned 1 [0110.119] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3620*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3620*, pdwDataLen=0x25be794*=0x100) returned 1 [0110.121] GetTickCount () returned 0x115ca51 [0110.121] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5b0 [0110.121] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5b0 | out: hHeap=0x2680000) returned 1 [0110.121] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd3187, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.121] SetLastError (dwErrCode=0x0) [0110.121] WriteFile (in: hFile=0x270, lpBuffer=0x29d2180*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2180*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.126] GetLastError () returned 0x0 [0110.126] GetLastError () returned 0x0 [0110.126] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd3287, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.126] WriteFile (in: hFile=0x270, lpBuffer=0x29d3620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3620*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.126] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xd3387, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.126] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3ca1102a, dwHighDateTime=0x1d5f971)) [0110.126] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0110.127] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.127] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0110.127] GetProcessHeap () returned 0xbc0000 [0110.127] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xd3187) returned 0xa3b020 [0110.129] GetSystemDefaultLangID () returned 0xbd0409 [0110.129] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.129] ReadFile (in: hFile=0x270, lpBuffer=0xa3b020, nNumberOfBytesToRead=0xd3187, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xa3b020*, lpNumberOfBytesRead=0x25be7fc*=0xd3187, lpOverlapped=0x0) returned 1 [0110.267] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.267] WriteFile (in: hFile=0x270, lpBuffer=0xa3b020*, nNumberOfBytesToWrite=0xd3187, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xa3b020*, lpNumberOfBytesWritten=0x25be7f0*=0xd3187, lpOverlapped=0x0) returned 1 [0110.269] GetProcessHeap () returned 0xbc0000 [0110.269] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xa3b020 | out: hHeap=0xbc0000) returned 1 [0110.463] CloseHandle (hObject=0x270) returned 1 [0110.463] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2180 | out: hHeap=0x2680000) returned 1 [0110.463] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3620 | out: hHeap=0x2680000) returned 1 [0110.463] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0110.463] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4148 | out: hHeap=0x2680000) returned 1 [0110.463] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0110.463] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_he-il.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_he-il.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_he-il.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_he-il.htm.nefilim")) returned 1 [0110.464] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.464] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0110.464] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3e977f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3e977f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xfd68, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_hr-hr.htm", cAlternateFileName="EULA_H~2.HTM")) returned 1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2=".") returned 1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="..") returned 1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="...") returned 1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="windows") returned -1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="$RECYCLE.BIN") returned 1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="rsa") returned -1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="NTDETECT.COM") returned -1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="ntldr") returned -1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="MSDOS.SYS") returned -1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="IO.SYS") returned -1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="boot.ini") returned 1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="AUTOEXEC.BAT") returned 1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="ntuser.dat") returned -1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="desktop.ini") returned 1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="CONFIG.SYS") returned 1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="RECYCLER") returned -1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="BOOTSECT.BAK") returned 1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="bootmgr") returned 1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="programdata") returned -1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="appdata") returned 1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="program files") returned -1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="program files (x86)") returned -1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="microsoft") returned -1 [0110.464] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="sophos") returned -1 [0110.464] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0110.464] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0110.464] PathFindExtensionW (pszPath="EULA_hr-hr.htm") returned=".htm" [0110.464] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0110.464] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0110.464] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0110.465] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0110.465] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0110.465] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0110.465] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0110.465] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0110.465] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0110.465] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0110.465] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0110.465] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0110.465] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0110.465] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0110.465] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0110.465] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0110.465] lstrcmpiW (lpString1="EULA_hr-hr.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0110.465] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0110.465] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hr-hr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hr-hr.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0110.466] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=64872) returned 1 [0110.466] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0110.466] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4190 [0110.466] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0110.466] SystemFunction036 (in: RandomBuffer=0x29d4190, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4190) returned 1 [0110.466] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3a40 [0110.466] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3b48 [0110.466] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3a40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3a40*, pdwDataLen=0x25be798*=0x100) returned 1 [0110.468] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3b48*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3b48*, pdwDataLen=0x25be794*=0x100) returned 1 [0110.470] GetTickCount () returned 0x115cba9 [0110.470] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e3f0 [0110.470] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f0 | out: hHeap=0x2680000) returned 1 [0110.470] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xfd68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.470] SetLastError (dwErrCode=0x0) [0110.470] WriteFile (in: hFile=0x270, lpBuffer=0x29d3a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3a40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.472] GetLastError () returned 0x0 [0110.472] GetLastError () returned 0x0 [0110.472] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xfe68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.472] WriteFile (in: hFile=0x270, lpBuffer=0x29d3b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3b48*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.472] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0xff68, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.472] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3cd5852c, dwHighDateTime=0x1d5f971)) [0110.472] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0110.472] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.472] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0110.472] GetProcessHeap () returned 0xbc0000 [0110.472] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xfd68) returned 0xbf2638 [0110.474] GetSystemDefaultLangID () returned 0xbd0409 [0110.474] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.474] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0xfd68, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0xfd68, lpOverlapped=0x0) returned 1 [0110.493] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.493] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0xfd68, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0xfd68, lpOverlapped=0x0) returned 1 [0110.494] GetProcessHeap () returned 0xbc0000 [0110.494] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0110.494] CloseHandle (hObject=0x270) returned 1 [0110.494] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3a40 | out: hHeap=0x2680000) returned 1 [0110.494] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3b48 | out: hHeap=0x2680000) returned 1 [0110.494] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0110.494] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4190 | out: hHeap=0x2680000) returned 1 [0110.494] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0110.494] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hr-hr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hr-hr.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hr-hr.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hr-hr.htm.nefilim")) returned 1 [0110.495] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.495] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0110.495] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ebeab, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ebeab, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x14a5a, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_hu-hu.htm", cAlternateFileName="EULA_H~3.HTM")) returned 1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2=".") returned 1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="..") returned 1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="...") returned 1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="windows") returned -1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="$RECYCLE.BIN") returned 1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="rsa") returned -1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="NTDETECT.COM") returned -1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="ntldr") returned -1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="MSDOS.SYS") returned -1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="IO.SYS") returned -1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="boot.ini") returned 1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="AUTOEXEC.BAT") returned 1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="ntuser.dat") returned -1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="desktop.ini") returned 1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="CONFIG.SYS") returned 1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="RECYCLER") returned -1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="BOOTSECT.BAK") returned 1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="bootmgr") returned 1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="programdata") returned -1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="appdata") returned 1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="program files") returned -1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="program files (x86)") returned -1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="microsoft") returned -1 [0110.495] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="sophos") returned -1 [0110.495] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0110.495] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0110.496] PathFindExtensionW (pszPath="EULA_hu-hu.htm") returned=".htm" [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0110.496] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0110.496] lstrcmpiW (lpString1="EULA_hu-hu.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0110.496] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0110.496] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hu-hu.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hu-hu.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0110.496] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=84570) returned 1 [0110.496] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0110.496] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4280 [0110.497] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0110.497] SystemFunction036 (in: RandomBuffer=0x29d4280, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4280) returned 1 [0110.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3a40 [0110.497] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d26a8 [0110.497] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3a40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3a40*, pdwDataLen=0x25be798*=0x100) returned 1 [0110.498] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d26a8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d26a8*, pdwDataLen=0x25be794*=0x100) returned 1 [0110.500] GetTickCount () returned 0x115cbc8 [0110.500] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e508 [0110.500] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e508 | out: hHeap=0x2680000) returned 1 [0110.500] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14a5a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.500] SetLastError (dwErrCode=0x0) [0110.500] WriteFile (in: hFile=0x270, lpBuffer=0x29d3a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3a40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.598] GetLastError () returned 0x0 [0110.598] GetLastError () returned 0x0 [0110.598] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14b5a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.598] WriteFile (in: hFile=0x270, lpBuffer=0x29d26a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d26a8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.598] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14c5a, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.598] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3ce899f1, dwHighDateTime=0x1d5f971)) [0110.598] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0110.598] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.598] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0110.598] GetProcessHeap () returned 0xbc0000 [0110.598] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x14a5a) returned 0xbf2638 [0110.599] GetSystemDefaultLangID () returned 0xbd0409 [0110.599] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.599] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x14a5a, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x14a5a, lpOverlapped=0x0) returned 1 [0110.613] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.613] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x14a5a, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x14a5a, lpOverlapped=0x0) returned 1 [0110.614] GetProcessHeap () returned 0xbc0000 [0110.615] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0110.615] CloseHandle (hObject=0x270) returned 1 [0110.615] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3a40 | out: hHeap=0x2680000) returned 1 [0110.615] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d26a8 | out: hHeap=0x2680000) returned 1 [0110.615] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0110.615] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4280 | out: hHeap=0x2680000) returned 1 [0110.615] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0110.615] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hu-hu.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hu-hu.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_hu-hu.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_hu-hu.htm.nefilim")) returned 1 [0110.616] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.616] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0110.616] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ed234, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ed234, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10f6d, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_it-it.htm", cAlternateFileName="EULA_I~1.HTM")) returned 1 [0110.616] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2=".") returned 1 [0110.616] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="..") returned 1 [0110.616] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="...") returned 1 [0110.616] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="windows") returned -1 [0110.616] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="$RECYCLE.BIN") returned 1 [0110.616] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="rsa") returned -1 [0110.616] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="NTDETECT.COM") returned -1 [0110.616] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="ntldr") returned -1 [0110.616] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="MSDOS.SYS") returned -1 [0110.616] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="IO.SYS") returned -1 [0110.616] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="boot.ini") returned 1 [0110.616] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="AUTOEXEC.BAT") returned 1 [0110.616] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="ntuser.dat") returned -1 [0110.616] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="desktop.ini") returned 1 [0110.617] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="CONFIG.SYS") returned 1 [0110.617] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="RECYCLER") returned -1 [0110.617] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="BOOTSECT.BAK") returned 1 [0110.617] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="bootmgr") returned 1 [0110.617] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="programdata") returned -1 [0110.617] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="appdata") returned 1 [0110.617] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="program files") returned -1 [0110.617] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="program files (x86)") returned -1 [0110.617] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="microsoft") returned -1 [0110.617] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="sophos") returned -1 [0110.617] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0110.617] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0110.617] PathFindExtensionW (pszPath="EULA_it-it.htm") returned=".htm" [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0110.617] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0110.617] lstrcmpiW (lpString1="EULA_it-it.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0110.617] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0110.617] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_it-it.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_it-it.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0110.618] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=69485) returned 1 [0110.618] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0110.618] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4358 [0110.618] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0110.618] SystemFunction036 (in: RandomBuffer=0x29d4358, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4358) returned 1 [0110.618] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d26a8 [0110.618] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3d58 [0110.618] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d26a8*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d26a8*, pdwDataLen=0x25be798*=0x100) returned 1 [0110.618] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3d58*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3d58*, pdwDataLen=0x25be794*=0x100) returned 1 [0110.618] GetTickCount () returned 0x115cc45 [0110.618] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e3b8 [0110.619] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3b8 | out: hHeap=0x2680000) returned 1 [0110.619] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10f6d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.619] SetLastError (dwErrCode=0x0) [0110.619] WriteFile (in: hFile=0x270, lpBuffer=0x29d26a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d26a8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.620] GetLastError () returned 0x0 [0110.620] GetLastError () returned 0x0 [0110.620] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1106d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.620] WriteFile (in: hFile=0x270, lpBuffer=0x29d3d58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3d58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.620] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1116d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.620] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3ced5c64, dwHighDateTime=0x1d5f971)) [0110.620] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0110.620] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.620] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0110.621] GetProcessHeap () returned 0xbc0000 [0110.621] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10f6d) returned 0xbf2638 [0110.621] GetSystemDefaultLangID () returned 0xbd0409 [0110.621] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.621] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x10f6d, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x10f6d, lpOverlapped=0x0) returned 1 [0110.624] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.624] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x10f6d, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x10f6d, lpOverlapped=0x0) returned 1 [0110.625] GetProcessHeap () returned 0xbc0000 [0110.625] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0110.625] CloseHandle (hObject=0x270) returned 1 [0110.625] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d26a8 | out: hHeap=0x2680000) returned 1 [0110.625] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3d58 | out: hHeap=0x2680000) returned 1 [0110.625] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0110.625] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4358 | out: hHeap=0x2680000) returned 1 [0110.625] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0110.625] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_it-it.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_it-it.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_it-it.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_it-it.htm.nefilim")) returned 1 [0110.625] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.625] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0110.625] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ef94a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ef94a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x3354e, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_ja-jp.htm", cAlternateFileName="EULA_J~1.HTM")) returned 1 [0110.625] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2=".") returned 1 [0110.625] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="..") returned 1 [0110.625] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="...") returned 1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="windows") returned -1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="$RECYCLE.BIN") returned 1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="rsa") returned -1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="NTDETECT.COM") returned -1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="ntldr") returned -1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="MSDOS.SYS") returned -1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="IO.SYS") returned -1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="boot.ini") returned 1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="AUTOEXEC.BAT") returned 1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="ntuser.dat") returned -1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="desktop.ini") returned 1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="CONFIG.SYS") returned 1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="RECYCLER") returned -1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="BOOTSECT.BAK") returned 1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="bootmgr") returned 1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="programdata") returned -1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="appdata") returned 1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="program files") returned -1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="program files (x86)") returned -1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="microsoft") returned -1 [0110.626] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="sophos") returned -1 [0110.626] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0110.626] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0110.626] PathFindExtensionW (pszPath="EULA_ja-jp.htm") returned=".htm" [0110.626] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0110.626] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0110.626] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0110.626] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0110.626] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0110.626] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0110.626] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0110.626] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0110.626] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0110.626] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0110.627] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0110.627] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0110.627] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0110.627] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0110.627] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0110.627] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0110.627] lstrcmpiW (lpString1="EULA_ja-jp.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0110.627] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0110.627] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ja-jp.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ja-jp.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0110.627] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=210254) returned 1 [0110.627] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0110.627] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d40a0 [0110.627] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0110.627] SystemFunction036 (in: RandomBuffer=0x29d40a0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d40a0) returned 1 [0110.627] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0110.627] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2078 [0110.627] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25be798*=0x100) returned 1 [0110.628] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2078*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2078*, pdwDataLen=0x25be794*=0x100) returned 1 [0110.628] GetTickCount () returned 0x115cc45 [0110.628] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e690 [0110.628] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0110.628] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3354e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.628] SetLastError (dwErrCode=0x0) [0110.628] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.633] GetLastError () returned 0x0 [0110.633] GetLastError () returned 0x0 [0110.633] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3364e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.633] WriteFile (in: hFile=0x270, lpBuffer=0x29d2078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2078*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.633] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3374e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.633] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3cefbef0, dwHighDateTime=0x1d5f971)) [0110.633] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0110.633] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.633] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0110.633] GetProcessHeap () returned 0xbc0000 [0110.633] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3354e) returned 0xbf2638 [0110.633] GetSystemDefaultLangID () returned 0xbd0409 [0110.633] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.633] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3354e, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3354e, lpOverlapped=0x0) returned 1 [0110.644] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.644] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3354e, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3354e, lpOverlapped=0x0) returned 1 [0110.645] GetProcessHeap () returned 0xbc0000 [0110.645] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0110.645] CloseHandle (hObject=0x270) returned 1 [0110.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0110.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2078 | out: hHeap=0x2680000) returned 1 [0110.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0110.645] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d40a0 | out: hHeap=0x2680000) returned 1 [0110.645] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0110.645] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ja-jp.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ja-jp.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ja-jp.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ja-jp.htm.nefilim")) returned 1 [0110.646] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.646] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0110.646] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3f205a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3f205a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x9ace3, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_ko-kr.htm", cAlternateFileName="EULA_K~1.HTM")) returned 1 [0110.646] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2=".") returned 1 [0110.646] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="..") returned 1 [0110.646] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="...") returned 1 [0110.646] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="windows") returned -1 [0110.646] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="$RECYCLE.BIN") returned 1 [0110.646] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="rsa") returned -1 [0110.646] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="NTDETECT.COM") returned -1 [0110.646] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="ntldr") returned -1 [0110.646] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="MSDOS.SYS") returned -1 [0110.646] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="IO.SYS") returned -1 [0110.646] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="boot.ini") returned 1 [0110.646] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="AUTOEXEC.BAT") returned 1 [0110.646] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="ntuser.dat") returned -1 [0110.646] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="desktop.ini") returned 1 [0110.646] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="CONFIG.SYS") returned 1 [0110.799] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="RECYCLER") returned -1 [0110.799] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="BOOTSECT.BAK") returned 1 [0110.799] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="bootmgr") returned 1 [0110.799] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="programdata") returned -1 [0110.799] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="appdata") returned 1 [0110.799] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="program files") returned -1 [0110.799] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="program files (x86)") returned -1 [0110.799] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="microsoft") returned -1 [0110.799] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="sophos") returned -1 [0110.799] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0110.799] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0110.800] PathFindExtensionW (pszPath="EULA_ko-kr.htm") returned=".htm" [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0110.800] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0110.800] lstrcmpiW (lpString1="EULA_ko-kr.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0110.800] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0110.800] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ko-kr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ko-kr.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0110.801] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=634083) returned 1 [0110.801] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0110.801] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4220 [0110.801] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0110.801] SystemFunction036 (in: RandomBuffer=0x29d4220, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4220) returned 1 [0110.801] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2180 [0110.801] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0110.801] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2180*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2180*, pdwDataLen=0x25be798*=0x100) returned 1 [0110.803] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25be794*=0x100) returned 1 [0110.805] GetTickCount () returned 0x115cd01 [0110.805] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e310 [0110.805] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e310 | out: hHeap=0x2680000) returned 1 [0110.805] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x9ace3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.805] SetLastError (dwErrCode=0x0) [0110.805] WriteFile (in: hFile=0x270, lpBuffer=0x29d2180*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2180*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.806] GetLastError () returned 0x0 [0110.806] GetLastError () returned 0x0 [0110.807] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x9ade3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.807] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.807] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x9aee3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.807] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3d09f838, dwHighDateTime=0x1d5f971)) [0110.807] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0110.807] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.807] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0110.807] GetProcessHeap () returned 0xbc0000 [0110.807] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x9ace3) returned 0xa30020 [0110.809] GetSystemDefaultLangID () returned 0xbd0409 [0110.809] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.809] ReadFile (in: hFile=0x270, lpBuffer=0xa30020, nNumberOfBytesToRead=0x9ace3, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xa30020*, lpNumberOfBytesRead=0x25be7fc*=0x9ace3, lpOverlapped=0x0) returned 1 [0110.921] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.921] WriteFile (in: hFile=0x270, lpBuffer=0xa30020*, nNumberOfBytesToWrite=0x9ace3, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xa30020*, lpNumberOfBytesWritten=0x25be7f0*=0x9ace3, lpOverlapped=0x0) returned 1 [0110.922] GetProcessHeap () returned 0xbc0000 [0110.923] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xa30020 | out: hHeap=0xbc0000) returned 1 [0110.926] CloseHandle (hObject=0x270) returned 1 [0110.926] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2180 | out: hHeap=0x2680000) returned 1 [0110.926] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0110.926] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0110.926] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4220 | out: hHeap=0x2680000) returned 1 [0110.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0110.926] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ko-kr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ko-kr.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ko-kr.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ko-kr.htm.nefilim")) returned 1 [0110.926] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.927] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0110.927] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3f33e0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3f33e0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1293b, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_lt-lt.htm", cAlternateFileName="EULA_L~1.HTM")) returned 1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2=".") returned 1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="..") returned 1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="...") returned 1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="windows") returned -1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="$RECYCLE.BIN") returned 1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="rsa") returned -1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="NTDETECT.COM") returned -1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="ntldr") returned -1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="MSDOS.SYS") returned -1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="IO.SYS") returned -1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="boot.ini") returned 1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="AUTOEXEC.BAT") returned 1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="ntuser.dat") returned -1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="desktop.ini") returned 1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="CONFIG.SYS") returned 1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="RECYCLER") returned -1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="BOOTSECT.BAK") returned 1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="bootmgr") returned 1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="programdata") returned -1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="appdata") returned 1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="program files") returned -1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="program files (x86)") returned -1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="microsoft") returned -1 [0110.927] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="sophos") returned -1 [0110.927] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0110.927] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0110.927] PathFindExtensionW (pszPath="EULA_lt-lt.htm") returned=".htm" [0110.927] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0110.927] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0110.927] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0110.927] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0110.927] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0110.927] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0110.930] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0110.930] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0110.930] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0110.930] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0110.930] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0110.930] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0110.930] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0110.930] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0110.930] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0110.930] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0110.930] lstrcmpiW (lpString1="EULA_lt-lt.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0110.930] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0110.930] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lt-lt.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lt-lt.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0110.931] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=76091) returned 1 [0110.931] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0110.931] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4298 [0110.931] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0110.931] SystemFunction036 (in: RandomBuffer=0x29d4298, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4298) returned 1 [0110.931] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d27b0 [0110.931] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2bd0 [0110.931] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d27b0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d27b0*, pdwDataLen=0x25be798*=0x100) returned 1 [0110.931] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2bd0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2bd0*, pdwDataLen=0x25be794*=0x100) returned 1 [0110.932] GetTickCount () returned 0x115cd7e [0110.932] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4d0 [0110.932] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4d0 | out: hHeap=0x2680000) returned 1 [0110.932] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1293b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.932] SetLastError (dwErrCode=0x0) [0110.932] WriteFile (in: hFile=0x270, lpBuffer=0x29d27b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d27b0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.970] GetLastError () returned 0x0 [0110.971] GetLastError () returned 0x0 [0110.971] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12a3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.971] WriteFile (in: hFile=0x270, lpBuffer=0x29d2bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2bd0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.971] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12b3b, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.971] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3d21d08a, dwHighDateTime=0x1d5f971)) [0110.971] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0110.971] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.971] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0110.971] GetProcessHeap () returned 0xbc0000 [0110.971] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1293b) returned 0xbf2638 [0110.971] GetSystemDefaultLangID () returned 0xbd0409 [0110.971] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.971] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1293b, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x1293b, lpOverlapped=0x0) returned 1 [0110.979] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.979] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1293b, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x1293b, lpOverlapped=0x0) returned 1 [0110.980] GetProcessHeap () returned 0xbc0000 [0110.980] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0110.980] CloseHandle (hObject=0x270) returned 1 [0110.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d27b0 | out: hHeap=0x2680000) returned 1 [0110.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2bd0 | out: hHeap=0x2680000) returned 1 [0110.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0110.980] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4298 | out: hHeap=0x2680000) returned 1 [0110.980] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0110.980] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lt-lt.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lt-lt.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lt-lt.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lt-lt.htm.nefilim")) returned 1 [0110.981] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.981] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0110.981] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3f5af3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3f5af3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x147c5, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_lv-lv.htm", cAlternateFileName="EULA_L~2.HTM")) returned 1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2=".") returned 1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="..") returned 1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="...") returned 1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="windows") returned -1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="$RECYCLE.BIN") returned 1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="rsa") returned -1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="NTDETECT.COM") returned -1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="ntldr") returned -1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="MSDOS.SYS") returned -1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="IO.SYS") returned -1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="boot.ini") returned 1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="AUTOEXEC.BAT") returned 1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="ntuser.dat") returned -1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="desktop.ini") returned 1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="CONFIG.SYS") returned 1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="RECYCLER") returned -1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="BOOTSECT.BAK") returned 1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="bootmgr") returned 1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="programdata") returned -1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="appdata") returned 1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="program files") returned -1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="program files (x86)") returned -1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="microsoft") returned -1 [0110.981] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="sophos") returned -1 [0110.981] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0110.982] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0110.982] PathFindExtensionW (pszPath="EULA_lv-lv.htm") returned=".htm" [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0110.982] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0110.982] lstrcmpiW (lpString1="EULA_lv-lv.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0110.982] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0110.982] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lv-lv.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lv-lv.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0110.982] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=83909) returned 1 [0110.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0110.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d43d0 [0110.983] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0110.983] SystemFunction036 (in: RandomBuffer=0x29d43d0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d43d0) returned 1 [0110.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3620 [0110.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3a40 [0110.983] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3620*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3620*, pdwDataLen=0x25be798*=0x100) returned 1 [0110.983] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3a40*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3a40*, pdwDataLen=0x25be794*=0x100) returned 1 [0110.983] GetTickCount () returned 0x115cdad [0110.983] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e508 [0110.983] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e508 | out: hHeap=0x2680000) returned 1 [0110.983] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x147c5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.983] SetLastError (dwErrCode=0x0) [0110.983] WriteFile (in: hFile=0x270, lpBuffer=0x29d3620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3620*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.985] GetLastError () returned 0x0 [0110.985] GetLastError () returned 0x0 [0110.985] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x148c5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.985] WriteFile (in: hFile=0x270, lpBuffer=0x29d3a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3a40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0110.985] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x149c5, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.985] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3d2458d5, dwHighDateTime=0x1d5f971)) [0110.985] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0110.985] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.985] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0110.985] GetProcessHeap () returned 0xbc0000 [0110.985] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x147c5) returned 0xbf2638 [0110.985] GetSystemDefaultLangID () returned 0xbd0409 [0110.985] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.985] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x147c5, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x147c5, lpOverlapped=0x0) returned 1 [0110.991] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.991] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x147c5, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x147c5, lpOverlapped=0x0) returned 1 [0110.991] GetProcessHeap () returned 0xbc0000 [0110.991] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0110.991] CloseHandle (hObject=0x270) returned 1 [0110.991] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3620 | out: hHeap=0x2680000) returned 1 [0110.991] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3a40 | out: hHeap=0x2680000) returned 1 [0110.991] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0110.991] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d43d0 | out: hHeap=0x2680000) returned 1 [0110.991] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0110.991] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lv-lv.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lv-lv.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_lv-lv.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_lv-lv.htm.nefilim")) returned 1 [0110.992] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0110.992] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0110.992] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3fa921, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3fa921, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10674, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_nb-no.htm", cAlternateFileName="EULA_N~1.HTM")) returned 1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2=".") returned 1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="..") returned 1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="...") returned 1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="windows") returned -1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="$RECYCLE.BIN") returned 1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="rsa") returned -1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="NTDETECT.COM") returned -1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="ntldr") returned -1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="MSDOS.SYS") returned -1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="IO.SYS") returned -1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="boot.ini") returned 1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="AUTOEXEC.BAT") returned 1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="ntuser.dat") returned -1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="desktop.ini") returned 1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="CONFIG.SYS") returned 1 [0110.992] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="RECYCLER") returned -1 [0110.993] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="BOOTSECT.BAK") returned 1 [0110.993] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="bootmgr") returned 1 [0110.993] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="programdata") returned -1 [0110.993] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="appdata") returned 1 [0110.993] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="program files") returned -1 [0110.993] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="program files (x86)") returned -1 [0110.993] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="microsoft") returned -1 [0110.993] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="sophos") returned -1 [0110.993] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0110.993] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0110.993] PathFindExtensionW (pszPath="EULA_nb-no.htm") returned=".htm" [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0110.993] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0110.993] lstrcmpiW (lpString1="EULA_nb-no.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0110.993] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0110.993] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nb-no.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nb-no.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0110.994] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=67188) returned 1 [0110.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0110.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d43b8 [0110.994] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0110.994] SystemFunction036 (in: RandomBuffer=0x29d43b8, RandomBufferLength=0x10 | out: RandomBuffer=0x29d43b8) returned 1 [0110.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d26a8 [0110.994] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3b48 [0110.994] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d26a8*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d26a8*, pdwDataLen=0x25be798*=0x100) returned 1 [0110.995] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3b48*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3b48*, pdwDataLen=0x25be794*=0x100) returned 1 [0110.997] GetTickCount () returned 0x115cdbc [0110.997] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e690 [0110.997] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0110.997] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10674, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0110.997] SetLastError (dwErrCode=0x0) [0110.997] WriteFile (in: hFile=0x270, lpBuffer=0x29d26a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d26a8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.141] GetLastError () returned 0x0 [0111.141] GetLastError () returned 0x0 [0111.141] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10774, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.141] WriteFile (in: hFile=0x270, lpBuffer=0x29d3b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3b48*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.142] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10874, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.142] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3d3c0be8, dwHighDateTime=0x1d5f971)) [0111.142] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0111.142] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.142] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.142] GetProcessHeap () returned 0xbc0000 [0111.142] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10674) returned 0xbf2638 [0111.142] GetSystemDefaultLangID () returned 0xbd0409 [0111.142] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.142] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x10674, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x10674, lpOverlapped=0x0) returned 1 [0111.149] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.149] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x10674, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x10674, lpOverlapped=0x0) returned 1 [0111.149] GetProcessHeap () returned 0xbc0000 [0111.149] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.149] CloseHandle (hObject=0x270) returned 1 [0111.149] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d26a8 | out: hHeap=0x2680000) returned 1 [0111.149] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3b48 | out: hHeap=0x2680000) returned 1 [0111.149] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.149] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d43b8 | out: hHeap=0x2680000) returned 1 [0111.150] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.150] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nb-no.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nb-no.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nb-no.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nb-no.htm.nefilim")) returned 1 [0111.151] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.151] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.151] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3fe3b1, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3fe3b1, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10698, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_nl-nl.htm", cAlternateFileName="EULA_N~2.HTM")) returned 1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2=".") returned 1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="..") returned 1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="...") returned 1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="windows") returned -1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="rsa") returned -1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="NTDETECT.COM") returned -1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="ntldr") returned -1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="MSDOS.SYS") returned -1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="IO.SYS") returned -1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="boot.ini") returned 1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="ntuser.dat") returned -1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="desktop.ini") returned 1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="CONFIG.SYS") returned 1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="RECYCLER") returned -1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="bootmgr") returned 1 [0111.151] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="programdata") returned -1 [0111.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="appdata") returned 1 [0111.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="program files") returned -1 [0111.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="program files (x86)") returned -1 [0111.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="microsoft") returned -1 [0111.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="sophos") returned -1 [0111.152] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0111.152] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.152] PathFindExtensionW (pszPath="EULA_nl-nl.htm") returned=".htm" [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.152] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.152] lstrcmpiW (lpString1="EULA_nl-nl.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.152] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0111.152] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nl-nl.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nl-nl.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0111.153] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=67224) returned 1 [0111.153] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0111.153] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4388 [0111.153] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0111.153] SystemFunction036 (in: RandomBuffer=0x29d4388, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4388) returned 1 [0111.153] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3b48 [0111.153] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3c50 [0111.153] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3b48*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3b48*, pdwDataLen=0x25be798*=0x100) returned 1 [0111.153] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3c50*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3c50*, pdwDataLen=0x25be794*=0x100) returned 1 [0111.155] GetTickCount () returned 0x115ce58 [0111.155] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e428 [0111.155] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e428 | out: hHeap=0x2680000) returned 1 [0111.155] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10698, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.155] SetLastError (dwErrCode=0x0) [0111.155] WriteFile (in: hFile=0x270, lpBuffer=0x29d3b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3b48*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.198] GetLastError () returned 0x0 [0111.198] GetLastError () returned 0x0 [0111.198] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10798, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.198] WriteFile (in: hFile=0x270, lpBuffer=0x29d3c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3c50*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.198] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10898, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.198] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3d45933f, dwHighDateTime=0x1d5f971)) [0111.198] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0111.198] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.198] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.198] GetProcessHeap () returned 0xbc0000 [0111.198] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10698) returned 0xbf2638 [0111.199] GetSystemDefaultLangID () returned 0xbd0409 [0111.199] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.199] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x10698, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x10698, lpOverlapped=0x0) returned 1 [0111.204] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.204] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x10698, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x10698, lpOverlapped=0x0) returned 1 [0111.204] GetProcessHeap () returned 0xbc0000 [0111.204] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.204] CloseHandle (hObject=0x270) returned 1 [0111.204] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3b48 | out: hHeap=0x2680000) returned 1 [0111.204] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3c50 | out: hHeap=0x2680000) returned 1 [0111.204] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.204] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4388 | out: hHeap=0x2680000) returned 1 [0111.204] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.204] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nl-nl.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nl-nl.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_nl-nl.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_nl-nl.htm.nefilim")) returned 1 [0111.205] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.205] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.205] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea3ff747, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea3ff747, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x13f94, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_pl-pl.htm", cAlternateFileName="EULA_P~1.HTM")) returned 1 [0111.205] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2=".") returned 1 [0111.205] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="..") returned 1 [0111.205] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="...") returned 1 [0111.205] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="windows") returned -1 [0111.205] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.205] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="rsa") returned -1 [0111.205] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="NTDETECT.COM") returned -1 [0111.205] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="ntldr") returned -1 [0111.205] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="MSDOS.SYS") returned -1 [0111.205] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="IO.SYS") returned -1 [0111.205] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="boot.ini") returned 1 [0111.205] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.206] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="ntuser.dat") returned -1 [0111.206] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="desktop.ini") returned 1 [0111.206] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="CONFIG.SYS") returned 1 [0111.206] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="RECYCLER") returned -1 [0111.206] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.206] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="bootmgr") returned 1 [0111.206] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="programdata") returned -1 [0111.206] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="appdata") returned 1 [0111.206] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="program files") returned -1 [0111.206] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="program files (x86)") returned -1 [0111.206] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="microsoft") returned -1 [0111.206] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="sophos") returned -1 [0111.206] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0111.206] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.206] PathFindExtensionW (pszPath="EULA_pl-pl.htm") returned=".htm" [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.206] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.206] lstrcmpiW (lpString1="EULA_pl-pl.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.206] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0111.206] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pl-pl.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pl-pl.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0111.207] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=81812) returned 1 [0111.207] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0111.207] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4208 [0111.207] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0111.207] SystemFunction036 (in: RandomBuffer=0x29d4208, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4208) returned 1 [0111.207] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3410 [0111.207] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ff0 [0111.207] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3410*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3410*, pdwDataLen=0x25be798*=0x100) returned 1 [0111.208] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ff0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ff0*, pdwDataLen=0x25be794*=0x100) returned 1 [0111.211] GetTickCount () returned 0x115ce97 [0111.211] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e3b8 [0111.211] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3b8 | out: hHeap=0x2680000) returned 1 [0111.211] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x13f94, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.211] SetLastError (dwErrCode=0x0) [0111.211] WriteFile (in: hFile=0x270, lpBuffer=0x29d3410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3410*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.213] GetLastError () returned 0x0 [0111.213] GetLastError () returned 0x0 [0111.213] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14094, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.213] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ff0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.213] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14194, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.213] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3d47f76c, dwHighDateTime=0x1d5f971)) [0111.213] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0111.213] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.213] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.213] GetProcessHeap () returned 0xbc0000 [0111.213] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x13f94) returned 0xbf2638 [0111.213] GetSystemDefaultLangID () returned 0xbd0409 [0111.213] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.213] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x13f94, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x13f94, lpOverlapped=0x0) returned 1 [0111.218] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.219] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x13f94, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x13f94, lpOverlapped=0x0) returned 1 [0111.219] GetProcessHeap () returned 0xbc0000 [0111.219] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.219] CloseHandle (hObject=0x270) returned 1 [0111.219] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3410 | out: hHeap=0x2680000) returned 1 [0111.219] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ff0 | out: hHeap=0x2680000) returned 1 [0111.219] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.219] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4208 | out: hHeap=0x2680000) returned 1 [0111.219] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.219] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pl-pl.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pl-pl.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pl-pl.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pl-pl.htm.nefilim")) returned 1 [0111.220] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.220] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.220] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea400ac7, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea400ac7, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x10ac4, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_pt-br.htm", cAlternateFileName="EULA_P~2.HTM")) returned 1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2=".") returned 1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="..") returned 1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="...") returned 1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="windows") returned -1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="rsa") returned -1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="NTDETECT.COM") returned -1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="ntldr") returned -1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="MSDOS.SYS") returned -1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="IO.SYS") returned -1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="boot.ini") returned 1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="ntuser.dat") returned -1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="desktop.ini") returned 1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="CONFIG.SYS") returned 1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="RECYCLER") returned -1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="bootmgr") returned 1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="programdata") returned -1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="appdata") returned 1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="program files") returned -1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="program files (x86)") returned -1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="microsoft") returned -1 [0111.220] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="sophos") returned -1 [0111.220] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0111.220] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.220] PathFindExtensionW (pszPath="EULA_pt-br.htm") returned=".htm" [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.221] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.221] lstrcmpiW (lpString1="EULA_pt-br.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.221] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0111.221] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-br.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-br.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0111.221] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=68292) returned 1 [0111.221] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0111.221] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d42e0 [0111.221] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0111.222] SystemFunction036 (in: RandomBuffer=0x29d42e0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d42e0) returned 1 [0111.222] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d30f8 [0111.222] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3620 [0111.222] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d30f8*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d30f8*, pdwDataLen=0x25be798*=0x100) returned 1 [0111.222] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3620*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3620*, pdwDataLen=0x25be794*=0x100) returned 1 [0111.222] GetTickCount () returned 0x115ce97 [0111.222] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e310 [0111.222] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e310 | out: hHeap=0x2680000) returned 1 [0111.222] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10ac4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.222] SetLastError (dwErrCode=0x0) [0111.222] WriteFile (in: hFile=0x270, lpBuffer=0x29d30f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d30f8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.275] GetLastError () returned 0x0 [0111.275] GetLastError () returned 0x0 [0111.275] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10bc4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.275] WriteFile (in: hFile=0x270, lpBuffer=0x29d3620*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3620*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.275] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x10cc4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.275] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3d517fd6, dwHighDateTime=0x1d5f971)) [0111.275] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0111.275] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.275] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.275] GetProcessHeap () returned 0xbc0000 [0111.275] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x10ac4) returned 0xbf2638 [0111.275] GetSystemDefaultLangID () returned 0xbd0409 [0111.275] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.275] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x10ac4, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x10ac4, lpOverlapped=0x0) returned 1 [0111.279] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.279] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x10ac4, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x10ac4, lpOverlapped=0x0) returned 1 [0111.280] GetProcessHeap () returned 0xbc0000 [0111.280] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.280] CloseHandle (hObject=0x270) returned 1 [0111.280] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d30f8 | out: hHeap=0x2680000) returned 1 [0111.280] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3620 | out: hHeap=0x2680000) returned 1 [0111.280] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.280] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d42e0 | out: hHeap=0x2680000) returned 1 [0111.280] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.280] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-br.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-br.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-br.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-br.htm.nefilim")) returned 1 [0111.280] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.280] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.281] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea401e7f, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea401e7f, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1158e, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_pt-pt.htm", cAlternateFileName="EULA_P~3.HTM")) returned 1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2=".") returned 1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="..") returned 1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="...") returned 1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="windows") returned -1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="rsa") returned -1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="NTDETECT.COM") returned -1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="ntldr") returned -1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="MSDOS.SYS") returned -1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="IO.SYS") returned -1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="boot.ini") returned 1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="ntuser.dat") returned -1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="desktop.ini") returned 1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="CONFIG.SYS") returned 1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="RECYCLER") returned -1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="bootmgr") returned 1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="programdata") returned -1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="appdata") returned 1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="program files") returned -1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="program files (x86)") returned -1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="microsoft") returned -1 [0111.281] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="sophos") returned -1 [0111.281] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0111.281] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.281] PathFindExtensionW (pszPath="EULA_pt-pt.htm") returned=".htm" [0111.281] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.281] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.281] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.281] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.281] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.281] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.282] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.282] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.282] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.282] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.282] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.282] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.282] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.282] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.282] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.282] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.282] lstrcmpiW (lpString1="EULA_pt-pt.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.282] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0111.282] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-pt.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-pt.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0111.282] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=71054) returned 1 [0111.282] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0111.282] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d42f8 [0111.282] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0111.282] SystemFunction036 (in: RandomBuffer=0x29d42f8, RandomBufferLength=0x10 | out: RandomBuffer=0x29d42f8) returned 1 [0111.282] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3728 [0111.282] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2cd8 [0111.283] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3728*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3728*, pdwDataLen=0x25be798*=0x100) returned 1 [0111.283] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2cd8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2cd8*, pdwDataLen=0x25be794*=0x100) returned 1 [0111.283] GetTickCount () returned 0x115ced5 [0111.283] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5b0 [0111.283] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5b0 | out: hHeap=0x2680000) returned 1 [0111.283] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1158e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.283] SetLastError (dwErrCode=0x0) [0111.283] WriteFile (in: hFile=0x270, lpBuffer=0x29d3728*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3728*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.285] GetLastError () returned 0x0 [0111.285] GetLastError () returned 0x0 [0111.285] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1168e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.285] WriteFile (in: hFile=0x270, lpBuffer=0x29d2cd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2cd8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.285] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1178e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.285] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3d517fd6, dwHighDateTime=0x1d5f971)) [0111.285] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0111.285] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.285] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.285] GetProcessHeap () returned 0xbc0000 [0111.285] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1158e) returned 0xbf2638 [0111.285] GetSystemDefaultLangID () returned 0xbd0409 [0111.285] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.285] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1158e, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x1158e, lpOverlapped=0x0) returned 1 [0111.289] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.289] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1158e, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x1158e, lpOverlapped=0x0) returned 1 [0111.289] GetProcessHeap () returned 0xbc0000 [0111.289] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.289] CloseHandle (hObject=0x270) returned 1 [0111.290] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3728 | out: hHeap=0x2680000) returned 1 [0111.290] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2cd8 | out: hHeap=0x2680000) returned 1 [0111.290] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.290] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d42f8 | out: hHeap=0x2680000) returned 1 [0111.290] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.290] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-pt.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-pt.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_pt-pt.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_pt-pt.htm.nefilim")) returned 1 [0111.290] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.290] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.290] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5c6190, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5c6190, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x13160, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_ro-ro.htm", cAlternateFileName="EULA_R~1.HTM")) returned 1 [0111.290] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2=".") returned 1 [0111.290] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="..") returned 1 [0111.290] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="...") returned 1 [0111.290] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="windows") returned -1 [0111.290] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.290] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="rsa") returned -1 [0111.290] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="NTDETECT.COM") returned -1 [0111.290] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="ntldr") returned -1 [0111.290] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="MSDOS.SYS") returned -1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="IO.SYS") returned -1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="boot.ini") returned 1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="ntuser.dat") returned -1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="desktop.ini") returned 1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="CONFIG.SYS") returned 1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="RECYCLER") returned -1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="bootmgr") returned 1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="programdata") returned -1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="appdata") returned 1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="program files") returned -1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="program files (x86)") returned -1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="microsoft") returned -1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="sophos") returned -1 [0111.291] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0111.291] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.291] PathFindExtensionW (pszPath="EULA_ro-ro.htm") returned=".htm" [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.291] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.291] lstrcmpiW (lpString1="EULA_ro-ro.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0111.292] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ro-ro.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ro-ro.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0111.292] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=78176) returned 1 [0111.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0111.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4130 [0111.292] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0111.292] SystemFunction036 (in: RandomBuffer=0x29d4130, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4130) returned 1 [0111.292] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2180 [0111.293] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2288 [0111.293] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2180*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2180*, pdwDataLen=0x25be798*=0x100) returned 1 [0111.294] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2288*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2288*, pdwDataLen=0x25be794*=0x100) returned 1 [0111.296] GetTickCount () returned 0x115cee5 [0111.296] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e3f0 [0111.296] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f0 | out: hHeap=0x2680000) returned 1 [0111.296] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x13160, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.296] SetLastError (dwErrCode=0x0) [0111.296] WriteFile (in: hFile=0x270, lpBuffer=0x29d2180*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2180*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.306] GetLastError () returned 0x0 [0111.306] GetLastError () returned 0x0 [0111.306] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x13260, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.306] WriteFile (in: hFile=0x270, lpBuffer=0x29d2288*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2288*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.306] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x13360, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.306] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3d564320, dwHighDateTime=0x1d5f971)) [0111.306] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0111.306] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.306] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.306] GetProcessHeap () returned 0xbc0000 [0111.306] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x13160) returned 0xbf2638 [0111.306] GetSystemDefaultLangID () returned 0xbd0409 [0111.306] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.306] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x13160, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x13160, lpOverlapped=0x0) returned 1 [0111.311] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.311] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x13160, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x13160, lpOverlapped=0x0) returned 1 [0111.312] GetProcessHeap () returned 0xbc0000 [0111.312] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.312] CloseHandle (hObject=0x270) returned 1 [0111.312] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2180 | out: hHeap=0x2680000) returned 1 [0111.312] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2288 | out: hHeap=0x2680000) returned 1 [0111.312] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.312] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4130 | out: hHeap=0x2680000) returned 1 [0111.312] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.312] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ro-ro.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ro-ro.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ro-ro.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ro-ro.htm.nefilim")) returned 1 [0111.312] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.312] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.312] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5cfdc2, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5cfdc2, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x454cc, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_ru-ru.htm", cAlternateFileName="EULA_R~2.HTM")) returned 1 [0111.312] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2=".") returned 1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="..") returned 1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="...") returned 1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="windows") returned -1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="rsa") returned -1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="NTDETECT.COM") returned -1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="ntldr") returned -1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="MSDOS.SYS") returned -1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="IO.SYS") returned -1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="boot.ini") returned 1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="ntuser.dat") returned -1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="desktop.ini") returned 1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="CONFIG.SYS") returned 1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="RECYCLER") returned -1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="bootmgr") returned 1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="programdata") returned -1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="appdata") returned 1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="program files") returned -1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="program files (x86)") returned -1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="microsoft") returned -1 [0111.313] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="sophos") returned -1 [0111.313] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0111.313] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.313] PathFindExtensionW (pszPath="EULA_ru-ru.htm") returned=".htm" [0111.313] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.313] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.313] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.313] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.313] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.313] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.313] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.313] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.313] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.313] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.314] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.314] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.314] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.314] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.314] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.314] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.314] lstrcmpiW (lpString1="EULA_ru-ru.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.314] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0111.314] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ru-ru.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ru-ru.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0111.314] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=283852) returned 1 [0111.314] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0111.314] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4178 [0111.314] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0111.314] SystemFunction036 (in: RandomBuffer=0x29d4178, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4178) returned 1 [0111.314] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2078 [0111.314] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3830 [0111.314] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2078*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2078*, pdwDataLen=0x25be798*=0x100) returned 1 [0111.315] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3830*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3830*, pdwDataLen=0x25be794*=0x100) returned 1 [0111.316] GetTickCount () returned 0x115cef5 [0111.316] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5b0 [0111.316] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5b0 | out: hHeap=0x2680000) returned 1 [0111.316] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x454cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.316] SetLastError (dwErrCode=0x0) [0111.316] WriteFile (in: hFile=0x270, lpBuffer=0x29d2078*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2078*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.352] GetLastError () returned 0x0 [0111.352] GetLastError () returned 0x0 [0111.352] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x455cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.352] WriteFile (in: hFile=0x270, lpBuffer=0x29d3830*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3830*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.352] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x456cc, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.352] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3d5d6ce7, dwHighDateTime=0x1d5f971)) [0111.352] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0111.352] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.352] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.352] GetProcessHeap () returned 0xbc0000 [0111.352] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x454cc) returned 0xbf2638 [0111.354] GetSystemDefaultLangID () returned 0xbd0409 [0111.354] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.354] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x454cc, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x454cc, lpOverlapped=0x0) returned 1 [0111.577] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.577] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x454cc, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x454cc, lpOverlapped=0x0) returned 1 [0111.578] GetProcessHeap () returned 0xbc0000 [0111.578] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.578] CloseHandle (hObject=0x270) returned 1 [0111.578] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2078 | out: hHeap=0x2680000) returned 1 [0111.578] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3830 | out: hHeap=0x2680000) returned 1 [0111.578] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.578] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4178 | out: hHeap=0x2680000) returned 1 [0111.578] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.578] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ru-ru.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ru-ru.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_ru-ru.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_ru-ru.htm.nefilim")) returned 1 [0111.579] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.579] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.579] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5cfdc2, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5cfdc2, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x14021, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_sk-sk.htm", cAlternateFileName="EULA_S~1.HTM")) returned 1 [0111.579] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2=".") returned 1 [0111.579] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="..") returned 1 [0111.579] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="...") returned 1 [0111.579] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="windows") returned -1 [0111.579] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.579] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="rsa") returned -1 [0111.579] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="NTDETECT.COM") returned -1 [0111.579] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="ntldr") returned -1 [0111.579] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="MSDOS.SYS") returned -1 [0111.579] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="IO.SYS") returned -1 [0111.579] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="boot.ini") returned 1 [0111.579] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.580] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="ntuser.dat") returned -1 [0111.580] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="desktop.ini") returned 1 [0111.580] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="CONFIG.SYS") returned 1 [0111.580] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="RECYCLER") returned -1 [0111.580] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.580] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="bootmgr") returned 1 [0111.580] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="programdata") returned -1 [0111.580] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="appdata") returned 1 [0111.580] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="program files") returned -1 [0111.580] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="program files (x86)") returned -1 [0111.580] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="microsoft") returned -1 [0111.580] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="sophos") returned -1 [0111.580] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0111.580] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.580] PathFindExtensionW (pszPath="EULA_sk-sk.htm") returned=".htm" [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.580] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.580] lstrcmpiW (lpString1="EULA_sk-sk.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.580] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0111.580] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sk-sk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sk-sk.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0111.581] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=81953) returned 1 [0111.581] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0111.581] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d41a8 [0111.581] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0111.581] SystemFunction036 (in: RandomBuffer=0x29d41a8, RandomBufferLength=0x10 | out: RandomBuffer=0x29d41a8) returned 1 [0111.581] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2bd0 [0111.581] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d27b0 [0111.581] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2bd0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2bd0*, pdwDataLen=0x25be798*=0x100) returned 1 [0111.583] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d27b0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d27b0*, pdwDataLen=0x25be794*=0x100) returned 1 [0111.585] GetTickCount () returned 0x115d00e [0111.585] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e428 [0111.585] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e428 | out: hHeap=0x2680000) returned 1 [0111.585] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14021, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.585] SetLastError (dwErrCode=0x0) [0111.585] WriteFile (in: hFile=0x270, lpBuffer=0x29d2bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2bd0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.586] GetLastError () returned 0x0 [0111.586] GetLastError () returned 0x0 [0111.587] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14121, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.587] WriteFile (in: hFile=0x270, lpBuffer=0x29d27b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d27b0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.587] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x14221, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.587] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3d812eb6, dwHighDateTime=0x1d5f971)) [0111.587] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0111.587] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.587] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.587] GetProcessHeap () returned 0xbc0000 [0111.587] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x14021) returned 0xbf2638 [0111.587] GetSystemDefaultLangID () returned 0xbd0409 [0111.587] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.587] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x14021, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x14021, lpOverlapped=0x0) returned 1 [0111.592] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.592] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x14021, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x14021, lpOverlapped=0x0) returned 1 [0111.592] GetProcessHeap () returned 0xbc0000 [0111.592] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.592] CloseHandle (hObject=0x270) returned 1 [0111.592] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2bd0 | out: hHeap=0x2680000) returned 1 [0111.593] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d27b0 | out: hHeap=0x2680000) returned 1 [0111.593] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.593] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d41a8 | out: hHeap=0x2680000) returned 1 [0111.593] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.593] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sk-sk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sk-sk.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sk-sk.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sk-sk.htm.nefilim")) returned 1 [0111.593] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.593] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.593] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5cfdc2, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5cfdc2, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1026f, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_sl-si.htm", cAlternateFileName="EULA_S~2.HTM")) returned 1 [0111.593] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2=".") returned 1 [0111.593] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="..") returned 1 [0111.593] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="...") returned 1 [0111.593] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="windows") returned -1 [0111.593] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.593] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="rsa") returned -1 [0111.593] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="NTDETECT.COM") returned -1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="ntldr") returned -1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="MSDOS.SYS") returned -1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="IO.SYS") returned -1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="boot.ini") returned 1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="ntuser.dat") returned -1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="desktop.ini") returned 1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="CONFIG.SYS") returned 1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="RECYCLER") returned -1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="bootmgr") returned 1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="programdata") returned -1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="appdata") returned 1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="program files") returned -1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="program files (x86)") returned -1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="microsoft") returned -1 [0111.594] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="sophos") returned -1 [0111.594] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0111.594] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.594] PathFindExtensionW (pszPath="EULA_sl-si.htm") returned=".htm" [0111.594] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.594] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.594] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.594] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.594] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.594] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.594] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.594] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.594] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.594] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.594] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.594] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.594] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.594] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.595] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.595] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.595] lstrcmpiW (lpString1="EULA_sl-si.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.595] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0111.595] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sl-si.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sl-si.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0111.595] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=66159) returned 1 [0111.595] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0111.595] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4160 [0111.595] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0111.595] SystemFunction036 (in: RandomBuffer=0x29d4160, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4160) returned 1 [0111.595] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3e60 [0111.595] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3518 [0111.595] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3e60*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3e60*, pdwDataLen=0x25be798*=0x100) returned 1 [0111.595] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3518*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3518*, pdwDataLen=0x25be794*=0x100) returned 1 [0111.596] GetTickCount () returned 0x115d00e [0111.596] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e3b8 [0111.596] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3b8 | out: hHeap=0x2680000) returned 1 [0111.596] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1026f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.596] SetLastError (dwErrCode=0x0) [0111.596] WriteFile (in: hFile=0x270, lpBuffer=0x29d3e60*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3e60*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.720] GetLastError () returned 0x0 [0111.720] GetLastError () returned 0x0 [0111.720] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1036f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.720] WriteFile (in: hFile=0x270, lpBuffer=0x29d3518*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3518*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.720] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1046f, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.720] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3d94401b, dwHighDateTime=0x1d5f971)) [0111.720] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0111.720] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.720] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.720] GetProcessHeap () returned 0xbc0000 [0111.720] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1026f) returned 0xbf2638 [0111.720] GetSystemDefaultLangID () returned 0xbd0409 [0111.720] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.720] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1026f, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x1026f, lpOverlapped=0x0) returned 1 [0111.724] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.724] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1026f, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x1026f, lpOverlapped=0x0) returned 1 [0111.724] GetProcessHeap () returned 0xbc0000 [0111.724] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.724] CloseHandle (hObject=0x270) returned 1 [0111.725] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3e60 | out: hHeap=0x2680000) returned 1 [0111.725] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3518 | out: hHeap=0x2680000) returned 1 [0111.725] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.725] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4160 | out: hHeap=0x2680000) returned 1 [0111.725] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.725] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sl-si.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sl-si.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sl-si.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sl-si.htm.nefilim")) returned 1 [0111.725] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.725] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.725] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5e364e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5e364e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x12720, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_sr-latn-cs.htm", cAlternateFileName="EULA_S~3.HTM")) returned 1 [0111.725] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2=".") returned 1 [0111.725] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="..") returned 1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="...") returned 1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="windows") returned -1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="rsa") returned -1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="NTDETECT.COM") returned -1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="ntldr") returned -1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="MSDOS.SYS") returned -1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="IO.SYS") returned -1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="boot.ini") returned 1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="ntuser.dat") returned -1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="desktop.ini") returned 1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="CONFIG.SYS") returned 1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="RECYCLER") returned -1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="bootmgr") returned 1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="programdata") returned -1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="appdata") returned 1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="program files") returned -1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="program files (x86)") returned -1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="microsoft") returned -1 [0111.726] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="sophos") returned -1 [0111.726] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e768 [0111.726] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.726] PathFindExtensionW (pszPath="EULA_sr-latn-cs.htm") returned=".htm" [0111.726] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.726] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.726] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.726] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.726] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.726] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.726] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.726] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.726] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.726] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.727] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.727] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.727] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.727] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.727] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.727] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.727] lstrcmpiW (lpString1="EULA_sr-latn-cs.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.727] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.727] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sr-latn-cs.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sr-latn-cs.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0111.728] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=75552) returned 1 [0111.728] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0111.728] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4388 [0111.728] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0111.728] SystemFunction036 (in: RandomBuffer=0x29d4388, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4388) returned 1 [0111.728] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2390 [0111.728] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d26a8 [0111.728] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2390*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2390*, pdwDataLen=0x25be798*=0x100) returned 1 [0111.728] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d26a8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d26a8*, pdwDataLen=0x25be794*=0x100) returned 1 [0111.728] GetTickCount () returned 0x115d09b [0111.728] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5b0 [0111.728] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5b0 | out: hHeap=0x2680000) returned 1 [0111.728] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12720, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.728] SetLastError (dwErrCode=0x0) [0111.728] WriteFile (in: hFile=0x270, lpBuffer=0x29d2390*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2390*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.730] GetLastError () returned 0x0 [0111.730] GetLastError () returned 0x0 [0111.730] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12820, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.730] WriteFile (in: hFile=0x270, lpBuffer=0x29d26a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d26a8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.730] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12920, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.730] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3d96a3a6, dwHighDateTime=0x1d5f971)) [0111.730] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e6f0 [0111.730] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.730] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.730] GetProcessHeap () returned 0xbc0000 [0111.730] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x12720) returned 0xbf2638 [0111.730] GetSystemDefaultLangID () returned 0xbd0409 [0111.730] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.730] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x12720, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x12720, lpOverlapped=0x0) returned 1 [0111.735] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.735] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x12720, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x12720, lpOverlapped=0x0) returned 1 [0111.735] GetProcessHeap () returned 0xbc0000 [0111.735] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.735] CloseHandle (hObject=0x270) returned 1 [0111.735] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2390 | out: hHeap=0x2680000) returned 1 [0111.735] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d26a8 | out: hHeap=0x2680000) returned 1 [0111.735] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.735] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4388 | out: hHeap=0x2680000) returned 1 [0111.735] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268ec90 [0111.735] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sr-latn-cs.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sr-latn-cs.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sr-latn-cs.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sr-latn-cs.htm.nefilim")) returned 1 [0111.736] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec90 | out: hHeap=0x2680000) returned 1 [0111.736] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.736] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5e364e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5e364e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x112f7, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_sv-se.htm", cAlternateFileName="EULA_S~4.HTM")) returned 1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2=".") returned 1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="..") returned 1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="...") returned 1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="windows") returned -1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="rsa") returned -1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="NTDETECT.COM") returned -1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="ntldr") returned -1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="MSDOS.SYS") returned -1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="IO.SYS") returned -1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="boot.ini") returned 1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="ntuser.dat") returned -1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="desktop.ini") returned 1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="CONFIG.SYS") returned 1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="RECYCLER") returned -1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="bootmgr") returned 1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="programdata") returned -1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="appdata") returned 1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="program files") returned -1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="program files (x86)") returned -1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="microsoft") returned -1 [0111.736] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="sophos") returned -1 [0111.737] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0111.737] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.737] PathFindExtensionW (pszPath="EULA_sv-se.htm") returned=".htm" [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.737] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.737] lstrcmpiW (lpString1="EULA_sv-se.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.737] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0111.737] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sv-se.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sv-se.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0111.737] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=70391) returned 1 [0111.737] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0111.738] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d42b0 [0111.738] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0111.738] SystemFunction036 (in: RandomBuffer=0x29d42b0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d42b0) returned 1 [0111.738] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ff0 [0111.738] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0111.738] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ff0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ff0*, pdwDataLen=0x25be798*=0x100) returned 1 [0111.739] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25be794*=0x100) returned 1 [0111.741] GetTickCount () returned 0x115d0aa [0111.741] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5e8 [0111.741] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5e8 | out: hHeap=0x2680000) returned 1 [0111.741] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x112f7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.741] SetLastError (dwErrCode=0x0) [0111.741] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ff0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ff0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.742] GetLastError () returned 0x0 [0111.742] GetLastError () returned 0x0 [0111.742] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x113f7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.742] WriteFile (in: hFile=0x270, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.743] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x114f7, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.743] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3d9905b2, dwHighDateTime=0x1d5f971)) [0111.743] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0111.743] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.743] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.743] GetProcessHeap () returned 0xbc0000 [0111.743] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x112f7) returned 0xbf2638 [0111.743] GetSystemDefaultLangID () returned 0xbd0409 [0111.743] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.743] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x112f7, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x112f7, lpOverlapped=0x0) returned 1 [0111.747] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.747] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x112f7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x112f7, lpOverlapped=0x0) returned 1 [0111.747] GetProcessHeap () returned 0xbc0000 [0111.747] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.747] CloseHandle (hObject=0x270) returned 1 [0111.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ff0 | out: hHeap=0x2680000) returned 1 [0111.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0111.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d42b0 | out: hHeap=0x2680000) returned 1 [0111.748] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.748] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sv-se.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sv-se.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_sv-se.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_sv-se.htm.nefilim")) returned 1 [0111.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.748] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.748] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5e364e, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5e364e, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x3e0c1, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_th-th.htm", cAlternateFileName="EULA_T~1.HTM")) returned 1 [0111.748] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2=".") returned 1 [0111.748] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="..") returned 1 [0111.748] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="...") returned 1 [0111.748] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="windows") returned -1 [0111.748] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.748] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="rsa") returned -1 [0111.748] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="NTDETECT.COM") returned -1 [0111.748] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="ntldr") returned -1 [0111.748] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="MSDOS.SYS") returned -1 [0111.748] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="IO.SYS") returned -1 [0111.748] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="boot.ini") returned 1 [0111.749] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.749] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="ntuser.dat") returned -1 [0111.749] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="desktop.ini") returned 1 [0111.749] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="CONFIG.SYS") returned 1 [0111.749] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="RECYCLER") returned -1 [0111.749] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.749] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="bootmgr") returned 1 [0111.749] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="programdata") returned -1 [0111.749] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="appdata") returned 1 [0111.749] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="program files") returned -1 [0111.749] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="program files (x86)") returned -1 [0111.749] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="microsoft") returned -1 [0111.749] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="sophos") returned -1 [0111.749] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0111.749] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.749] PathFindExtensionW (pszPath="EULA_th-th.htm") returned=".htm" [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.749] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.749] lstrcmpiW (lpString1="EULA_th-th.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.749] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0111.749] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_th-th.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_th-th.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0111.750] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=254145) returned 1 [0111.750] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0111.750] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d43d0 [0111.750] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0111.750] SystemFunction036 (in: RandomBuffer=0x29d43d0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d43d0) returned 1 [0111.750] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d26a8 [0111.750] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2288 [0111.750] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d26a8*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d26a8*, pdwDataLen=0x25be798*=0x100) returned 1 [0111.750] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2288*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2288*, pdwDataLen=0x25be794*=0x100) returned 1 [0111.752] GetTickCount () returned 0x115d0aa [0111.752] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5b0 [0111.752] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5b0 | out: hHeap=0x2680000) returned 1 [0111.752] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3e0c1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.752] SetLastError (dwErrCode=0x0) [0111.752] WriteFile (in: hFile=0x270, lpBuffer=0x29d26a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d26a8*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.800] GetLastError () returned 0x0 [0111.800] GetLastError () returned 0x0 [0111.800] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3e1c1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.800] WriteFile (in: hFile=0x270, lpBuffer=0x29d2288*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2288*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.800] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x3e2c1, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.800] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3da03016, dwHighDateTime=0x1d5f971)) [0111.800] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0111.800] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.800] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.800] GetProcessHeap () returned 0xbc0000 [0111.800] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x3e0c1) returned 0xbf2638 [0111.802] GetSystemDefaultLangID () returned 0xbd0409 [0111.802] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.802] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x3e0c1, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x3e0c1, lpOverlapped=0x0) returned 1 [0111.818] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.818] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x3e0c1, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x3e0c1, lpOverlapped=0x0) returned 1 [0111.819] GetProcessHeap () returned 0xbc0000 [0111.819] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.819] CloseHandle (hObject=0x270) returned 1 [0111.819] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d26a8 | out: hHeap=0x2680000) returned 1 [0111.819] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2288 | out: hHeap=0x2680000) returned 1 [0111.819] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.819] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d43d0 | out: hHeap=0x2680000) returned 1 [0111.819] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.819] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_th-th.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_th-th.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_th-th.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_th-th.htm.nefilim")) returned 1 [0111.820] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.820] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.820] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5ed27d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5ed27d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x12581, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_tr-tr.htm", cAlternateFileName="EULA_T~2.HTM")) returned 1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2=".") returned 1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="..") returned 1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="...") returned 1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="windows") returned -1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="rsa") returned -1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="NTDETECT.COM") returned -1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="ntldr") returned -1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="MSDOS.SYS") returned -1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="IO.SYS") returned -1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="boot.ini") returned 1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="ntuser.dat") returned -1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="desktop.ini") returned 1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="CONFIG.SYS") returned 1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="RECYCLER") returned -1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="bootmgr") returned 1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="programdata") returned -1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="appdata") returned 1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="program files") returned -1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="program files (x86)") returned -1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="microsoft") returned -1 [0111.820] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="sophos") returned -1 [0111.820] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0111.820] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.821] PathFindExtensionW (pszPath="EULA_tr-tr.htm") returned=".htm" [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.821] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.821] lstrcmpiW (lpString1="EULA_tr-tr.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.821] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0111.821] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_tr-tr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_tr-tr.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0111.821] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=75137) returned 1 [0111.822] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0111.822] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4238 [0111.822] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0111.822] SystemFunction036 (in: RandomBuffer=0x29d4238, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4238) returned 1 [0111.822] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3a40 [0111.822] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d27b0 [0111.822] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3a40*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3a40*, pdwDataLen=0x25be798*=0x100) returned 1 [0111.824] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d27b0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d27b0*, pdwDataLen=0x25be794*=0x100) returned 1 [0111.825] GetTickCount () returned 0x115d0f8 [0111.825] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e3b8 [0111.825] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3b8 | out: hHeap=0x2680000) returned 1 [0111.825] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12581, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.825] SetLastError (dwErrCode=0x0) [0111.825] WriteFile (in: hFile=0x270, lpBuffer=0x29d3a40*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3a40*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.827] GetLastError () returned 0x0 [0111.827] GetLastError () returned 0x0 [0111.827] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12681, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.827] WriteFile (in: hFile=0x270, lpBuffer=0x29d27b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d27b0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.827] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x12781, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.827] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3da4f41e, dwHighDateTime=0x1d5f971)) [0111.827] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0111.827] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.827] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.827] GetProcessHeap () returned 0xbc0000 [0111.827] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x12581) returned 0xbf2638 [0111.827] GetSystemDefaultLangID () returned 0xbd0409 [0111.827] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.827] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x12581, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x12581, lpOverlapped=0x0) returned 1 [0111.832] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.832] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x12581, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x12581, lpOverlapped=0x0) returned 1 [0111.832] GetProcessHeap () returned 0xbc0000 [0111.832] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.832] CloseHandle (hObject=0x270) returned 1 [0111.832] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3a40 | out: hHeap=0x2680000) returned 1 [0111.832] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d27b0 | out: hHeap=0x2680000) returned 1 [0111.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4238 | out: hHeap=0x2680000) returned 1 [0111.833] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.833] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_tr-tr.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_tr-tr.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_tr-tr.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_tr-tr.htm.nefilim")) returned 1 [0111.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.833] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.833] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5ed27d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5ed27d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x411eb, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_uk-ua.htm", cAlternateFileName="EULA_U~1.HTM")) returned 1 [0111.833] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2=".") returned 1 [0111.833] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="..") returned 1 [0111.833] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="...") returned 1 [0111.833] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="windows") returned -1 [0111.833] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.833] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="rsa") returned -1 [0111.833] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="NTDETECT.COM") returned -1 [0111.833] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="ntldr") returned -1 [0111.833] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="MSDOS.SYS") returned -1 [0111.834] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="IO.SYS") returned -1 [0111.834] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="boot.ini") returned 1 [0111.834] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.834] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="ntuser.dat") returned -1 [0111.834] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="desktop.ini") returned 1 [0111.834] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="CONFIG.SYS") returned 1 [0111.834] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="RECYCLER") returned -1 [0111.834] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.834] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="bootmgr") returned 1 [0111.834] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="programdata") returned -1 [0111.902] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="appdata") returned 1 [0111.902] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="program files") returned -1 [0111.902] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="program files (x86)") returned -1 [0111.902] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="microsoft") returned -1 [0111.902] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="sophos") returned -1 [0111.902] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0111.902] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.902] PathFindExtensionW (pszPath="EULA_uk-ua.htm") returned=".htm" [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.902] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.902] lstrcmpiW (lpString1="EULA_uk-ua.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.902] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0111.902] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_uk-ua.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_uk-ua.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0111.903] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=266731) returned 1 [0111.904] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0111.904] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d42e0 [0111.904] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0111.904] SystemFunction036 (in: RandomBuffer=0x29d42e0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d42e0) returned 1 [0111.904] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3e60 [0111.904] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2bd0 [0111.904] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3e60*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3e60*, pdwDataLen=0x25be798*=0x100) returned 1 [0111.904] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2bd0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2bd0*, pdwDataLen=0x25be794*=0x100) returned 1 [0111.904] GetTickCount () returned 0x115d146 [0111.904] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e508 [0111.904] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e508 | out: hHeap=0x2680000) returned 1 [0111.904] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x411eb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.904] SetLastError (dwErrCode=0x0) [0111.904] WriteFile (in: hFile=0x270, lpBuffer=0x29d3e60*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3e60*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.906] GetLastError () returned 0x0 [0111.906] GetLastError () returned 0x0 [0111.906] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x412eb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.906] WriteFile (in: hFile=0x270, lpBuffer=0x29d2bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2bd0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.906] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x413eb, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.906] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3db0df44, dwHighDateTime=0x1d5f971)) [0111.906] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0111.906] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.906] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.906] GetProcessHeap () returned 0xbc0000 [0111.906] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x411eb) returned 0xbf2638 [0111.907] GetSystemDefaultLangID () returned 0xbd0409 [0111.907] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.907] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x411eb, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x411eb, lpOverlapped=0x0) returned 1 [0111.922] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.922] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x411eb, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x411eb, lpOverlapped=0x0) returned 1 [0111.923] GetProcessHeap () returned 0xbc0000 [0111.923] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.923] CloseHandle (hObject=0x270) returned 1 [0111.923] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3e60 | out: hHeap=0x2680000) returned 1 [0111.923] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2bd0 | out: hHeap=0x2680000) returned 1 [0111.923] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.923] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d42e0 | out: hHeap=0x2680000) returned 1 [0111.923] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.923] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_uk-ua.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_uk-ua.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_uk-ua.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_uk-ua.htm.nefilim")) returned 1 [0111.924] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.924] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.924] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5ed27d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5ed27d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1ed21, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_zh-cn.htm", cAlternateFileName="EULA_Z~1.HTM")) returned 1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2=".") returned 1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="..") returned 1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="...") returned 1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="windows") returned -1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="rsa") returned -1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="NTDETECT.COM") returned -1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="ntldr") returned -1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="MSDOS.SYS") returned -1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="IO.SYS") returned -1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="boot.ini") returned 1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="ntuser.dat") returned -1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="desktop.ini") returned 1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="CONFIG.SYS") returned 1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="RECYCLER") returned -1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="bootmgr") returned 1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="programdata") returned -1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="appdata") returned 1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="program files") returned -1 [0111.924] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="program files (x86)") returned -1 [0111.925] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="microsoft") returned -1 [0111.925] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="sophos") returned -1 [0111.925] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0111.925] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.925] PathFindExtensionW (pszPath="EULA_zh-cn.htm") returned=".htm" [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.925] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.925] lstrcmpiW (lpString1="EULA_zh-cn.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.925] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0111.925] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-cn.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-cn.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0111.926] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=126241) returned 1 [0111.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0111.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4370 [0111.926] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0111.926] SystemFunction036 (in: RandomBuffer=0x29d4370, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4370) returned 1 [0111.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3d58 [0111.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2180 [0111.926] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3d58*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d3d58*, pdwDataLen=0x25be798*=0x100) returned 1 [0111.926] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2180*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d2180*, pdwDataLen=0x25be794*=0x100) returned 1 [0111.926] GetTickCount () returned 0x115d156 [0111.926] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e498 [0111.926] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e498 | out: hHeap=0x2680000) returned 1 [0111.926] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1ed21, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.927] SetLastError (dwErrCode=0x0) [0111.927] WriteFile (in: hFile=0x270, lpBuffer=0x29d3d58*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3d58*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.928] GetLastError () returned 0x0 [0111.928] GetLastError () returned 0x0 [0111.928] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1ee21, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.928] WriteFile (in: hFile=0x270, lpBuffer=0x29d2180*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2180*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.928] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x1ef21, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.928] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3db5a22f, dwHighDateTime=0x1d5f971)) [0111.928] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0111.928] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.928] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.929] GetProcessHeap () returned 0xbc0000 [0111.929] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1ed21) returned 0xbf2638 [0111.929] GetSystemDefaultLangID () returned 0xbd0409 [0111.929] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.929] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x1ed21, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x1ed21, lpOverlapped=0x0) returned 1 [0111.936] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.936] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x1ed21, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x1ed21, lpOverlapped=0x0) returned 1 [0111.937] GetProcessHeap () returned 0xbc0000 [0111.937] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.937] CloseHandle (hObject=0x270) returned 1 [0111.937] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3d58 | out: hHeap=0x2680000) returned 1 [0111.937] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2180 | out: hHeap=0x2680000) returned 1 [0111.937] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.937] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4370 | out: hHeap=0x2680000) returned 1 [0111.937] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.937] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-cn.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-cn.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-cn.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-cn.htm.nefilim")) returned 1 [0111.938] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.938] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.938] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5f6eb5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x23ec4, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_zh-hk.htm", cAlternateFileName="EULA_Z~2.HTM")) returned 1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2=".") returned 1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="..") returned 1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="...") returned 1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="windows") returned -1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="rsa") returned -1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="NTDETECT.COM") returned -1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="ntldr") returned -1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="MSDOS.SYS") returned -1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="IO.SYS") returned -1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="boot.ini") returned 1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="ntuser.dat") returned -1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="desktop.ini") returned 1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="CONFIG.SYS") returned 1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="RECYCLER") returned -1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="bootmgr") returned 1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="programdata") returned -1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="appdata") returned 1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="program files") returned -1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="program files (x86)") returned -1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="microsoft") returned -1 [0111.938] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="sophos") returned -1 [0111.938] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0111.938] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.939] PathFindExtensionW (pszPath="EULA_zh-hk.htm") returned=".htm" [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.939] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.939] lstrcmpiW (lpString1="EULA_zh-hk.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.939] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0111.939] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-hk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-hk.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0111.939] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=147140) returned 1 [0111.939] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0111.940] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4280 [0111.940] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0111.940] SystemFunction036 (in: RandomBuffer=0x29d4280, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4280) returned 1 [0111.940] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2bd0 [0111.940] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3308 [0111.940] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2bd0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d2bd0*, pdwDataLen=0x25be798*=0x100) returned 1 [0111.942] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3308*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d3308*, pdwDataLen=0x25be794*=0x100) returned 1 [0111.943] GetTickCount () returned 0x115d166 [0111.943] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e690 [0111.943] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0111.943] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x23ec4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.984] SetLastError (dwErrCode=0x0) [0111.984] WriteFile (in: hFile=0x270, lpBuffer=0x29d2bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d2bd0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.986] GetLastError () returned 0x0 [0111.986] GetLastError () returned 0x0 [0111.986] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x23fc4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.986] WriteFile (in: hFile=0x270, lpBuffer=0x29d3308*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d3308*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0111.986] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x240c4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.986] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3dbccb31, dwHighDateTime=0x1d5f971)) [0111.986] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0111.986] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.986] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0111.987] GetProcessHeap () returned 0xbc0000 [0111.987] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x23ec4) returned 0xbf2638 [0111.987] GetSystemDefaultLangID () returned 0xbd0409 [0111.987] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.987] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x23ec4, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x23ec4, lpOverlapped=0x0) returned 1 [0111.997] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0111.997] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x23ec4, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x23ec4, lpOverlapped=0x0) returned 1 [0111.997] GetProcessHeap () returned 0xbc0000 [0111.997] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0111.997] CloseHandle (hObject=0x270) returned 1 [0111.997] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2bd0 | out: hHeap=0x2680000) returned 1 [0111.997] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3308 | out: hHeap=0x2680000) returned 1 [0111.997] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0111.997] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4280 | out: hHeap=0x2680000) returned 1 [0111.997] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0111.998] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-hk.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-hk.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-hk.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-hk.htm.nefilim")) returned 1 [0111.998] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0111.998] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0111.998] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5f6eb5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x23ec4, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_zh-tw.htm", cAlternateFileName="EULA_Z~3.HTM")) returned 1 [0111.998] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2=".") returned 1 [0111.998] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="..") returned 1 [0111.998] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="...") returned 1 [0111.998] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="windows") returned -1 [0111.998] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="$RECYCLE.BIN") returned 1 [0111.998] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="rsa") returned -1 [0111.998] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="NTDETECT.COM") returned -1 [0111.998] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="ntldr") returned -1 [0111.998] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="MSDOS.SYS") returned -1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="IO.SYS") returned -1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="boot.ini") returned 1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="AUTOEXEC.BAT") returned 1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="ntuser.dat") returned -1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="desktop.ini") returned 1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="CONFIG.SYS") returned 1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="RECYCLER") returned -1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="BOOTSECT.BAK") returned 1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="bootmgr") returned 1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="programdata") returned -1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="appdata") returned 1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="program files") returned -1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="program files (x86)") returned -1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="microsoft") returned -1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="sophos") returned -1 [0111.999] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e6f0 [0111.999] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0111.999] PathFindExtensionW (pszPath="EULA_zh-tw.htm") returned=".htm" [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".exe") returned 1 [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".log") returned -1 [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".cab") returned 1 [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".cmd") returned 1 [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".com") returned 1 [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".cpl") returned 1 [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".ini") returned -1 [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".dll") returned 1 [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".url") returned -1 [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".ttf") returned -1 [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".mp3") returned -1 [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".pif") returned -1 [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".mp4") returned -1 [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".NEFILIM") returned -1 [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".msi") returned -1 [0111.999] lstrcmpiW (lpString1=".htm", lpString2=".lnk") returned -1 [0111.999] lstrcmpiW (lpString1="EULA_zh-tw.htm", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0111.999] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e768 [0112.000] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-tw.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-tw.htm"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x270 [0112.000] GetFileSizeEx (in: hFile=0x270, lpFileSize=0x25be7d8 | out: lpFileSize=0x25be7d8*=147140) returned 1 [0112.000] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.000] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d42e0 [0112.000] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.000] SystemFunction036 (in: RandomBuffer=0x29d42e0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d42e0) returned 1 [0112.000] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d27b0 [0112.000] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d25a0 [0112.000] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d27b0*, pdwDataLen=0x25be798*=0x10, dwBufLen=0x100 | out: pbData=0x29d27b0*, pdwDataLen=0x25be798*=0x100) returned 1 [0112.000] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d25a0*, pdwDataLen=0x25be794*=0x10, dwBufLen=0x100 | out: pbData=0x29d25a0*, pdwDataLen=0x25be794*=0x100) returned 1 [0112.002] GetTickCount () returned 0x115d1a4 [0112.002] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e310 [0112.002] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e310 | out: hHeap=0x2680000) returned 1 [0112.002] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x23ec4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.002] SetLastError (dwErrCode=0x0) [0112.002] WriteFile (in: hFile=0x270, lpBuffer=0x29d27b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d27b0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0112.006] GetLastError () returned 0x0 [0112.006] GetLastError () returned 0x0 [0112.006] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x23fc4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.006] WriteFile (in: hFile=0x270, lpBuffer=0x29d25a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x29d25a0*, lpNumberOfBytesWritten=0x25be7f0*=0x100, lpOverlapped=0x0) returned 1 [0112.006] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x240c4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.006] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be7ac | out: lpSystemTimeAsFileTime=0x25be7ac*(dwLowDateTime=0x3dc18d2d, dwHighDateTime=0x1d5f971)) [0112.006] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268ec08 [0112.006] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0112.006] WriteFile (in: hFile=0x270, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be7f0*=0x7, lpOverlapped=0x0) returned 1 [0112.006] GetProcessHeap () returned 0xbc0000 [0112.006] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x23ec4) returned 0xbf2638 [0112.007] GetSystemDefaultLangID () returned 0xbd0409 [0112.007] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.007] ReadFile (in: hFile=0x270, lpBuffer=0xbf2638, nNumberOfBytesToRead=0x23ec4, lpNumberOfBytesRead=0x25be7fc, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesRead=0x25be7fc*=0x23ec4, lpOverlapped=0x0) returned 1 [0112.016] SetFilePointerEx (in: hFile=0x270, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.016] WriteFile (in: hFile=0x270, lpBuffer=0xbf2638*, nNumberOfBytesToWrite=0x23ec4, lpNumberOfBytesWritten=0x25be7f0, lpOverlapped=0x0 | out: lpBuffer=0xbf2638*, lpNumberOfBytesWritten=0x25be7f0*=0x23ec4, lpOverlapped=0x0) returned 1 [0112.017] GetProcessHeap () returned 0xbc0000 [0112.017] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf2638 | out: hHeap=0xbc0000) returned 1 [0112.017] CloseHandle (hObject=0x270) returned 1 [0112.017] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d27b0 | out: hHeap=0x2680000) returned 1 [0112.017] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d25a0 | out: hHeap=0x2680000) returned 1 [0112.017] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.017] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d42e0 | out: hHeap=0x2680000) returned 1 [0112.017] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ec08 [0112.017] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-tw.htm" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-tw.htm"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\EULA\\EULA_zh-tw.htm.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula\\eula_zh-tw.htm.nefilim")) returned 1 [0112.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0112.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e768 | out: hHeap=0x2680000) returned 1 [0112.018] FindNextFileW (in: hFindFile=0xbe2748, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5f6eb5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x23ec4, dwReserved0=0x268be08, dwReserved1=0x3000000, cFileName="EULA_zh-tw.htm", cAlternateFileName="EULA_Z~3.HTM")) returned 0 [0112.018] FindClose (in: hFindFile=0xbe2748 | out: hFindFile=0xbe2748) returned 1 [0112.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0112.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0112.018] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.018] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5f6eb5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x626300, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x52, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="eula.css", cAlternateFileName="")) returned 1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2=".") returned 1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="..") returned 1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="...") returned 1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="windows") returned -1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="$RECYCLE.BIN") returned 1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="rsa") returned -1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="NTDETECT.COM") returned -1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="ntldr") returned -1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="MSDOS.SYS") returned -1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="IO.SYS") returned -1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="boot.ini") returned 1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="AUTOEXEC.BAT") returned 1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="ntuser.dat") returned -1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="desktop.ini") returned 1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="CONFIG.SYS") returned 1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="RECYCLER") returned -1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="BOOTSECT.BAK") returned 1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="bootmgr") returned 1 [0112.018] lstrcmpiW (lpString1="eula.css", lpString2="programdata") returned -1 [0112.019] lstrcmpiW (lpString1="eula.css", lpString2="appdata") returned 1 [0112.019] lstrcmpiW (lpString1="eula.css", lpString2="program files") returned -1 [0112.019] lstrcmpiW (lpString1="eula.css", lpString2="program files (x86)") returned -1 [0112.019] lstrcmpiW (lpString1="eula.css", lpString2="microsoft") returned -1 [0112.019] lstrcmpiW (lpString1="eula.css", lpString2="sophos") returned -1 [0112.019] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0112.019] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0112.019] PathFindExtensionW (pszPath="eula.css") returned=".css" [0112.019] lstrcmpiW (lpString1=".css", lpString2=".exe") returned -1 [0112.019] lstrcmpiW (lpString1=".css", lpString2=".log") returned -1 [0112.019] lstrcmpiW (lpString1=".css", lpString2=".cab") returned 1 [0112.019] lstrcmpiW (lpString1=".css", lpString2=".cmd") returned 1 [0112.019] lstrcmpiW (lpString1=".css", lpString2=".com") returned 1 [0112.019] lstrcmpiW (lpString1=".css", lpString2=".cpl") returned 1 [0112.019] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0112.019] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0112.019] lstrcmpiW (lpString1=".css", lpString2=".url") returned -1 [0112.019] lstrcmpiW (lpString1=".css", lpString2=".ttf") returned -1 [0112.019] lstrcmpiW (lpString1=".css", lpString2=".mp3") returned -1 [0112.019] lstrcmpiW (lpString1=".css", lpString2=".pif") returned -1 [0112.019] lstrcmpiW (lpString1=".css", lpString2=".mp4") returned -1 [0112.019] lstrcmpiW (lpString1=".css", lpString2=".NEFILIM") returned -1 [0112.019] lstrcmpiW (lpString1=".css", lpString2=".msi") returned -1 [0112.019] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0112.019] lstrcmpiW (lpString1="eula.css", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0112.019] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0112.019] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\eula.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0112.020] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=82) returned 1 [0112.020] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.020] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d43a0 [0112.020] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.020] SystemFunction036 (in: RandomBuffer=0x29d43a0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d43a0) returned 1 [0112.020] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2de0 [0112.020] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3308 [0112.020] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2de0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2de0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0112.021] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3308*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3308*, pdwDataLen=0x25beab4*=0x100) returned 1 [0112.021] GetTickCount () returned 0x115d1b4 [0112.021] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e690 [0112.021] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0112.021] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x52, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.021] SetLastError (dwErrCode=0x0) [0112.021] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2de0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2de0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.048] GetLastError () returned 0x0 [0112.048] GetLastError () returned 0x0 [0112.048] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x152, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.048] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3308*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3308*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.048] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x252, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.048] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3dc65566, dwHighDateTime=0x1d5f971)) [0112.048] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be60 [0112.048] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0112.048] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0112.048] GetProcessHeap () returned 0xbc0000 [0112.048] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x52) returned 0xbdff58 [0112.048] GetSystemDefaultLangID () returned 0xbd0409 [0112.048] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.048] ReadFile (in: hFile=0x26c, lpBuffer=0xbdff58, nNumberOfBytesToRead=0x52, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbdff58*, lpNumberOfBytesRead=0x25beb1c*=0x52, lpOverlapped=0x0) returned 1 [0112.048] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.048] WriteFile (in: hFile=0x26c, lpBuffer=0xbdff58*, nNumberOfBytesToWrite=0x52, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbdff58*, lpNumberOfBytesWritten=0x25beb10*=0x52, lpOverlapped=0x0) returned 1 [0112.048] GetProcessHeap () returned 0xbc0000 [0112.048] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbdff58 | out: hHeap=0xbc0000) returned 1 [0112.048] CloseHandle (hObject=0x26c) returned 1 [0112.049] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2de0 | out: hHeap=0x2680000) returned 1 [0112.049] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3308 | out: hHeap=0x2680000) returned 1 [0112.049] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.049] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d43a0 | out: hHeap=0x2680000) returned 1 [0112.049] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0112.049] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\eula.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\eula.css.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\eula.css.nefilim")) returned 1 [0112.051] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0112.051] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0112.051] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea5f6eb5, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea5f6eb5, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xef0, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="GetStarted.png", cAlternateFileName="GETSTA~1.PNG")) returned 1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2=".") returned 1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="..") returned 1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="...") returned 1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="windows") returned -1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="$RECYCLE.BIN") returned 1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="rsa") returned -1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="NTDETECT.COM") returned -1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="ntldr") returned -1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="MSDOS.SYS") returned -1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="IO.SYS") returned -1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="boot.ini") returned 1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="AUTOEXEC.BAT") returned 1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="ntuser.dat") returned -1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="desktop.ini") returned 1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="CONFIG.SYS") returned 1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="RECYCLER") returned -1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="BOOTSECT.BAK") returned 1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="bootmgr") returned 1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="programdata") returned -1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="appdata") returned 1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="program files") returned -1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="program files (x86)") returned -1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="microsoft") returned -1 [0112.051] lstrcmpiW (lpString1="GetStarted.png", lpString2="sophos") returned -1 [0112.051] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bdf8 [0112.051] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.051] PathFindExtensionW (pszPath="GetStarted.png") returned=".png" [0112.051] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0112.051] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0112.051] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0112.051] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0112.052] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0112.052] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0112.052] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0112.052] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0112.052] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0112.052] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0112.052] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0112.052] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0112.052] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0112.052] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0112.052] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0112.052] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0112.052] lstrcmpiW (lpString1="GetStarted.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0112.052] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268bd90 [0112.052] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStarted.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstarted.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0112.052] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=3824) returned 1 [0112.052] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.052] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4100 [0112.053] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.053] SystemFunction036 (in: RandomBuffer=0x29d4100, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4100) returned 1 [0112.053] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3200 [0112.053] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d30f8 [0112.053] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3200*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d3200*, pdwDataLen=0x25beab8*=0x100) returned 1 [0112.053] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d30f8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d30f8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0112.054] GetTickCount () returned 0x115d1e3 [0112.054] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e3f0 [0112.054] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f0 | out: hHeap=0x2680000) returned 1 [0112.054] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xef0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.054] SetLastError (dwErrCode=0x0) [0112.054] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3200*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.055] GetLastError () returned 0x0 [0112.055] GetLastError () returned 0x0 [0112.055] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xff0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.055] WriteFile (in: hFile=0x26c, lpBuffer=0x29d30f8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d30f8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.056] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x10f0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.056] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3dc8b52c, dwHighDateTime=0x1d5f971)) [0112.056] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be60 [0112.056] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0112.056] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0112.056] GetProcessHeap () returned 0xbc0000 [0112.056] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xef0) returned 0xbf1630 [0112.056] GetSystemDefaultLangID () returned 0xbd0409 [0112.056] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.056] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xef0, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xef0, lpOverlapped=0x0) returned 1 [0112.056] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.056] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xef0, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xef0, lpOverlapped=0x0) returned 1 [0112.056] GetProcessHeap () returned 0xbc0000 [0112.056] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0112.057] CloseHandle (hObject=0x26c) returned 1 [0112.057] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3200 | out: hHeap=0x2680000) returned 1 [0112.057] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d30f8 | out: hHeap=0x2680000) returned 1 [0112.057] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.057] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4100 | out: hHeap=0x2680000) returned 1 [0112.057] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be60 [0112.057] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStarted.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstarted.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStarted.png.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstarted.png.nefilim")) returned 1 [0112.057] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be60 | out: hHeap=0x2680000) returned 1 [0112.057] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.057] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea600acc, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea600acc, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xfe3, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="GetStartedHoverOver.png", cAlternateFileName="GETSTA~2.PNG")) returned 1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2=".") returned 1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="..") returned 1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="...") returned 1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="windows") returned -1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="$RECYCLE.BIN") returned 1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="rsa") returned -1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="NTDETECT.COM") returned -1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="ntldr") returned -1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="MSDOS.SYS") returned -1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="IO.SYS") returned -1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="boot.ini") returned 1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="AUTOEXEC.BAT") returned 1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="ntuser.dat") returned -1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="desktop.ini") returned 1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="CONFIG.SYS") returned 1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="RECYCLER") returned -1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="BOOTSECT.BAK") returned 1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="bootmgr") returned 1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="programdata") returned -1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="appdata") returned 1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="program files") returned -1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="program files (x86)") returned -1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="microsoft") returned -1 [0112.058] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="sophos") returned -1 [0112.058] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e6f0 [0112.058] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bdf8 | out: hHeap=0x2680000) returned 1 [0112.058] PathFindExtensionW (pszPath="GetStartedHoverOver.png") returned=".png" [0112.058] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0112.058] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0112.058] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0112.058] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0112.058] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0112.059] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0112.059] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0112.059] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0112.059] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0112.059] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0112.059] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0112.059] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0112.059] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0112.059] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0112.059] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0112.059] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0112.059] lstrcmpiW (lpString1="GetStartedHoverOver.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0112.059] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e778 [0112.059] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStartedHoverOver.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstartedhoverover.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0112.059] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=4067) returned 1 [0112.059] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.059] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4148 [0112.059] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.059] SystemFunction036 (in: RandomBuffer=0x29d4148, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4148) returned 1 [0112.059] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3e60 [0112.059] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3410 [0112.060] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3e60*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d3e60*, pdwDataLen=0x25beab8*=0x100) returned 1 [0112.061] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3410*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3410*, pdwDataLen=0x25beab4*=0x100) returned 1 [0112.063] GetTickCount () returned 0x115d1e3 [0112.063] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e690 [0112.063] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0112.063] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xfe3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.063] SetLastError (dwErrCode=0x0) [0112.063] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3e60*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3e60*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.064] GetLastError () returned 0x0 [0112.064] GetLastError () returned 0x0 [0112.064] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x10e3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.064] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3410*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.065] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x11e3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.065] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3dc8b52c, dwHighDateTime=0x1d5f971)) [0112.065] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0112.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.065] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0112.065] GetProcessHeap () returned 0xbc0000 [0112.065] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xfe3) returned 0xbf1630 [0112.065] GetSystemDefaultLangID () returned 0xbd0409 [0112.065] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.065] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xfe3, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xfe3, lpOverlapped=0x0) returned 1 [0112.065] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.065] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xfe3, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xfe3, lpOverlapped=0x0) returned 1 [0112.065] GetProcessHeap () returned 0xbc0000 [0112.065] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0112.065] CloseHandle (hObject=0x26c) returned 1 [0112.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3e60 | out: hHeap=0x2680000) returned 1 [0112.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3410 | out: hHeap=0x2680000) returned 1 [0112.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.065] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4148 | out: hHeap=0x2680000) returned 1 [0112.066] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0112.066] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStartedHoverOver.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstartedhoverover.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\GetStartedHoverOver.png.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\getstartedhoverover.png.nefilim")) returned 1 [0112.066] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.066] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e778 | out: hHeap=0x2680000) returned 1 [0112.066] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea600acc, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea600acc, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x43f3, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="loading.gif", cAlternateFileName="")) returned 1 [0112.066] lstrcmpiW (lpString1="loading.gif", lpString2=".") returned 1 [0112.066] lstrcmpiW (lpString1="loading.gif", lpString2="..") returned 1 [0112.066] lstrcmpiW (lpString1="loading.gif", lpString2="...") returned 1 [0112.066] lstrcmpiW (lpString1="loading.gif", lpString2="windows") returned -1 [0112.066] lstrcmpiW (lpString1="loading.gif", lpString2="$RECYCLE.BIN") returned 1 [0112.066] lstrcmpiW (lpString1="loading.gif", lpString2="rsa") returned -1 [0112.066] lstrcmpiW (lpString1="loading.gif", lpString2="NTDETECT.COM") returned -1 [0112.066] lstrcmpiW (lpString1="loading.gif", lpString2="ntldr") returned -1 [0112.066] lstrcmpiW (lpString1="loading.gif", lpString2="MSDOS.SYS") returned -1 [0112.066] lstrcmpiW (lpString1="loading.gif", lpString2="IO.SYS") returned 1 [0112.066] lstrcmpiW (lpString1="loading.gif", lpString2="boot.ini") returned 1 [0112.066] lstrcmpiW (lpString1="loading.gif", lpString2="AUTOEXEC.BAT") returned 1 [0112.066] lstrcmpiW (lpString1="loading.gif", lpString2="ntuser.dat") returned -1 [0112.067] lstrcmpiW (lpString1="loading.gif", lpString2="desktop.ini") returned 1 [0112.067] lstrcmpiW (lpString1="loading.gif", lpString2="CONFIG.SYS") returned 1 [0112.067] lstrcmpiW (lpString1="loading.gif", lpString2="RECYCLER") returned -1 [0112.067] lstrcmpiW (lpString1="loading.gif", lpString2="BOOTSECT.BAK") returned 1 [0112.067] lstrcmpiW (lpString1="loading.gif", lpString2="bootmgr") returned 1 [0112.067] lstrcmpiW (lpString1="loading.gif", lpString2="programdata") returned -1 [0112.067] lstrcmpiW (lpString1="loading.gif", lpString2="appdata") returned 1 [0112.067] lstrcmpiW (lpString1="loading.gif", lpString2="program files") returned -1 [0112.067] lstrcmpiW (lpString1="loading.gif", lpString2="program files (x86)") returned -1 [0112.067] lstrcmpiW (lpString1="loading.gif", lpString2="microsoft") returned -1 [0112.067] lstrcmpiW (lpString1="loading.gif", lpString2="sophos") returned -1 [0112.067] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e778 [0112.067] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0112.067] PathFindExtensionW (pszPath="loading.gif") returned=".gif" [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".exe") returned 1 [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".log") returned -1 [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".cab") returned 1 [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".cmd") returned 1 [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".com") returned 1 [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".cpl") returned 1 [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".ini") returned -1 [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".dll") returned 1 [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".url") returned -1 [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".ttf") returned -1 [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".mp3") returned -1 [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".pif") returned -1 [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".mp4") returned -1 [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".NEFILIM") returned -1 [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".msi") returned -1 [0112.067] lstrcmpiW (lpString1=".gif", lpString2=".lnk") returned -1 [0112.067] lstrcmpiW (lpString1="loading.gif", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0112.067] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e6f0 [0112.067] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\loading.gif" (normalized: "c:\\windows10upgrade\\resources\\ux\\loading.gif"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0112.068] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=17395) returned 1 [0112.068] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.068] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d42b0 [0112.068] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.068] SystemFunction036 (in: RandomBuffer=0x29d42b0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d42b0) returned 1 [0112.068] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2180 [0112.068] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3e60 [0112.068] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2180*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2180*, pdwDataLen=0x25beab8*=0x100) returned 1 [0112.068] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3e60*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3e60*, pdwDataLen=0x25beab4*=0x100) returned 1 [0112.069] GetTickCount () returned 0x115d1f2 [0112.069] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e428 [0112.069] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e428 | out: hHeap=0x2680000) returned 1 [0112.069] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x43f3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.069] SetLastError (dwErrCode=0x0) [0112.069] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2180*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2180*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.070] GetLastError () returned 0x0 [0112.070] GetLastError () returned 0x0 [0112.070] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x44f3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.070] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3e60*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3e60*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.071] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x45f3, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.071] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3dcb172a, dwHighDateTime=0x1d5f971)) [0112.071] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0112.071] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.071] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0112.071] GetProcessHeap () returned 0xbc0000 [0112.071] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x43f3) returned 0xbf1630 [0112.071] GetSystemDefaultLangID () returned 0xbd0409 [0112.071] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.071] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0x43f3, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0x43f3, lpOverlapped=0x0) returned 1 [0112.072] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.072] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0x43f3, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0x43f3, lpOverlapped=0x0) returned 1 [0112.073] GetProcessHeap () returned 0xbc0000 [0112.073] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0112.073] CloseHandle (hObject=0x26c) returned 1 [0112.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2180 | out: hHeap=0x2680000) returned 1 [0112.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3e60 | out: hHeap=0x2680000) returned 1 [0112.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d42b0 | out: hHeap=0x2680000) returned 1 [0112.073] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0112.073] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\loading.gif" (normalized: "c:\\windows10upgrade\\resources\\ux\\loading.gif"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\loading.gif.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\loading.gif.nefilim")) returned 1 [0112.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.073] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0112.073] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea600acc, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea600acc, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x749e0600, ftLastWriteTime.dwHighDateTime=0x1d2ea8c, nFileSizeHigh=0x0, nFileSizeLow=0xe5d, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="lock.png", cAlternateFileName="")) returned 1 [0112.073] lstrcmpiW (lpString1="lock.png", lpString2=".") returned 1 [0112.073] lstrcmpiW (lpString1="lock.png", lpString2="..") returned 1 [0112.073] lstrcmpiW (lpString1="lock.png", lpString2="...") returned 1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="windows") returned -1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="$RECYCLE.BIN") returned 1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="rsa") returned -1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="NTDETECT.COM") returned -1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="ntldr") returned -1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="MSDOS.SYS") returned -1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="IO.SYS") returned 1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="boot.ini") returned 1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="AUTOEXEC.BAT") returned 1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="ntuser.dat") returned -1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="desktop.ini") returned 1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="CONFIG.SYS") returned 1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="RECYCLER") returned -1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="BOOTSECT.BAK") returned 1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="bootmgr") returned 1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="programdata") returned -1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="appdata") returned 1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="program files") returned -1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="program files (x86)") returned -1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="microsoft") returned -1 [0112.074] lstrcmpiW (lpString1="lock.png", lpString2="sophos") returned -1 [0112.074] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e6f0 [0112.074] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e778 | out: hHeap=0x2680000) returned 1 [0112.074] PathFindExtensionW (pszPath="lock.png") returned=".png" [0112.074] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0112.074] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0112.074] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0112.074] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0112.074] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0112.074] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0112.074] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0112.074] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0112.074] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0112.074] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0112.075] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0112.075] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0112.075] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0112.075] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0112.075] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0112.075] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0112.075] lstrcmpiW (lpString1="lock.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0112.075] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e758 [0112.075] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\lock.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\lock.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0112.076] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=3677) returned 1 [0112.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4358 [0112.076] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.076] SystemFunction036 (in: RandomBuffer=0x29d4358, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4358) returned 1 [0112.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3308 [0112.076] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3410 [0112.076] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3308*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d3308*, pdwDataLen=0x25beab8*=0x100) returned 1 [0112.076] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3410*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3410*, pdwDataLen=0x25beab4*=0x100) returned 1 [0112.077] GetTickCount () returned 0x115d1f2 [0112.077] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e498 [0112.077] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e498 | out: hHeap=0x2680000) returned 1 [0112.078] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xe5d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.078] SetLastError (dwErrCode=0x0) [0112.078] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3308*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3308*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.079] GetLastError () returned 0x0 [0112.079] GetLastError () returned 0x0 [0112.079] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xf5d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.079] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3410*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3410*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.080] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x105d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.080] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3dcb172a, dwHighDateTime=0x1d5f971)) [0112.080] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0112.080] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.080] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0112.080] GetProcessHeap () returned 0xbc0000 [0112.080] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xe5d) returned 0xbf1630 [0112.081] GetSystemDefaultLangID () returned 0xbd0409 [0112.081] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.081] ReadFile (in: hFile=0x26c, lpBuffer=0xbf1630, nNumberOfBytesToRead=0xe5d, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesRead=0x25beb1c*=0xe5d, lpOverlapped=0x0) returned 1 [0112.081] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.081] WriteFile (in: hFile=0x26c, lpBuffer=0xbf1630*, nNumberOfBytesToWrite=0xe5d, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbf1630*, lpNumberOfBytesWritten=0x25beb10*=0xe5d, lpOverlapped=0x0) returned 1 [0112.082] GetProcessHeap () returned 0xbc0000 [0112.082] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf1630 | out: hHeap=0xbc0000) returned 1 [0112.082] CloseHandle (hObject=0x26c) returned 1 [0112.082] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3308 | out: hHeap=0x2680000) returned 1 [0112.082] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3410 | out: hHeap=0x2680000) returned 1 [0112.082] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.082] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4358 | out: hHeap=0x2680000) returned 1 [0112.082] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0112.082] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\lock.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\lock.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\lock.png.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\lock.png.nefilim")) returned 1 [0112.083] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.083] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0112.083] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0xa33, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="logo.png", cAlternateFileName="")) returned 1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2=".") returned 1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="..") returned 1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="...") returned 1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="windows") returned -1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="$RECYCLE.BIN") returned 1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="rsa") returned -1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="NTDETECT.COM") returned -1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="ntldr") returned -1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="MSDOS.SYS") returned -1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="IO.SYS") returned 1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="boot.ini") returned 1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="AUTOEXEC.BAT") returned 1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="ntuser.dat") returned -1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="desktop.ini") returned 1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="CONFIG.SYS") returned 1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="RECYCLER") returned -1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="BOOTSECT.BAK") returned 1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="bootmgr") returned 1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="programdata") returned -1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="appdata") returned 1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="program files") returned -1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="program files (x86)") returned -1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="microsoft") returned -1 [0112.083] lstrcmpiW (lpString1="logo.png", lpString2="sophos") returned -1 [0112.084] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e758 [0112.084] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0112.084] PathFindExtensionW (pszPath="logo.png") returned=".png" [0112.084] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0112.084] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0112.084] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0112.084] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0112.084] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0112.084] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0112.084] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0112.100] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0112.101] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0112.101] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0112.101] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0112.101] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0112.101] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0112.101] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0112.101] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0112.101] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0112.101] lstrcmpiW (lpString1="logo.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0112.101] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e6f0 [0112.101] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\logo.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\logo.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0112.101] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=2611) returned 1 [0112.101] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.102] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d40d0 [0112.102] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.102] SystemFunction036 (in: RandomBuffer=0x29d40d0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d40d0) returned 1 [0112.102] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3e60 [0112.102] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3b48 [0112.102] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3e60*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d3e60*, pdwDataLen=0x25beab8*=0x100) returned 1 [0112.103] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3b48*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3b48*, pdwDataLen=0x25beab4*=0x100) returned 1 [0112.105] GetTickCount () returned 0x115d212 [0112.105] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e428 [0112.105] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e428 | out: hHeap=0x2680000) returned 1 [0112.105] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa33, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.105] SetLastError (dwErrCode=0x0) [0112.105] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3e60*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3e60*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.107] GetLastError () returned 0x0 [0112.107] GetLastError () returned 0x0 [0112.107] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xb33, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.107] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3b48*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3b48*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.107] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xc33, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.107] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3dcfdc48, dwHighDateTime=0x1d5f971)) [0112.107] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0112.107] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.107] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0112.107] GetProcessHeap () returned 0xbc0000 [0112.107] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0xa33) returned 0xbe3f48 [0112.108] GetSystemDefaultLangID () returned 0xbd0409 [0112.108] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.108] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0xa33, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0xa33, lpOverlapped=0x0) returned 1 [0112.108] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.108] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0xa33, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0xa33, lpOverlapped=0x0) returned 1 [0112.108] GetProcessHeap () returned 0xbc0000 [0112.108] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0112.108] CloseHandle (hObject=0x26c) returned 1 [0112.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3e60 | out: hHeap=0x2680000) returned 1 [0112.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3b48 | out: hHeap=0x2680000) returned 1 [0112.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.108] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d40d0 | out: hHeap=0x2680000) returned 1 [0112.108] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0112.108] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\logo.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\logo.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\logo.png.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\logo.png.nefilim")) returned 1 [0112.109] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.109] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0112.109] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1ed, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="marketing.png", cAlternateFileName="MARKET~1.PNG")) returned 1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2=".") returned 1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="..") returned 1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="...") returned 1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="windows") returned -1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="$RECYCLE.BIN") returned 1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="rsa") returned -1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="NTDETECT.COM") returned -1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="ntldr") returned -1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="MSDOS.SYS") returned -1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="IO.SYS") returned 1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="boot.ini") returned 1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="AUTOEXEC.BAT") returned 1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="ntuser.dat") returned -1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="desktop.ini") returned 1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="CONFIG.SYS") returned 1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="RECYCLER") returned -1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="BOOTSECT.BAK") returned 1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="bootmgr") returned 1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="programdata") returned -1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="appdata") returned 1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="program files") returned -1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="program files (x86)") returned -1 [0112.109] lstrcmpiW (lpString1="marketing.png", lpString2="microsoft") returned -1 [0112.110] lstrcmpiW (lpString1="marketing.png", lpString2="sophos") returned -1 [0112.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e6f0 [0112.110] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0112.110] PathFindExtensionW (pszPath="marketing.png") returned=".png" [0112.110] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0112.110] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0112.110] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0112.110] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0112.110] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0112.110] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0112.110] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0112.110] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0112.110] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0112.110] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0112.110] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0112.110] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0112.110] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0112.110] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0112.110] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0112.110] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0112.110] lstrcmpiW (lpString1="marketing.png", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0112.110] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e758 [0112.110] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\marketing.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\marketing.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0112.111] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=493) returned 1 [0112.111] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.111] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4268 [0112.111] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.111] SystemFunction036 (in: RandomBuffer=0x29d4268, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4268) returned 1 [0112.111] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d27b0 [0112.111] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d25a0 [0112.111] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d27b0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d27b0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0112.111] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d25a0*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d25a0*, pdwDataLen=0x25beab4*=0x100) returned 1 [0112.111] GetTickCount () returned 0x115d212 [0112.111] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e498 [0112.111] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e498 | out: hHeap=0x2680000) returned 1 [0112.111] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x1ed, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.111] SetLastError (dwErrCode=0x0) [0112.111] WriteFile (in: hFile=0x26c, lpBuffer=0x29d27b0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d27b0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.114] GetLastError () returned 0x0 [0112.114] GetLastError () returned 0x0 [0112.114] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x2ed, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.114] WriteFile (in: hFile=0x26c, lpBuffer=0x29d25a0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d25a0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.114] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x3ed, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.114] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3dcfdc48, dwHighDateTime=0x1d5f971)) [0112.114] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0112.114] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.114] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0112.114] GetProcessHeap () returned 0xbc0000 [0112.114] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x1ed) returned 0xbd2520 [0112.114] GetSystemDefaultLangID () returned 0xbd0409 [0112.114] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.114] ReadFile (in: hFile=0x26c, lpBuffer=0xbd2520, nNumberOfBytesToRead=0x1ed, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbd2520*, lpNumberOfBytesRead=0x25beb1c*=0x1ed, lpOverlapped=0x0) returned 1 [0112.114] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.114] WriteFile (in: hFile=0x26c, lpBuffer=0xbd2520*, nNumberOfBytesToWrite=0x1ed, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbd2520*, lpNumberOfBytesWritten=0x25beb10*=0x1ed, lpOverlapped=0x0) returned 1 [0112.114] GetProcessHeap () returned 0xbc0000 [0112.114] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbd2520 | out: hHeap=0xbc0000) returned 1 [0112.114] CloseHandle (hObject=0x26c) returned 1 [0112.115] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d27b0 | out: hHeap=0x2680000) returned 1 [0112.115] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d25a0 | out: hHeap=0x2680000) returned 1 [0112.115] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.115] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4268 | out: hHeap=0x2680000) returned 1 [0112.115] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0112.115] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\marketing.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\marketing.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\marketing.png.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\marketing.png.nefilim")) returned 1 [0112.116] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.116] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0112.116] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea60a72c, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="Microsoft.WinJS", cAlternateFileName="MICROS~1.WIN")) returned 1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2=".") returned 1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="..") returned 1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="...") returned 1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="windows") returned -1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="$RECYCLE.BIN") returned 1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="rsa") returned -1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="NTDETECT.COM") returned -1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="ntldr") returned -1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="MSDOS.SYS") returned -1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="IO.SYS") returned 1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="boot.ini") returned 1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="AUTOEXEC.BAT") returned 1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="ntuser.dat") returned -1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="desktop.ini") returned 1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="CONFIG.SYS") returned 1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="RECYCLER") returned -1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="BOOTSECT.BAK") returned 1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="bootmgr") returned 1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="programdata") returned -1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="appdata") returned 1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="program files") returned -1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="program files (x86)") returned -1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="microsoft") returned 1 [0112.116] lstrcmpiW (lpString1="Microsoft.WinJS", lpString2="sophos") returned -1 [0112.116] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268e758 [0112.116] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0112.116] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0112.116] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0112.117] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268ec08 [0112.117] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\*.*", lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea6143a6, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e758, dwReserved1=0x2000000, cFileName=".", cAlternateFileName="")) returned 0xbe29c8 [0112.117] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.117] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea6143a6, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e758, dwReserved1=0x2000000, cFileName="..", cAlternateFileName="")) returned 1 [0112.117] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.117] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.117] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6143a6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea6143a6, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e758, dwReserved1=0x2000000, cFileName="css", cAlternateFileName="")) returned 1 [0112.117] lstrcmpiW (lpString1="css", lpString2=".") returned 1 [0112.117] lstrcmpiW (lpString1="css", lpString2="..") returned 1 [0112.117] lstrcmpiW (lpString1="css", lpString2="...") returned 1 [0112.117] lstrcmpiW (lpString1="css", lpString2="windows") returned -1 [0112.117] lstrcmpiW (lpString1="css", lpString2="$RECYCLE.BIN") returned 1 [0112.117] lstrcmpiW (lpString1="css", lpString2="rsa") returned -1 [0112.117] lstrcmpiW (lpString1="css", lpString2="NTDETECT.COM") returned -1 [0112.117] lstrcmpiW (lpString1="css", lpString2="ntldr") returned -1 [0112.117] lstrcmpiW (lpString1="css", lpString2="MSDOS.SYS") returned -1 [0112.117] lstrcmpiW (lpString1="css", lpString2="IO.SYS") returned -1 [0112.117] lstrcmpiW (lpString1="css", lpString2="boot.ini") returned 1 [0112.117] lstrcmpiW (lpString1="css", lpString2="AUTOEXEC.BAT") returned 1 [0112.117] lstrcmpiW (lpString1="css", lpString2="ntuser.dat") returned -1 [0112.117] lstrcmpiW (lpString1="css", lpString2="desktop.ini") returned -1 [0112.117] lstrcmpiW (lpString1="css", lpString2="CONFIG.SYS") returned 1 [0112.117] lstrcmpiW (lpString1="css", lpString2="RECYCLER") returned -1 [0112.117] lstrcmpiW (lpString1="css", lpString2="BOOTSECT.BAK") returned 1 [0112.117] lstrcmpiW (lpString1="css", lpString2="bootmgr") returned 1 [0112.117] lstrcmpiW (lpString1="css", lpString2="programdata") returned -1 [0112.117] lstrcmpiW (lpString1="css", lpString2="appdata") returned 1 [0112.117] lstrcmpiW (lpString1="css", lpString2="program files") returned -1 [0112.117] lstrcmpiW (lpString1="css", lpString2="program files (x86)") returned -1 [0112.118] lstrcmpiW (lpString1="css", lpString2="microsoft") returned -1 [0112.118] lstrcmpiW (lpString1="css", lpString2="sophos") returned -1 [0112.118] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268ec80 [0112.118] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0112.118] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268ec08 [0112.118] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268ecf8 [0112.118] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ed70 [0112.118] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6143a6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea6143a6, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe2388 [0112.118] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.118] FindNextFileW (in: hFindFile=0xbe2388, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6143a6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea6143a6, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0112.119] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.119] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.119] FindNextFileW (in: hFindFile=0xbe2388, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea60a72c, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea60a72c, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x9ff9, dwReserved0=0x0, dwReserved1=0x0, cFileName="oobe-desktop.css", cAlternateFileName="OOBE-D~1.CSS")) returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2=".") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="..") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="...") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="windows") returned -1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="$RECYCLE.BIN") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="rsa") returned -1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="NTDETECT.COM") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="ntldr") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="MSDOS.SYS") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="IO.SYS") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="boot.ini") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="AUTOEXEC.BAT") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="ntuser.dat") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="desktop.ini") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="CONFIG.SYS") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="RECYCLER") returned -1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="BOOTSECT.BAK") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="bootmgr") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="programdata") returned -1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="appdata") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="program files") returned -1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="program files (x86)") returned -1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="microsoft") returned 1 [0112.119] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="sophos") returned -1 [0112.119] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268edf8 [0112.120] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ed70 | out: hHeap=0x2680000) returned 1 [0112.120] PathFindExtensionW (pszPath="oobe-desktop.css") returned=".css" [0112.120] lstrcmpiW (lpString1=".css", lpString2=".exe") returned -1 [0112.120] lstrcmpiW (lpString1=".css", lpString2=".log") returned -1 [0112.120] lstrcmpiW (lpString1=".css", lpString2=".cab") returned 1 [0112.120] lstrcmpiW (lpString1=".css", lpString2=".cmd") returned 1 [0112.120] lstrcmpiW (lpString1=".css", lpString2=".com") returned 1 [0112.120] lstrcmpiW (lpString1=".css", lpString2=".cpl") returned 1 [0112.120] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0112.120] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0112.120] lstrcmpiW (lpString1=".css", lpString2=".url") returned -1 [0112.120] lstrcmpiW (lpString1=".css", lpString2=".ttf") returned -1 [0112.120] lstrcmpiW (lpString1=".css", lpString2=".mp3") returned -1 [0112.120] lstrcmpiW (lpString1=".css", lpString2=".pif") returned -1 [0112.120] lstrcmpiW (lpString1=".css", lpString2=".mp4") returned -1 [0112.120] lstrcmpiW (lpString1=".css", lpString2=".NEFILIM") returned -1 [0112.120] lstrcmpiW (lpString1=".css", lpString2=".msi") returned -1 [0112.120] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0112.120] lstrcmpiW (lpString1="oobe-desktop.css", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0112.120] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268ee90 [0112.120] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\oobe-desktop.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\oobe-desktop.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0112.121] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=40953) returned 1 [0112.121] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.121] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4280 [0112.121] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.121] SystemFunction036 (in: RandomBuffer=0x29d4280, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4280) returned 1 [0112.121] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3518 [0112.121] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0112.121] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3518*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d3518*, pdwDataLen=0x25be478*=0x100) returned 1 [0112.122] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25be474*=0x100) returned 1 [0112.122] GetTickCount () returned 0x115d221 [0112.122] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e3f0 [0112.122] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e3f0 | out: hHeap=0x2680000) returned 1 [0112.122] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x9ff9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.122] SetLastError (dwErrCode=0x0) [0112.122] WriteFile (in: hFile=0x274, lpBuffer=0x29d3518*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d3518*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0112.123] GetLastError () returned 0x0 [0112.124] GetLastError () returned 0x0 [0112.124] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa0f9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.124] WriteFile (in: hFile=0x274, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0112.124] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0xa1f9, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.124] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3dd240f9, dwHighDateTime=0x1d5f971)) [0112.124] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0112.124] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0112.124] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0112.124] GetProcessHeap () returned 0xbc0000 [0112.124] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x9ff9) returned 0xbf3640 [0112.124] GetSystemDefaultLangID () returned 0xbd0409 [0112.124] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.124] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x9ff9, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x9ff9, lpOverlapped=0x0) returned 1 [0112.127] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.127] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x9ff9, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x9ff9, lpOverlapped=0x0) returned 1 [0112.127] GetProcessHeap () returned 0xbc0000 [0112.127] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0112.128] CloseHandle (hObject=0x274) returned 1 [0112.128] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3518 | out: hHeap=0x2680000) returned 1 [0112.128] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0112.128] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.128] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4280 | out: hHeap=0x2680000) returned 1 [0112.128] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ef28 [0112.128] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\oobe-desktop.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\oobe-desktop.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\oobe-desktop.css.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\oobe-desktop.css.nefilim")) returned 1 [0112.129] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ef28 | out: hHeap=0x2680000) returned 1 [0112.129] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ee90 | out: hHeap=0x2680000) returned 1 [0112.129] FindNextFileW (in: hFindFile=0xbe2388, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6143a6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x41b67, dwReserved0=0x0, dwReserved1=0x0, cFileName="ui-dark.css", cAlternateFileName="")) returned 1 [0112.129] lstrcmpiW (lpString1="ui-dark.css", lpString2=".") returned 1 [0112.129] lstrcmpiW (lpString1="ui-dark.css", lpString2="..") returned 1 [0112.129] lstrcmpiW (lpString1="ui-dark.css", lpString2="...") returned 1 [0112.129] lstrcmpiW (lpString1="ui-dark.css", lpString2="windows") returned -1 [0112.129] lstrcmpiW (lpString1="ui-dark.css", lpString2="$RECYCLE.BIN") returned 1 [0112.129] lstrcmpiW (lpString1="ui-dark.css", lpString2="rsa") returned 1 [0112.129] lstrcmpiW (lpString1="ui-dark.css", lpString2="NTDETECT.COM") returned 1 [0112.129] lstrcmpiW (lpString1="ui-dark.css", lpString2="ntldr") returned 1 [0112.129] lstrcmpiW (lpString1="ui-dark.css", lpString2="MSDOS.SYS") returned 1 [0112.129] lstrcmpiW (lpString1="ui-dark.css", lpString2="IO.SYS") returned 1 [0112.129] lstrcmpiW (lpString1="ui-dark.css", lpString2="boot.ini") returned 1 [0112.129] lstrcmpiW (lpString1="ui-dark.css", lpString2="AUTOEXEC.BAT") returned 1 [0112.129] lstrcmpiW (lpString1="ui-dark.css", lpString2="ntuser.dat") returned 1 [0112.129] lstrcmpiW (lpString1="ui-dark.css", lpString2="desktop.ini") returned 1 [0112.129] lstrcmpiW (lpString1="ui-dark.css", lpString2="CONFIG.SYS") returned 1 [0112.130] lstrcmpiW (lpString1="ui-dark.css", lpString2="RECYCLER") returned 1 [0112.130] lstrcmpiW (lpString1="ui-dark.css", lpString2="BOOTSECT.BAK") returned 1 [0112.130] lstrcmpiW (lpString1="ui-dark.css", lpString2="bootmgr") returned 1 [0112.130] lstrcmpiW (lpString1="ui-dark.css", lpString2="programdata") returned 1 [0112.130] lstrcmpiW (lpString1="ui-dark.css", lpString2="appdata") returned 1 [0112.130] lstrcmpiW (lpString1="ui-dark.css", lpString2="program files") returned 1 [0112.130] lstrcmpiW (lpString1="ui-dark.css", lpString2="program files (x86)") returned 1 [0112.130] lstrcmpiW (lpString1="ui-dark.css", lpString2="microsoft") returned 1 [0112.130] lstrcmpiW (lpString1="ui-dark.css", lpString2="sophos") returned 1 [0112.130] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268ee90 [0112.130] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268edf8 | out: hHeap=0x2680000) returned 1 [0112.130] PathFindExtensionW (pszPath="ui-dark.css") returned=".css" [0112.130] lstrcmpiW (lpString1=".css", lpString2=".exe") returned -1 [0112.130] lstrcmpiW (lpString1=".css", lpString2=".log") returned -1 [0112.130] lstrcmpiW (lpString1=".css", lpString2=".cab") returned 1 [0112.130] lstrcmpiW (lpString1=".css", lpString2=".cmd") returned 1 [0112.130] lstrcmpiW (lpString1=".css", lpString2=".com") returned 1 [0112.130] lstrcmpiW (lpString1=".css", lpString2=".cpl") returned 1 [0112.130] lstrcmpiW (lpString1=".css", lpString2=".ini") returned -1 [0112.130] lstrcmpiW (lpString1=".css", lpString2=".dll") returned -1 [0112.130] lstrcmpiW (lpString1=".css", lpString2=".url") returned -1 [0112.130] lstrcmpiW (lpString1=".css", lpString2=".ttf") returned -1 [0112.130] lstrcmpiW (lpString1=".css", lpString2=".mp3") returned -1 [0112.130] lstrcmpiW (lpString1=".css", lpString2=".pif") returned -1 [0112.130] lstrcmpiW (lpString1=".css", lpString2=".mp4") returned -1 [0112.130] lstrcmpiW (lpString1=".css", lpString2=".NEFILIM") returned -1 [0112.130] lstrcmpiW (lpString1=".css", lpString2=".msi") returned -1 [0112.130] lstrcmpiW (lpString1=".css", lpString2=".lnk") returned -1 [0112.130] lstrcmpiW (lpString1="ui-dark.css", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0112.130] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268ef28 [0112.130] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\ui-dark.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\ui-dark.css"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0112.131] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=269159) returned 1 [0112.131] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.131] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4400 [0112.131] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.131] SystemFunction036 (in: RandomBuffer=0x29d4400, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4400) returned 1 [0112.131] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2de0 [0112.131] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d26a8 [0112.131] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2de0*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d2de0*, pdwDataLen=0x25be478*=0x100) returned 1 [0112.133] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d26a8*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d26a8*, pdwDataLen=0x25be474*=0x100) returned 1 [0112.133] GetTickCount () returned 0x115d231 [0112.133] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e428 [0112.133] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e428 | out: hHeap=0x2680000) returned 1 [0112.133] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x41b67, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.133] SetLastError (dwErrCode=0x0) [0112.133] WriteFile (in: hFile=0x274, lpBuffer=0x29d2de0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d2de0*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0112.135] GetLastError () returned 0x0 [0112.135] GetLastError () returned 0x0 [0112.135] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x41c67, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.135] WriteFile (in: hFile=0x274, lpBuffer=0x29d26a8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d26a8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0112.135] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x41d67, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.135] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3dd4a0b4, dwHighDateTime=0x1d5f971)) [0112.135] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0112.135] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0112.135] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0112.135] GetProcessHeap () returned 0xbc0000 [0112.135] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x41b67) returned 0xbf3640 [0112.135] GetSystemDefaultLangID () returned 0xbd0409 [0112.135] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.136] ReadFile (in: hFile=0x274, lpBuffer=0xbf3640, nNumberOfBytesToRead=0x41b67, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesRead=0x25be4dc*=0x41b67, lpOverlapped=0x0) returned 1 [0112.169] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.169] WriteFile (in: hFile=0x274, lpBuffer=0xbf3640*, nNumberOfBytesToWrite=0x41b67, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xbf3640*, lpNumberOfBytesWritten=0x25be4d0*=0x41b67, lpOverlapped=0x0) returned 1 [0112.170] GetProcessHeap () returned 0xbc0000 [0112.170] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbf3640 | out: hHeap=0xbc0000) returned 1 [0112.170] CloseHandle (hObject=0x274) returned 1 [0112.170] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2de0 | out: hHeap=0x2680000) returned 1 [0112.170] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d26a8 | out: hHeap=0x2680000) returned 1 [0112.170] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.170] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4400 | out: hHeap=0x2680000) returned 1 [0112.170] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268ed70 [0112.170] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\ui-dark.css" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\ui-dark.css"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\css\\ui-dark.css.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\css\\ui-dark.css.nefilim")) returned 1 [0112.171] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ed70 | out: hHeap=0x2680000) returned 1 [0112.171] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ef28 | out: hHeap=0x2680000) returned 1 [0112.171] FindNextFileW (in: hFindFile=0xbe2388, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6143a6, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x41b67, dwReserved0=0x0, dwReserved1=0x0, cFileName="ui-dark.css", cAlternateFileName="")) returned 0 [0112.171] FindClose (in: hFindFile=0xbe2388 | out: hFindFile=0xbe2388) returned 1 [0112.178] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ee90 | out: hHeap=0x2680000) returned 1 [0112.179] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ecf8 | out: hHeap=0x2680000) returned 1 [0112.179] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0112.179] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea61ff59, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e758, dwReserved1=0x2000000, cFileName="js", cAlternateFileName="")) returned 1 [0112.179] lstrcmpiW (lpString1="js", lpString2=".") returned 1 [0112.179] lstrcmpiW (lpString1="js", lpString2="..") returned 1 [0112.179] lstrcmpiW (lpString1="js", lpString2="...") returned 1 [0112.179] lstrcmpiW (lpString1="js", lpString2="windows") returned -1 [0112.179] lstrcmpiW (lpString1="js", lpString2="$RECYCLE.BIN") returned 1 [0112.179] lstrcmpiW (lpString1="js", lpString2="rsa") returned -1 [0112.179] lstrcmpiW (lpString1="js", lpString2="NTDETECT.COM") returned -1 [0112.179] lstrcmpiW (lpString1="js", lpString2="ntldr") returned -1 [0112.179] lstrcmpiW (lpString1="js", lpString2="MSDOS.SYS") returned -1 [0112.179] lstrcmpiW (lpString1="js", lpString2="IO.SYS") returned 1 [0112.179] lstrcmpiW (lpString1="js", lpString2="boot.ini") returned 1 [0112.179] lstrcmpiW (lpString1="js", lpString2="AUTOEXEC.BAT") returned 1 [0112.179] lstrcmpiW (lpString1="js", lpString2="ntuser.dat") returned -1 [0112.179] lstrcmpiW (lpString1="js", lpString2="desktop.ini") returned 1 [0112.179] lstrcmpiW (lpString1="js", lpString2="CONFIG.SYS") returned 1 [0112.179] lstrcmpiW (lpString1="js", lpString2="RECYCLER") returned -1 [0112.179] lstrcmpiW (lpString1="js", lpString2="BOOTSECT.BAK") returned 1 [0112.179] lstrcmpiW (lpString1="js", lpString2="bootmgr") returned 1 [0112.179] lstrcmpiW (lpString1="js", lpString2="programdata") returned -1 [0112.179] lstrcmpiW (lpString1="js", lpString2="appdata") returned 1 [0112.179] lstrcmpiW (lpString1="js", lpString2="program files") returned -1 [0112.179] lstrcmpiW (lpString1="js", lpString2="program files (x86)") returned -1 [0112.179] lstrcmpiW (lpString1="js", lpString2="microsoft") returned -1 [0112.179] lstrcmpiW (lpString1="js", lpString2="sophos") returned -1 [0112.179] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268ec08 [0112.179] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec80 | out: hHeap=0x2680000) returned 1 [0112.179] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268ec80 [0112.179] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268ecf8 [0112.179] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268ed70 [0112.179] FindFirstFileW (in: lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\*.*", lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea61ff59, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0xbe24c8 [0112.180] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0112.180] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea61ff59, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0112.180] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0112.180] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0112.180] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea61ff59, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x1395c6, dwReserved0=0x0, dwReserved1=0x0, cFileName="base.js", cAlternateFileName="")) returned 1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2=".") returned 1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="..") returned 1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="...") returned 1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="windows") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="$RECYCLE.BIN") returned 1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="rsa") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="NTDETECT.COM") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="ntldr") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="MSDOS.SYS") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="IO.SYS") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="boot.ini") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="AUTOEXEC.BAT") returned 1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="ntuser.dat") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="desktop.ini") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="CONFIG.SYS") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="RECYCLER") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="BOOTSECT.BAK") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="bootmgr") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="programdata") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="appdata") returned 1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="program files") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="program files (x86)") returned -1 [0112.180] lstrcmpiW (lpString1="base.js", lpString2="microsoft") returned -1 [0112.181] lstrcmpiW (lpString1="base.js", lpString2="sophos") returned -1 [0112.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ede8 [0112.181] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ed70 | out: hHeap=0x2680000) returned 1 [0112.181] PathFindExtensionW (pszPath="base.js") returned=".js" [0112.181] lstrcmpiW (lpString1=".js", lpString2=".exe") returned 1 [0112.181] lstrcmpiW (lpString1=".js", lpString2=".log") returned -1 [0112.181] lstrcmpiW (lpString1=".js", lpString2=".cab") returned 1 [0112.181] lstrcmpiW (lpString1=".js", lpString2=".cmd") returned 1 [0112.181] lstrcmpiW (lpString1=".js", lpString2=".com") returned 1 [0112.181] lstrcmpiW (lpString1=".js", lpString2=".cpl") returned 1 [0112.181] lstrcmpiW (lpString1=".js", lpString2=".ini") returned 1 [0112.181] lstrcmpiW (lpString1=".js", lpString2=".dll") returned 1 [0112.181] lstrcmpiW (lpString1=".js", lpString2=".url") returned -1 [0112.181] lstrcmpiW (lpString1=".js", lpString2=".ttf") returned -1 [0112.181] lstrcmpiW (lpString1=".js", lpString2=".mp3") returned -1 [0112.181] lstrcmpiW (lpString1=".js", lpString2=".pif") returned -1 [0112.181] lstrcmpiW (lpString1=".js", lpString2=".mp4") returned -1 [0112.181] lstrcmpiW (lpString1=".js", lpString2=".NEFILIM") returned -1 [0112.181] lstrcmpiW (lpString1=".js", lpString2=".msi") returned -1 [0112.181] lstrcmpiW (lpString1=".js", lpString2=".lnk") returned -1 [0112.181] lstrcmpiW (lpString1="base.js", lpString2="NEFILIM-DECRYPT.txt") returned -1 [0112.181] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ee70 [0112.181] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\base.js" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\base.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0112.182] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=1283526) returned 1 [0112.182] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.182] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4178 [0112.182] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.182] SystemFunction036 (in: RandomBuffer=0x29d4178, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4178) returned 1 [0112.182] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3830 [0112.182] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0112.183] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3830*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d3830*, pdwDataLen=0x25be478*=0x100) returned 1 [0112.185] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25be474*=0x100) returned 1 [0112.186] GetTickCount () returned 0x115d260 [0112.187] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5b0 [0112.187] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5b0 | out: hHeap=0x2680000) returned 1 [0112.187] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1395c6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.187] SetLastError (dwErrCode=0x0) [0112.187] WriteFile (in: hFile=0x274, lpBuffer=0x29d3830*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d3830*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0112.190] GetLastError () returned 0x0 [0112.190] GetLastError () returned 0x0 [0112.190] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1396c6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.190] WriteFile (in: hFile=0x274, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0112.190] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x1397c6, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.190] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3ddbc885, dwHighDateTime=0x1d5f971)) [0112.190] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0112.190] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0112.190] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0112.191] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x927c0) returned 0xa39020 [0112.192] GetCurrentProcess () returned 0xffffffff [0112.192] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.192] ReadFile (in: hFile=0x274, lpBuffer=0xa39020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xa39020*, lpNumberOfBytesRead=0x25be4dc*=0x927c0, lpOverlapped=0x0) returned 1 [0112.302] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.302] WriteFile (in: hFile=0x274, lpBuffer=0xa39020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xa39020*, lpNumberOfBytesWritten=0x25be4d0*=0x927c0, lpOverlapped=0x0) returned 1 [0112.304] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0xa39020 | out: hHeap=0x2680000) returned 1 [0112.307] CloseHandle (hObject=0x274) returned 1 [0112.325] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3830 | out: hHeap=0x2680000) returned 1 [0112.325] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0112.325] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.325] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4178 | out: hHeap=0x2680000) returned 1 [0112.325] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268eef8 [0112.325] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\base.js" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\base.js"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\base.js.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\base.js.nefilim")) returned 1 [0112.325] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eef8 | out: hHeap=0x2680000) returned 1 [0112.325] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ee70 | out: hHeap=0x2680000) returned 1 [0112.325] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea61ff59, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x2e7dba, dwReserved0=0x0, dwReserved1=0x0, cFileName="ui.js", cAlternateFileName="")) returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2=".") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="..") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="...") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="windows") returned -1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="$RECYCLE.BIN") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="rsa") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="NTDETECT.COM") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="ntldr") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="MSDOS.SYS") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="IO.SYS") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="boot.ini") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="AUTOEXEC.BAT") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="ntuser.dat") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="desktop.ini") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="CONFIG.SYS") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="RECYCLER") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="BOOTSECT.BAK") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="bootmgr") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="programdata") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="appdata") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="program files") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="program files (x86)") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="microsoft") returned 1 [0112.326] lstrcmpiW (lpString1="ui.js", lpString2="sophos") returned 1 [0112.326] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268ee70 [0112.326] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ede8 | out: hHeap=0x2680000) returned 1 [0112.326] PathFindExtensionW (pszPath="ui.js") returned=".js" [0112.326] lstrcmpiW (lpString1=".js", lpString2=".exe") returned 1 [0112.326] lstrcmpiW (lpString1=".js", lpString2=".log") returned -1 [0112.326] lstrcmpiW (lpString1=".js", lpString2=".cab") returned 1 [0112.326] lstrcmpiW (lpString1=".js", lpString2=".cmd") returned 1 [0112.326] lstrcmpiW (lpString1=".js", lpString2=".com") returned 1 [0112.326] lstrcmpiW (lpString1=".js", lpString2=".cpl") returned 1 [0112.326] lstrcmpiW (lpString1=".js", lpString2=".ini") returned 1 [0112.326] lstrcmpiW (lpString1=".js", lpString2=".dll") returned 1 [0112.326] lstrcmpiW (lpString1=".js", lpString2=".url") returned -1 [0112.327] lstrcmpiW (lpString1=".js", lpString2=".ttf") returned -1 [0112.327] lstrcmpiW (lpString1=".js", lpString2=".mp3") returned -1 [0112.327] lstrcmpiW (lpString1=".js", lpString2=".pif") returned -1 [0112.327] lstrcmpiW (lpString1=".js", lpString2=".mp4") returned -1 [0112.327] lstrcmpiW (lpString1=".js", lpString2=".NEFILIM") returned -1 [0112.327] lstrcmpiW (lpString1=".js", lpString2=".msi") returned -1 [0112.327] lstrcmpiW (lpString1=".js", lpString2=".lnk") returned -1 [0112.327] lstrcmpiW (lpString1="ui.js", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0112.327] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268eef8 [0112.327] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\ui.js" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\ui.js"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x274 [0112.327] GetFileSizeEx (in: hFile=0x274, lpFileSize=0x25be4b8 | out: lpFileSize=0x25be4b8*=3046842) returned 1 [0112.327] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.327] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4358 [0112.327] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.327] SystemFunction036 (in: RandomBuffer=0x29d4358, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4358) returned 1 [0112.327] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2498 [0112.327] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2cd8 [0112.327] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2498*, pdwDataLen=0x25be478*=0x10, dwBufLen=0x100 | out: pbData=0x29d2498*, pdwDataLen=0x25be478*=0x100) returned 1 [0112.328] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2cd8*, pdwDataLen=0x25be474*=0x10, dwBufLen=0x100 | out: pbData=0x29d2cd8*, pdwDataLen=0x25be474*=0x100) returned 1 [0112.328] GetTickCount () returned 0x115d2ec [0112.328] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e690 [0112.328] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0112.328] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2e7dba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.328] SetLastError (dwErrCode=0x0) [0112.328] WriteFile (in: hFile=0x274, lpBuffer=0x29d2498*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d2498*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0112.331] GetLastError () returned 0x0 [0112.331] GetLastError () returned 0x0 [0112.331] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2e7eba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.331] WriteFile (in: hFile=0x274, lpBuffer=0x29d2cd8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x29d2cd8*, lpNumberOfBytesWritten=0x25be4d0*=0x100, lpOverlapped=0x0) returned 1 [0112.331] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x2e7fba, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.331] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25be48c | out: lpSystemTimeAsFileTime=0x25be48c*(dwLowDateTime=0x3df13e04, dwHighDateTime=0x1d5f971)) [0112.331] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0112.331] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0112.331] WriteFile (in: hFile=0x274, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25be4d0*=0x7, lpOverlapped=0x0) returned 1 [0112.331] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x927c0) returned 0xa3f020 [0112.333] GetCurrentProcess () returned 0xffffffff [0112.333] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.333] ReadFile (in: hFile=0x274, lpBuffer=0xa3f020, nNumberOfBytesToRead=0x927c0, lpNumberOfBytesRead=0x25be4dc, lpOverlapped=0x0 | out: lpBuffer=0xa3f020*, lpNumberOfBytesRead=0x25be4dc*=0x927c0, lpOverlapped=0x0) returned 1 [0112.441] SetFilePointerEx (in: hFile=0x274, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.442] WriteFile (in: hFile=0x274, lpBuffer=0xa3f020*, nNumberOfBytesToWrite=0x927c0, lpNumberOfBytesWritten=0x25be4d0, lpOverlapped=0x0 | out: lpBuffer=0xa3f020*, lpNumberOfBytesWritten=0x25be4d0*=0x927c0, lpOverlapped=0x0) returned 1 [0112.444] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0xa3f020 | out: hHeap=0x2680000) returned 1 [0112.447] CloseHandle (hObject=0x274) returned 1 [0112.447] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2498 | out: hHeap=0x2680000) returned 1 [0112.447] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2cd8 | out: hHeap=0x2680000) returned 1 [0112.447] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.447] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4358 | out: hHeap=0x2680000) returned 1 [0112.447] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268ed70 [0112.447] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\ui.js" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\ui.js"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\Microsoft.WinJS\\js\\ui.js.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\microsoft.winjs\\js\\ui.js.nefilim")) returned 1 [0112.448] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ed70 | out: hHeap=0x2680000) returned 1 [0112.448] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268eef8 | out: hHeap=0x2680000) returned 1 [0112.448] FindNextFileW (in: hFindFile=0xbe24c8, lpFindFileData=0x25be5c8 | out: lpFindFileData=0x25be5c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea61ff59, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x2e7dba, dwReserved0=0x0, dwReserved1=0x0, cFileName="ui.js", cAlternateFileName="")) returned 0 [0112.448] FindClose (in: hFindFile=0xbe24c8 | out: hFindFile=0xbe24c8) returned 1 [0112.448] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ee70 | out: hHeap=0x2680000) returned 1 [0112.448] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ecf8 | out: hHeap=0x2680000) returned 1 [0112.448] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec80 | out: hHeap=0x2680000) returned 1 [0112.448] FindNextFileW (in: hFindFile=0xbe29c8, lpFindFileData=0x25be8e8 | out: lpFindFileData=0x25be8e8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea6143a6, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea61ff59, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea61ff59, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x268e758, dwReserved1=0x2000000, cFileName="js", cAlternateFileName="")) returned 0 [0112.448] FindClose (in: hFindFile=0xbe29c8 | out: hFindFile=0xbe29c8) returned 1 [0112.448] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0112.448] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0112.448] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.448] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea627c0d, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea627c0d, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x97e0d, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="NetworkIssueFAQ.mht", cAlternateFileName="NETWOR~1.MHT")) returned 1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2=".") returned 1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="..") returned 1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="...") returned 1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="windows") returned -1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="$RECYCLE.BIN") returned 1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="rsa") returned -1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="NTDETECT.COM") returned -1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="ntldr") returned -1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="MSDOS.SYS") returned 1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="IO.SYS") returned 1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="boot.ini") returned 1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="AUTOEXEC.BAT") returned 1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="ntuser.dat") returned -1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="desktop.ini") returned 1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="CONFIG.SYS") returned 1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="RECYCLER") returned -1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="BOOTSECT.BAK") returned 1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="bootmgr") returned 1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="programdata") returned -1 [0112.448] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="appdata") returned 1 [0112.449] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="program files") returned -1 [0112.449] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="program files (x86)") returned -1 [0112.449] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="microsoft") returned 1 [0112.449] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="sophos") returned -1 [0112.449] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0112.449] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e758 | out: hHeap=0x2680000) returned 1 [0112.449] PathFindExtensionW (pszPath="NetworkIssueFAQ.mht") returned=".mht" [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".exe") returned 1 [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".log") returned 1 [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".cab") returned 1 [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".cmd") returned 1 [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".com") returned 1 [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".cpl") returned 1 [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".ini") returned 1 [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".dll") returned 1 [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".url") returned -1 [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".ttf") returned -1 [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".mp3") returned -1 [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".pif") returned -1 [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".mp4") returned -1 [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".NEFILIM") returned -1 [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".msi") returned -1 [0112.449] lstrcmpiW (lpString1=".mht", lpString2=".lnk") returned 1 [0112.449] lstrcmpiW (lpString1="NetworkIssueFAQ.mht", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0112.449] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268be08 [0112.449] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\NetworkIssueFAQ.mht" (normalized: "c:\\windows10upgrade\\resources\\ux\\networkissuefaq.mht"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0112.450] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=622093) returned 1 [0112.450] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.450] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d42e0 [0112.450] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.450] SystemFunction036 (in: RandomBuffer=0x29d42e0, RandomBufferLength=0x10 | out: RandomBuffer=0x29d42e0) returned 1 [0112.450] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2bd0 [0112.450] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3308 [0112.450] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2bd0*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2bd0*, pdwDataLen=0x25beab8*=0x100) returned 1 [0112.450] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3308*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3308*, pdwDataLen=0x25beab4*=0x100) returned 1 [0112.451] GetTickCount () returned 0x115d369 [0112.451] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e690 [0112.451] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0112.452] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x97e0d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.452] SetLastError (dwErrCode=0x0) [0112.452] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2bd0*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2bd0*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.453] GetLastError () returned 0x0 [0112.453] GetLastError () returned 0x0 [0112.453] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x97f0d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.453] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3308*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3308*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.454] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x9800d, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.454] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3e045213, dwHighDateTime=0x1d5f971)) [0112.454] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be80 [0112.454] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be80 | out: hHeap=0x2680000) returned 1 [0112.454] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0112.454] GetProcessHeap () returned 0xbc0000 [0112.454] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x97e0d) returned 0xa30020 [0112.456] GetSystemDefaultLangID () returned 0xbd0409 [0112.456] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.456] ReadFile (in: hFile=0x26c, lpBuffer=0xa30020, nNumberOfBytesToRead=0x97e0d, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xa30020*, lpNumberOfBytesRead=0x25beb1c*=0x97e0d, lpOverlapped=0x0) returned 1 [0112.537] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.537] WriteFile (in: hFile=0x26c, lpBuffer=0xa30020*, nNumberOfBytesToWrite=0x97e0d, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xa30020*, lpNumberOfBytesWritten=0x25beb10*=0x97e0d, lpOverlapped=0x0) returned 1 [0112.539] GetProcessHeap () returned 0xbc0000 [0112.539] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xa30020 | out: hHeap=0xbc0000) returned 1 [0112.542] CloseHandle (hObject=0x26c) returned 1 [0112.542] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2bd0 | out: hHeap=0x2680000) returned 1 [0112.542] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3308 | out: hHeap=0x2680000) returned 1 [0112.543] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.543] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d42e0 | out: hHeap=0x2680000) returned 1 [0112.543] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e6f0 [0112.543] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\NetworkIssueFAQ.mht" (normalized: "c:\\windows10upgrade\\resources\\ux\\networkissuefaq.mht"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\NetworkIssueFAQ.mht.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\networkissuefaq.mht.nefilim")) returned 1 [0112.543] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0112.543] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0112.543] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea631830, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea631830, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x875, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="NoNetworkConnection.png", cAlternateFileName="NONETW~1.PNG")) returned 1 [0112.543] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2=".") returned 1 [0112.543] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="..") returned 1 [0112.543] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="...") returned 1 [0112.543] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="windows") returned -1 [0112.543] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="$RECYCLE.BIN") returned 1 [0112.543] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="rsa") returned -1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="NTDETECT.COM") returned -1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="ntldr") returned -1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="MSDOS.SYS") returned 1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="IO.SYS") returned 1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="boot.ini") returned 1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="AUTOEXEC.BAT") returned 1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="ntuser.dat") returned -1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="desktop.ini") returned 1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="CONFIG.SYS") returned 1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="RECYCLER") returned -1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="BOOTSECT.BAK") returned 1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="bootmgr") returned 1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="programdata") returned -1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="appdata") returned 1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="program files") returned -1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="program files (x86)") returned -1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="microsoft") returned 1 [0112.544] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="sophos") returned -1 [0112.544] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268be08 [0112.544] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.544] PathFindExtensionW (pszPath="NoNetworkConnection.png") returned=".png" [0112.544] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0112.544] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0112.544] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0112.544] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0112.544] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0112.544] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0112.544] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0112.544] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0112.544] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0112.544] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0112.544] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0112.544] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0112.544] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0112.544] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0112.544] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0112.545] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0112.545] lstrcmpiW (lpString1="NoNetworkConnection.png", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0112.545] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x80) returned 0x268e6f0 [0112.545] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnection.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnection.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0112.545] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=2165) returned 1 [0112.545] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.545] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d4328 [0112.545] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.545] SystemFunction036 (in: RandomBuffer=0x29d4328, RandomBufferLength=0x10 | out: RandomBuffer=0x29d4328) returned 1 [0112.545] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0112.545] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3c50 [0112.545] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25beab8*=0x100) returned 1 [0112.547] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3c50*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3c50*, pdwDataLen=0x25beab4*=0x100) returned 1 [0112.547] GetTickCount () returned 0x115d3c7 [0112.547] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e690 [0112.547] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e690 | out: hHeap=0x2680000) returned 1 [0112.547] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x875, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.547] SetLastError (dwErrCode=0x0) [0112.547] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.562] GetLastError () returned 0x0 [0112.562] GetLastError () returned 0x0 [0112.562] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x975, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.562] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3c50*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.562] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xa75, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.562] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3e150081, dwHighDateTime=0x1d5f971)) [0112.562] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268be90 [0112.562] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be90 | out: hHeap=0x2680000) returned 1 [0112.562] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0112.562] GetProcessHeap () returned 0xbc0000 [0112.562] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x875) returned 0xbe3f48 [0112.562] GetSystemDefaultLangID () returned 0xbd0409 [0112.562] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.562] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x875, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0x875, lpOverlapped=0x0) returned 1 [0112.562] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.562] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x875, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0x875, lpOverlapped=0x0) returned 1 [0112.563] GetProcessHeap () returned 0xbc0000 [0112.563] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0112.563] CloseHandle (hObject=0x26c) returned 1 [0112.563] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0112.563] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3c50 | out: hHeap=0x2680000) returned 1 [0112.563] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.563] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d4328 | out: hHeap=0x2680000) returned 1 [0112.563] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268ec08 [0112.563] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnection.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnection.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnection.png.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnection.png.nefilim")) returned 1 [0112.563] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268ec08 | out: hHeap=0x2680000) returned 1 [0112.563] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0112.563] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea631830, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea631830, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x8a4, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="NoNetworkConnectionHoverOver.png", cAlternateFileName="NONETW~2.PNG")) returned 1 [0112.563] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2=".") returned 1 [0112.563] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="..") returned 1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="...") returned 1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="windows") returned -1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="$RECYCLE.BIN") returned 1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="rsa") returned -1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="NTDETECT.COM") returned -1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="ntldr") returned -1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="MSDOS.SYS") returned 1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="IO.SYS") returned 1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="boot.ini") returned 1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="AUTOEXEC.BAT") returned 1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="ntuser.dat") returned -1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="desktop.ini") returned 1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="CONFIG.SYS") returned 1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="RECYCLER") returned -1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="BOOTSECT.BAK") returned 1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="bootmgr") returned 1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="programdata") returned -1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="appdata") returned 1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="program files") returned -1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="program files (x86)") returned -1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="microsoft") returned 1 [0112.564] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="sophos") returned -1 [0112.564] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268e6f0 [0112.564] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be08 | out: hHeap=0x2680000) returned 1 [0112.564] PathFindExtensionW (pszPath="NoNetworkConnectionHoverOver.png") returned=".png" [0112.564] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0112.564] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0112.564] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0112.564] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0112.564] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0112.564] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0112.564] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0112.564] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0112.564] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0112.564] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0112.565] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0112.565] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0112.565] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0112.565] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0112.565] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0112.565] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0112.565] lstrcmpiW (lpString1="NoNetworkConnectionHoverOver.png", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0112.565] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x90) returned 0x268bd90 [0112.565] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnectionHoverOver.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnectionhoverover.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0112.566] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=2212) returned 1 [0112.566] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.566] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d42f8 [0112.566] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.566] SystemFunction036 (in: RandomBuffer=0x29d42f8, RandomBufferLength=0x10 | out: RandomBuffer=0x29d42f8) returned 1 [0112.566] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2498 [0112.566] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d2ac8 [0112.566] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2498*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d2498*, pdwDataLen=0x25beab8*=0x100) returned 1 [0112.566] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d2ac8*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d2ac8*, pdwDataLen=0x25beab4*=0x100) returned 1 [0112.566] GetTickCount () returned 0x115d3d7 [0112.566] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e5b0 [0112.566] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e5b0 | out: hHeap=0x2680000) returned 1 [0112.566] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x8a4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.567] SetLastError (dwErrCode=0x0) [0112.567] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2498*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2498*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.569] GetLastError () returned 0x0 [0112.569] GetLastError () returned 0x0 [0112.569] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x9a4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.569] WriteFile (in: hFile=0x26c, lpBuffer=0x29d2ac8*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d2ac8*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.569] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0xaa4, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.569] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3e176194, dwHighDateTime=0x1d5f971)) [0112.569] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268e788 [0112.569] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e788 | out: hHeap=0x2680000) returned 1 [0112.569] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0112.569] GetProcessHeap () returned 0xbc0000 [0112.569] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x8a4) returned 0xbe3f48 [0112.569] GetSystemDefaultLangID () returned 0xbd0409 [0112.569] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.569] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x8a4, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0x8a4, lpOverlapped=0x0) returned 1 [0112.570] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.570] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x8a4, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0x8a4, lpOverlapped=0x0) returned 1 [0112.570] GetProcessHeap () returned 0xbc0000 [0112.570] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0112.570] CloseHandle (hObject=0x26c) returned 1 [0112.570] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2498 | out: hHeap=0x2680000) returned 1 [0112.570] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d2ac8 | out: hHeap=0x2680000) returned 1 [0112.570] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.570] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d42f8 | out: hHeap=0x2680000) returned 1 [0112.570] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0xa0) returned 0x268be28 [0112.570] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnectionHoverOver.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnectionhoverover.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\NoNetworkConnectionHoverOver.png.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\nonetworkconnectionhoverover.png.nefilim")) returned 1 [0112.571] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268be28 | out: hHeap=0x2680000) returned 1 [0112.571] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.571] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea63c947, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="pass.png", cAlternateFileName="")) returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2=".") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="..") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="...") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="windows") returned -1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="$RECYCLE.BIN") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="rsa") returned -1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="NTDETECT.COM") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="ntldr") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="MSDOS.SYS") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="IO.SYS") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="boot.ini") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="AUTOEXEC.BAT") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="ntuser.dat") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="desktop.ini") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="CONFIG.SYS") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="RECYCLER") returned -1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="BOOTSECT.BAK") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="bootmgr") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="programdata") returned -1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="appdata") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="program files") returned -1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="program files (x86)") returned -1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="microsoft") returned 1 [0112.571] lstrcmpiW (lpString1="pass.png", lpString2="sophos") returned -1 [0112.571] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e788 [0112.571] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0112.572] PathFindExtensionW (pszPath="pass.png") returned=".png" [0112.572] lstrcmpiW (lpString1=".png", lpString2=".exe") returned 1 [0112.572] lstrcmpiW (lpString1=".png", lpString2=".log") returned 1 [0112.572] lstrcmpiW (lpString1=".png", lpString2=".cab") returned 1 [0112.572] lstrcmpiW (lpString1=".png", lpString2=".cmd") returned 1 [0112.572] lstrcmpiW (lpString1=".png", lpString2=".com") returned 1 [0112.572] lstrcmpiW (lpString1=".png", lpString2=".cpl") returned 1 [0112.572] lstrcmpiW (lpString1=".png", lpString2=".ini") returned 1 [0112.572] lstrcmpiW (lpString1=".png", lpString2=".dll") returned 1 [0112.572] lstrcmpiW (lpString1=".png", lpString2=".url") returned -1 [0112.572] lstrcmpiW (lpString1=".png", lpString2=".ttf") returned -1 [0112.572] lstrcmpiW (lpString1=".png", lpString2=".mp3") returned 1 [0112.572] lstrcmpiW (lpString1=".png", lpString2=".pif") returned 1 [0112.572] lstrcmpiW (lpString1=".png", lpString2=".mp4") returned 1 [0112.572] lstrcmpiW (lpString1=".png", lpString2=".NEFILIM") returned 1 [0112.572] lstrcmpiW (lpString1=".png", lpString2=".msi") returned 1 [0112.572] lstrcmpiW (lpString1=".png", lpString2=".lnk") returned 1 [0112.572] lstrcmpiW (lpString1="pass.png", lpString2="NEFILIM-DECRYPT.txt") returned 1 [0112.572] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x268e6f0 [0112.572] CreateFileW (lpFileName="C:\\Windows10Upgrade\\resources\\ux\\pass.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\pass.png"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x26c [0112.572] GetFileSizeEx (in: hFile=0x26c, lpFileSize=0x25beaf8 | out: lpFileSize=0x25beaf8*=1822) returned 1 [0112.572] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x268e228 [0112.572] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x10) returned 0x29d40e8 [0112.573] SystemFunction036 (in: RandomBuffer=0x268e228, RandomBufferLength=0x10 | out: RandomBuffer=0x268e228) returned 1 [0112.573] SystemFunction036 (in: RandomBuffer=0x29d40e8, RandomBufferLength=0x10 | out: RandomBuffer=0x29d40e8) returned 1 [0112.573] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3c50 [0112.573] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x100) returned 0x29d3200 [0112.573] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3c50*, pdwDataLen=0x25beab8*=0x10, dwBufLen=0x100 | out: pbData=0x29d3c50*, pdwDataLen=0x25beab8*=0x100) returned 1 [0112.573] CryptEncrypt (in: hKey=0xbe2508, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x29d3200*, pdwDataLen=0x25beab4*=0x10, dwBufLen=0x100 | out: pbData=0x29d3200*, pdwDataLen=0x25beab4*=0x100) returned 1 [0112.573] GetTickCount () returned 0x115d3e6 [0112.573] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x30) returned 0x268e4d0 [0112.573] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e4d0 | out: hHeap=0x2680000) returned 1 [0112.573] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x71e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.574] SetLastError (dwErrCode=0x0) [0112.574] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3c50*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3c50*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.575] GetLastError () returned 0x0 [0112.575] GetLastError () returned 0x0 [0112.575] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x81e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.575] WriteFile (in: hFile=0x26c, lpBuffer=0x29d3200*, nNumberOfBytesToWrite=0x100, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x29d3200*, lpNumberOfBytesWritten=0x25beb10*=0x100, lpOverlapped=0x0) returned 1 [0112.575] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x91e, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.576] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25beacc | out: lpSystemTimeAsFileTime=0x25beacc*(dwLowDateTime=0x3e176194, dwHighDateTime=0x1d5f971)) [0112.576] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x268bd90 [0112.576] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.576] WriteFile (in: hFile=0x26c, lpBuffer=0x2681fb8*, nNumberOfBytesToWrite=0x7, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0x2681fb8*, lpNumberOfBytesWritten=0x25beb10*=0x7, lpOverlapped=0x0) returned 1 [0112.576] GetProcessHeap () returned 0xbc0000 [0112.576] RtlAllocateHeap (HeapHandle=0xbc0000, Flags=0x0, Size=0x71e) returned 0xbe3f48 [0112.576] GetSystemDefaultLangID () returned 0xbd0409 [0112.576] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.576] ReadFile (in: hFile=0x26c, lpBuffer=0xbe3f48, nNumberOfBytesToRead=0x71e, lpNumberOfBytesRead=0x25beb1c, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesRead=0x25beb1c*=0x71e, lpOverlapped=0x0) returned 1 [0112.576] SetFilePointerEx (in: hFile=0x26c, liDistanceToMove=0x0, lpNewFilePointer=0x0, dwMoveMethod=0x0 | out: lpNewFilePointer=0x0) returned 1 [0112.576] WriteFile (in: hFile=0x26c, lpBuffer=0xbe3f48*, nNumberOfBytesToWrite=0x71e, lpNumberOfBytesWritten=0x25beb10, lpOverlapped=0x0 | out: lpBuffer=0xbe3f48*, lpNumberOfBytesWritten=0x25beb10*=0x71e, lpOverlapped=0x0) returned 1 [0112.576] GetProcessHeap () returned 0xbc0000 [0112.576] HeapFree (in: hHeap=0xbc0000, dwFlags=0x0, lpMem=0xbe3f48 | out: hHeap=0xbc0000) returned 1 [0112.576] CloseHandle (hObject=0x26c) returned 1 [0112.576] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3c50 | out: hHeap=0x2680000) returned 1 [0112.576] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d3200 | out: hHeap=0x2680000) returned 1 [0112.576] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e228 | out: hHeap=0x2680000) returned 1 [0112.576] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x29d40e8 | out: hHeap=0x2680000) returned 1 [0112.576] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x70) returned 0x268bd90 [0112.576] MoveFileW (lpExistingFileName="C:\\Windows10Upgrade\\resources\\ux\\pass.png" (normalized: "c:\\windows10upgrade\\resources\\ux\\pass.png"), lpNewFileName="C:\\Windows10Upgrade\\resources\\ux\\pass.png.NEFILIM" (normalized: "c:\\windows10upgrade\\resources\\ux\\pass.png.nefilim")) returned 1 [0112.577] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268bd90 | out: hHeap=0x2680000) returned 1 [0112.577] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e6f0 | out: hHeap=0x2680000) returned 1 [0112.577] FindNextFileW (in: hFindFile=0xbe2888, lpFindFileData=0x25bec08 | out: lpFindFileData=0x25bec08*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea63c947, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x1939000, ftLastWriteTime.dwHighDateTime=0x1d2ea8a, nFileSizeHigh=0x0, nFileSizeLow=0x71e, dwReserved0=0x268e6f0, dwReserved1=0x2000000, cFileName="pass.png", cAlternateFileName="")) returned 0 [0112.577] FindClose (in: hFindFile=0xbe2888 | out: hFindFile=0xbe2888) returned 1 [0112.577] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e788 | out: hHeap=0x2680000) returned 1 [0112.577] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0112.577] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0112.577] FindNextFileW (in: hFindFile=0xbe2988, lpFindFileData=0x25bef28 | out: lpFindFileData=0x25bef28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea3b3c1b, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63c947, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xea63c947, ftLastWriteTime.dwHighDateTime=0x1d32736, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ux", cAlternateFileName="")) returned 0 [0112.577] FindClose (in: hFindFile=0xbe2988 | out: hFindFile=0xbe2988) returned 1 [0112.577] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26812c0 | out: hHeap=0x2680000) returned 1 [0112.577] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0112.577] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0112.577] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea9ef415, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea9ef415, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0x624407ed, ftLastWriteTime.dwHighDateTime=0x1d3273e, nFileSizeHigh=0x0, nFileSizeLow=0x3d14a, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="upgrader_default.log", cAlternateFileName="UPGRAD~1.LOG")) returned 1 [0112.577] lstrcmpiW (lpString1="upgrader_default.log", lpString2=".") returned 1 [0112.577] lstrcmpiW (lpString1="upgrader_default.log", lpString2="..") returned 1 [0112.577] lstrcmpiW (lpString1="upgrader_default.log", lpString2="...") returned 1 [0112.577] lstrcmpiW (lpString1="upgrader_default.log", lpString2="windows") returned -1 [0112.577] lstrcmpiW (lpString1="upgrader_default.log", lpString2="$RECYCLE.BIN") returned 1 [0112.577] lstrcmpiW (lpString1="upgrader_default.log", lpString2="rsa") returned 1 [0112.577] lstrcmpiW (lpString1="upgrader_default.log", lpString2="NTDETECT.COM") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="ntldr") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="MSDOS.SYS") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="IO.SYS") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="boot.ini") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="AUTOEXEC.BAT") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="ntuser.dat") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="desktop.ini") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="CONFIG.SYS") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="RECYCLER") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="BOOTSECT.BAK") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="bootmgr") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="programdata") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="appdata") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="program files") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="program files (x86)") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="microsoft") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_default.log", lpString2="sophos") returned 1 [0112.578] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681278 [0112.578] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0112.578] PathFindExtensionW (pszPath="upgrader_default.log") returned=".log" [0112.578] lstrcmpiW (lpString1=".log", lpString2=".exe") returned 1 [0112.578] lstrcmpiW (lpString1=".log", lpString2=".log") returned 0 [0112.578] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xccdc86a8, ftCreationTime.dwHighDateTime=0x1d32743, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0x32fe02cc, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x5044, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="upgrader_win10.log", cAlternateFileName="UPGRAD~2.LOG")) returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_win10.log", lpString2=".") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="..") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="...") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="windows") returned -1 [0112.578] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="$RECYCLE.BIN") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="rsa") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="NTDETECT.COM") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="ntldr") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="MSDOS.SYS") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="IO.SYS") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="boot.ini") returned 1 [0112.578] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="AUTOEXEC.BAT") returned 1 [0112.579] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="ntuser.dat") returned 1 [0112.579] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="desktop.ini") returned 1 [0112.579] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="CONFIG.SYS") returned 1 [0112.579] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="RECYCLER") returned 1 [0112.579] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="BOOTSECT.BAK") returned 1 [0112.579] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="bootmgr") returned 1 [0112.579] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="programdata") returned 1 [0112.579] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="appdata") returned 1 [0112.579] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="program files") returned 1 [0112.579] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="program files (x86)") returned 1 [0112.579] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="microsoft") returned 1 [0112.579] lstrcmpiW (lpString1="upgrader_win10.log", lpString2="sophos") returned 1 [0112.579] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0112.579] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0112.579] PathFindExtensionW (pszPath="upgrader_win10.log") returned=".log" [0112.579] lstrcmpiW (lpString1=".log", lpString2=".exe") returned 1 [0112.579] lstrcmpiW (lpString1=".log", lpString2=".log") returned 0 [0112.579] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea63f06a, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea63f06a, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x880c8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="wimgapi.dll", cAlternateFileName="")) returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2=".") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="..") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="...") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="windows") returned -1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="$RECYCLE.BIN") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="rsa") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="NTDETECT.COM") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="ntldr") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="MSDOS.SYS") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="IO.SYS") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="boot.ini") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="AUTOEXEC.BAT") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="ntuser.dat") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="desktop.ini") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="CONFIG.SYS") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="RECYCLER") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="BOOTSECT.BAK") returned 1 [0112.579] lstrcmpiW (lpString1="wimgapi.dll", lpString2="bootmgr") returned 1 [0112.580] lstrcmpiW (lpString1="wimgapi.dll", lpString2="programdata") returned 1 [0112.580] lstrcmpiW (lpString1="wimgapi.dll", lpString2="appdata") returned 1 [0112.580] lstrcmpiW (lpString1="wimgapi.dll", lpString2="program files") returned 1 [0112.580] lstrcmpiW (lpString1="wimgapi.dll", lpString2="program files (x86)") returned 1 [0112.580] lstrcmpiW (lpString1="wimgapi.dll", lpString2="microsoft") returned 1 [0112.580] lstrcmpiW (lpString1="wimgapi.dll", lpString2="sophos") returned 1 [0112.580] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x26814b8 [0112.580] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0112.580] PathFindExtensionW (pszPath="wimgapi.dll") returned=".dll" [0112.580] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0112.580] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0112.580] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0112.580] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0112.580] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0112.580] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0112.580] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0112.580] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0112.580] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea642af3, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea642af3, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0xdf8c8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="windlp.dll", cAlternateFileName="")) returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2=".") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="..") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="...") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="windows") returned -1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="$RECYCLE.BIN") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="rsa") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="NTDETECT.COM") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="ntldr") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="MSDOS.SYS") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="IO.SYS") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="boot.ini") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="AUTOEXEC.BAT") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="ntuser.dat") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="desktop.ini") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="CONFIG.SYS") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="RECYCLER") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="BOOTSECT.BAK") returned 1 [0112.580] lstrcmpiW (lpString1="windlp.dll", lpString2="bootmgr") returned 1 [0112.581] lstrcmpiW (lpString1="windlp.dll", lpString2="programdata") returned 1 [0112.581] lstrcmpiW (lpString1="windlp.dll", lpString2="appdata") returned 1 [0112.581] lstrcmpiW (lpString1="windlp.dll", lpString2="program files") returned 1 [0112.581] lstrcmpiW (lpString1="windlp.dll", lpString2="program files (x86)") returned 1 [0112.581] lstrcmpiW (lpString1="windlp.dll", lpString2="microsoft") returned 1 [0112.581] lstrcmpiW (lpString1="windlp.dll", lpString2="sophos") returned 1 [0112.581] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x40) returned 0x2682328 [0112.581] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26814b8 | out: hHeap=0x2680000) returned 1 [0112.581] PathFindExtensionW (pszPath="windlp.dll") returned=".dll" [0112.581] lstrcmpiW (lpString1=".dll", lpString2=".exe") returned -1 [0112.581] lstrcmpiW (lpString1=".dll", lpString2=".log") returned -1 [0112.581] lstrcmpiW (lpString1=".dll", lpString2=".cab") returned 1 [0112.581] lstrcmpiW (lpString1=".dll", lpString2=".cmd") returned 1 [0112.581] lstrcmpiW (lpString1=".dll", lpString2=".com") returned 1 [0112.581] lstrcmpiW (lpString1=".dll", lpString2=".cpl") returned 1 [0112.581] lstrcmpiW (lpString1=".dll", lpString2=".ini") returned -1 [0112.581] lstrcmpiW (lpString1=".dll", lpString2=".dll") returned 0 [0112.581] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea64a022, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea64a022, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x159ac8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="Windows10UpgraderApp.exe", cAlternateFileName="WINDOW~1.EXE")) returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2=".") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="..") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="...") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="windows") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="$RECYCLE.BIN") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="rsa") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="NTDETECT.COM") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="ntldr") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="MSDOS.SYS") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="IO.SYS") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="boot.ini") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="AUTOEXEC.BAT") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="ntuser.dat") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="desktop.ini") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="CONFIG.SYS") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="RECYCLER") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="BOOTSECT.BAK") returned 1 [0112.581] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="bootmgr") returned 1 [0112.582] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="programdata") returned 1 [0112.582] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="appdata") returned 1 [0112.582] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="program files") returned 1 [0112.582] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="program files (x86)") returned 1 [0112.582] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="microsoft") returned 1 [0112.582] lstrcmpiW (lpString1="Windows10UpgraderApp.exe", lpString2="sophos") returned 1 [0112.582] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x60) returned 0x2681278 [0112.582] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2682328 | out: hHeap=0x2680000) returned 1 [0112.582] PathFindExtensionW (pszPath="Windows10UpgraderApp.exe") returned=".exe" [0112.582] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0112.582] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea64ee41, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea64ee41, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x62c8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="WinREBootApp32.exe", cAlternateFileName="WINREB~1.EXE")) returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2=".") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="..") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="...") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="windows") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="$RECYCLE.BIN") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="rsa") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="NTDETECT.COM") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="ntldr") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="MSDOS.SYS") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="IO.SYS") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="boot.ini") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="AUTOEXEC.BAT") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="ntuser.dat") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="desktop.ini") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="CONFIG.SYS") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="RECYCLER") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="BOOTSECT.BAK") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="bootmgr") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="programdata") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="appdata") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="program files") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="program files (x86)") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="microsoft") returned 1 [0112.582] lstrcmpiW (lpString1="WinREBootApp32.exe", lpString2="sophos") returned 1 [0112.582] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x26804b8 [0112.583] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2681278 | out: hHeap=0x2680000) returned 1 [0112.583] PathFindExtensionW (pszPath="WinREBootApp32.exe") returned=".exe" [0112.583] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0112.583] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6528e0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6528e0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x64c8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="WinREBootApp64.exe", cAlternateFileName="WINREB~2.EXE")) returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2=".") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="..") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="...") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="windows") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="$RECYCLE.BIN") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="rsa") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="NTDETECT.COM") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="ntldr") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="MSDOS.SYS") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="IO.SYS") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="boot.ini") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="AUTOEXEC.BAT") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="ntuser.dat") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="desktop.ini") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="CONFIG.SYS") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="RECYCLER") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="BOOTSECT.BAK") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="bootmgr") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="programdata") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="appdata") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="program files") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="program files (x86)") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="microsoft") returned 1 [0112.583] lstrcmpiW (lpString1="WinREBootApp64.exe", lpString2="sophos") returned 1 [0112.583] RtlAllocateHeap (HeapHandle=0x2680000, Flags=0x0, Size=0x50) returned 0x2680510 [0112.583] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x26804b8 | out: hHeap=0x2680000) returned 1 [0112.583] PathFindExtensionW (pszPath="WinREBootApp64.exe") returned=".exe" [0112.583] lstrcmpiW (lpString1=".exe", lpString2=".exe") returned 0 [0112.583] FindNextFileW (in: hFindFile=0xbe2588, lpFindFileData=0x25bf248 | out: lpFindFileData=0x25bf248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xea6528e0, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xea6528e0, ftLastAccessTime.dwHighDateTime=0x1d32736, ftLastWriteTime.dwLowDateTime=0xfb529700, ftLastWriteTime.dwHighDateTime=0x1d2fc76, nFileSizeHigh=0x0, nFileSizeLow=0x64c8, dwReserved0=0x25bf288, dwReserved1=0x400, cFileName="WinREBootApp64.exe", cAlternateFileName="WINREB~2.EXE")) returned 0 [0112.584] FindClose (in: hFindFile=0xbe2588 | out: hFindFile=0xbe2588) returned 1 [0112.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x2680510 | out: hHeap=0x2680000) returned 1 [0112.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e658 | out: hHeap=0x2680000) returned 1 [0112.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e578 | out: hHeap=0x2680000) returned 1 [0112.584] FindNextFileW (in: hFindFile=0xbe2448, lpFindFileData=0x25bf568 | out: lpFindFileData=0x25bf568*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xea34fa37, ftCreationTime.dwHighDateTime=0x1d32736, ftLastAccessTime.dwLowDateTime=0xccdc86a8, ftLastAccessTime.dwHighDateTime=0x1d32743, ftLastWriteTime.dwLowDateTime=0xccdc86a8, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Windows10Upgrade", cAlternateFileName="WINDOW~1")) returned 0 [0112.584] FindClose (in: hFindFile=0xbe2448 | out: hFindFile=0xbe2448) returned 1 [0112.584] HeapFree (in: hHeap=0x2680000, dwFlags=0x0, lpMem=0x268e620 | out: hHeap=0x2680000) returned 1 Thread: id = 4 os_tid = 0xf94 Thread: id = 5 os_tid = 0xf8c Thread: id = 6 os_tid = 0x7e4 Thread: id = 7 os_tid = 0xd14 Thread: id = 8 os_tid = 0x778 Thread: id = 9 os_tid = 0xd64 Thread: id = 10 os_tid = 0xd44 Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4c27d000" os_pid = "0x5b0" os_integrity_level = "0x4000" os_privileges = "0x260814080" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x23c" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k appmodel" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\tiledatamodelsvc" [0xa], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000f8bc" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 11 os_tid = 0x9bc Thread: id = 12 os_tid = 0x7ec Thread: id = 13 os_tid = 0x770 Thread: id = 14 os_tid = 0x7d8 Thread: id = 15 os_tid = 0x698 Thread: id = 16 os_tid = 0x690 Thread: id = 17 os_tid = 0x5fc Thread: id = 18 os_tid = 0x5f8 Thread: id = 19 os_tid = 0x5f4 Thread: id = 20 os_tid = 0x5b4 Process: id = "3" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x203c0000" os_pid = "0xd84" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x11f8" cmd_line = "\"C:\\Windows\\System32\\cmd.exe\" /c timeout /t 3 /nobreak && del \"C:\\Users\\FD1HVy\\Desktop\\1.exe\" /s /f /q" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 21 os_tid = 0xaac [0122.302] GetModuleHandleA (lpModuleName=0x0) returned 0x1b0000 [0122.302] __set_app_type (_Type=0x1) [0122.302] __p__fmode () returned 0x776f3c14 [0122.302] __p__commode () returned 0x776f49ec [0122.302] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1c6fd0) returned 0x0 [0122.302] __getmainargs (in: _Argc=0x1dd1a4, _Argv=0x1dd1a8, _Env=0x1dd1ac, _DoWildCard=0, _StartInfo=0x1dd1b8 | out: _Argc=0x1dd1a4, _Argv=0x1dd1a8, _Env=0x1dd1ac) returned 0 [0122.302] _onexit (_Func=0x1c8030) returned 0x1c8030 [0122.303] _onexit (_Func=0x1c8040) returned 0x1c8040 [0122.303] _onexit (_Func=0x1c8050) returned 0x1c8050 [0122.303] _onexit (_Func=0x1c8060) returned 0x1c8060 [0122.303] _onexit (_Func=0x1c8070) returned 0x1c8070 [0122.306] _onexit (_Func=0x1c8080) returned 0x1c8080 [0122.306] GetCurrentThreadId () returned 0xaac [0122.306] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xaac) returned 0xbc [0122.306] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0122.306] GetProcAddress (hModule=0x772d0000, lpProcName="SetThreadUILanguage") returned 0x772e4f70 [0122.306] SetThreadUILanguage (LangId=0x0) returned 0x24c0409 [0122.315] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0122.315] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26ffc04 | out: phkResult=0x26ffc04*=0x0) returned 0x2 [0122.316] VirtualQuery (in: lpAddress=0x26ffc0f, lpBuffer=0x26ffbbc, dwLength=0x1c | out: lpBuffer=0x26ffbbc*(BaseAddress=0x26ff000, AllocationBase=0x2600000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0122.316] VirtualQuery (in: lpAddress=0x2600000, lpBuffer=0x26ffbbc, dwLength=0x1c | out: lpBuffer=0x26ffbbc*(BaseAddress=0x2600000, AllocationBase=0x2600000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0122.316] VirtualQuery (in: lpAddress=0x2601000, lpBuffer=0x26ffbbc, dwLength=0x1c | out: lpBuffer=0x26ffbbc*(BaseAddress=0x2601000, AllocationBase=0x2600000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0122.316] VirtualQuery (in: lpAddress=0x2603000, lpBuffer=0x26ffbbc, dwLength=0x1c | out: lpBuffer=0x26ffbbc*(BaseAddress=0x2603000, AllocationBase=0x2600000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0122.316] VirtualQuery (in: lpAddress=0x2700000, lpBuffer=0x26ffbbc, dwLength=0x1c | out: lpBuffer=0x26ffbbc*(BaseAddress=0x2700000, AllocationBase=0x2700000, AllocationProtect=0x2, RegionSize=0xc5000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0122.316] GetConsoleOutputCP () returned 0x1b5 [0122.316] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1e3850 | out: lpCPInfo=0x1e3850) returned 1 [0122.317] SetConsoleCtrlHandler (HandlerRoutine=0x1d7260, Add=1) returned 1 [0122.317] _get_osfhandle (_FileHandle=1) returned 0x90 [0122.317] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x1e388c | out: lpMode=0x1e388c) returned 1 [0122.317] _get_osfhandle (_FileHandle=0) returned 0x8c [0122.317] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0x1e3888 | out: lpMode=0x1e3888) returned 1 [0122.317] _get_osfhandle (_FileHandle=1) returned 0x90 [0122.317] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x0) returned 1 [0122.318] _get_osfhandle (_FileHandle=1) returned 0x90 [0122.318] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x1e3890 | out: lpMode=0x1e3890) returned 1 [0122.318] _get_osfhandle (_FileHandle=1) returned 0x90 [0122.318] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0122.318] _get_osfhandle (_FileHandle=0) returned 0x8c [0122.318] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0x1e3894 | out: lpMode=0x1e3894) returned 1 [0122.318] _get_osfhandle (_FileHandle=0) returned 0x8c [0122.318] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0122.319] GetEnvironmentStringsW () returned 0x28e4c28* [0122.319] GetProcessHeap () returned 0x28e0000 [0122.319] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0xaca) returned 0x28e5700 [0122.319] FreeEnvironmentStringsA (penv="A") returned 1 [0122.319] GetProcessHeap () returned 0x28e0000 [0122.319] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x4) returned 0x28e4708 [0122.319] GetEnvironmentStringsW () returned 0x28e4c28* [0122.319] GetProcessHeap () returned 0x28e0000 [0122.319] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0xaca) returned 0x28e61d8 [0122.319] FreeEnvironmentStringsA (penv="A") returned 1 [0122.319] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26feb60 | out: phkResult=0x26feb60*=0xcc) returned 0x0 [0122.319] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26feb68, lpData=0x26feb6c, lpcbData=0x26feb64*=0x1000 | out: lpType=0x26feb68*=0x0, lpData=0x26feb6c*=0x0, lpcbData=0x26feb64*=0x1000) returned 0x2 [0122.319] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26feb68, lpData=0x26feb6c, lpcbData=0x26feb64*=0x1000 | out: lpType=0x26feb68*=0x4, lpData=0x26feb6c*=0x1, lpcbData=0x26feb64*=0x4) returned 0x0 [0122.319] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26feb68, lpData=0x26feb6c, lpcbData=0x26feb64*=0x1000 | out: lpType=0x26feb68*=0x0, lpData=0x26feb6c*=0x1, lpcbData=0x26feb64*=0x1000) returned 0x2 [0122.319] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26feb68, lpData=0x26feb6c, lpcbData=0x26feb64*=0x1000 | out: lpType=0x26feb68*=0x4, lpData=0x26feb6c*=0x0, lpcbData=0x26feb64*=0x4) returned 0x0 [0122.320] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26feb68, lpData=0x26feb6c, lpcbData=0x26feb64*=0x1000 | out: lpType=0x26feb68*=0x4, lpData=0x26feb6c*=0x40, lpcbData=0x26feb64*=0x4) returned 0x0 [0122.320] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26feb68, lpData=0x26feb6c, lpcbData=0x26feb64*=0x1000 | out: lpType=0x26feb68*=0x4, lpData=0x26feb6c*=0x40, lpcbData=0x26feb64*=0x4) returned 0x0 [0122.320] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26feb68, lpData=0x26feb6c, lpcbData=0x26feb64*=0x1000 | out: lpType=0x26feb68*=0x0, lpData=0x26feb6c*=0x40, lpcbData=0x26feb64*=0x1000) returned 0x2 [0122.320] RegCloseKey (hKey=0xcc) returned 0x0 [0122.320] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26feb60 | out: phkResult=0x26feb60*=0xcc) returned 0x0 [0122.320] RegQueryValueExW (in: hKey=0xcc, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26feb68, lpData=0x26feb6c, lpcbData=0x26feb64*=0x1000 | out: lpType=0x26feb68*=0x0, lpData=0x26feb6c*=0x40, lpcbData=0x26feb64*=0x1000) returned 0x2 [0122.320] RegQueryValueExW (in: hKey=0xcc, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26feb68, lpData=0x26feb6c, lpcbData=0x26feb64*=0x1000 | out: lpType=0x26feb68*=0x4, lpData=0x26feb6c*=0x1, lpcbData=0x26feb64*=0x4) returned 0x0 [0122.320] RegQueryValueExW (in: hKey=0xcc, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26feb68, lpData=0x26feb6c, lpcbData=0x26feb64*=0x1000 | out: lpType=0x26feb68*=0x0, lpData=0x26feb6c*=0x1, lpcbData=0x26feb64*=0x1000) returned 0x2 [0122.320] RegQueryValueExW (in: hKey=0xcc, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26feb68, lpData=0x26feb6c, lpcbData=0x26feb64*=0x1000 | out: lpType=0x26feb68*=0x4, lpData=0x26feb6c*=0x0, lpcbData=0x26feb64*=0x4) returned 0x0 [0122.320] RegQueryValueExW (in: hKey=0xcc, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26feb68, lpData=0x26feb6c, lpcbData=0x26feb64*=0x1000 | out: lpType=0x26feb68*=0x4, lpData=0x26feb6c*=0x9, lpcbData=0x26feb64*=0x4) returned 0x0 [0122.320] RegQueryValueExW (in: hKey=0xcc, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26feb68, lpData=0x26feb6c, lpcbData=0x26feb64*=0x1000 | out: lpType=0x26feb68*=0x4, lpData=0x26feb6c*=0x9, lpcbData=0x26feb64*=0x4) returned 0x0 [0122.320] RegQueryValueExW (in: hKey=0xcc, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26feb68, lpData=0x26feb6c, lpcbData=0x26feb64*=0x1000 | out: lpType=0x26feb68*=0x0, lpData=0x26feb6c*=0x9, lpcbData=0x26feb64*=0x1000) returned 0x2 [0122.320] RegCloseKey (hKey=0xcc) returned 0x0 [0122.320] time (in: timer=0x0 | out: timer=0x0) returned 0x5e6be50e [0122.320] srand (_Seed=0x5e6be50e) [0122.320] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c timeout /t 3 /nobreak && del \"C:\\Users\\FD1HVy\\Desktop\\1.exe\" /s /f /q" [0122.320] malloc (_Size=0x4000) returned 0x2bd21f0 [0122.321] GetCommandLineW () returned="\"C:\\Windows\\System32\\cmd.exe\" /c timeout /t 3 /nobreak && del \"C:\\Users\\FD1HVy\\Desktop\\1.exe\" /s /f /q" [0122.321] malloc (_Size=0xffce) returned 0x29e0048 [0122.321] ??_V@YAXPAX@Z () returned 0x26ffb44 [0122.322] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x29e0048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0122.323] malloc (_Size=0xffce) returned 0x29f0020 [0122.323] ??_V@YAXPAX@Z () returned 0x26ff918 [0122.323] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x29f0020, nSize=0x7fe7 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0122.323] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x1df840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0122.323] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1df840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0122.324] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x1df840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0122.324] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0122.324] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0122.324] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0122.324] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0122.324] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0122.324] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0122.324] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0122.324] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0122.324] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0122.324] GetProcessHeap () returned 0x28e0000 [0122.324] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e5700) returned 1 [0122.324] GetEnvironmentStringsW () returned 0x28e4c28* [0122.324] GetProcessHeap () returned 0x28e0000 [0122.324] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0xae2) returned 0x28e77a0 [0122.324] FreeEnvironmentStringsA (penv="A") returned 1 [0122.324] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x1df840, nSize=0x2000 | out: lpBuffer="C:\\WINDOWS\\system32\\cmd.exe") returned 0x1b [0122.324] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x1df840, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0122.324] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0122.324] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0122.325] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0122.325] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0122.325] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0122.325] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0122.325] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0122.325] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0122.325] malloc (_Size=0xffce) returned 0x29ffff8 [0122.325] ??_V@YAXPAX@Z () returned 0x26ff6b0 [0122.325] GetProcessHeap () returned 0x28e0000 [0122.325] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x38) returned 0x28e0ae0 [0122.325] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x29ffff8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0122.326] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x7fe7, lpBuffer=0x29ffff8, lpFilePart=0x26ff6fc | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x26ff6fc*="Desktop") returned 0x17 [0122.326] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0122.326] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x26ff480 | out: lpFindFileData=0x26ff480*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0x475bb883, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x475bb883, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Users", cAlternateFileName="")) returned 0x28e0b20 [0122.326] FindClose (in: hFindFile=0x28e0b20 | out: hFindFile=0x28e0b20) returned 1 [0122.326] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy", lpFindFileData=0x26ff480 | out: lpFindFileData=0x26ff480*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FD1HVy", cAlternateFileName="")) returned 0x28e0b20 [0122.327] FindClose (in: hFindFile=0x28e0b20 | out: hFindFile=0x28e0b20) returned 1 [0122.327] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", lpFindFileData=0x26ff480 | out: lpFindFileData=0x26ff480*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x39114b63, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x39114b63, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Desktop", cAlternateFileName="")) returned 0x28e0b20 [0122.327] FindClose (in: hFindFile=0x28e0b20 | out: hFindFile=0x28e0b20) returned 1 [0122.327] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0122.327] SetCurrentDirectoryW (lpPathName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 1 [0122.327] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\FD1HVy\\Desktop") returned 1 [0122.327] GetProcessHeap () returned 0x28e0000 [0122.327] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e77a0) returned 1 [0122.327] GetEnvironmentStringsW () returned 0x28e4c28* [0122.327] GetProcessHeap () returned 0x28e0000 [0122.327] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0xb1a) returned 0x28e6cb0 [0122.327] FreeEnvironmentStringsA (penv="=") returned 1 [0122.327] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x29e0048 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0122.327] GetProcessHeap () returned 0x28e0000 [0122.327] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e0ae0) returned 1 [0122.327] ??_V@YAXPAX@Z () returned 0x1 [0122.327] ??_V@YAXPAX@Z () returned 0x1 [0122.327] GetProcessHeap () returned 0x28e0000 [0122.327] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x400e) returned 0x28e8db8 [0122.328] GetProcessHeap () returned 0x28e0000 [0122.328] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x98) returned 0x28e77d8 [0122.328] GetProcessHeap () returned 0x28e0000 [0122.328] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e8db8) returned 1 [0122.328] GetConsoleOutputCP () returned 0x1b5 [0122.329] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1e3850 | out: lpCPInfo=0x1e3850) returned 1 [0122.329] GetUserDefaultLCID () returned 0x409 [0122.329] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x1df82c, cchData=8 | out: lpLCData=":") returned 2 [0122.329] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26ffa6c, cchData=128 | out: lpLCData="0") returned 2 [0122.329] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26ffa6c, cchData=128 | out: lpLCData="0") returned 2 [0122.329] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26ffa6c, cchData=128 | out: lpLCData="1") returned 2 [0122.329] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x1df81c, cchData=8 | out: lpLCData="/") returned 2 [0122.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x1df7b8, cchData=32 | out: lpLCData="Mon") returned 4 [0122.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x1df778, cchData=32 | out: lpLCData="Tue") returned 4 [0122.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x1df738, cchData=32 | out: lpLCData="Wed") returned 4 [0122.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x1df6f8, cchData=32 | out: lpLCData="Thu") returned 4 [0122.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x1df6b8, cchData=32 | out: lpLCData="Fri") returned 4 [0122.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x1df678, cchData=32 | out: lpLCData="Sat") returned 4 [0122.330] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x1df638, cchData=32 | out: lpLCData="Sun") returned 4 [0122.330] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x1df80c, cchData=8 | out: lpLCData=".") returned 2 [0122.330] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x1df7f8, cchData=8 | out: lpLCData=",") returned 2 [0122.330] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0122.332] GetProcessHeap () returned 0x28e0000 [0122.332] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x0, Size=0x20c) returned 0x28e78c0 [0122.332] GetConsoleTitleW (in: lpConsoleTitle=0x28e78c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0122.332] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x772d0000 [0122.332] GetProcAddress (hModule=0x772d0000, lpProcName="CopyFileExW") returned 0x772e4330 [0122.332] GetProcAddress (hModule=0x772d0000, lpProcName="IsDebuggerPresent") returned 0x772e5930 [0122.332] GetProcAddress (hModule=0x772d0000, lpProcName="SetConsoleInputExeNameW") returned 0x74d009d0 [0122.332] ??_V@YAXPAX@Z () returned 0x1 [0122.333] GetProcessHeap () returned 0x28e0000 [0122.333] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x400a) returned 0x28e8db8 [0122.333] GetProcessHeap () returned 0x28e0000 [0122.333] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e8db8) returned 1 [0122.334] _wcsicmp (_String1="timeout", _String2=")") returned 75 [0122.334] _wcsicmp (_String1="FOR", _String2="timeout") returned -14 [0122.334] _wcsicmp (_String1="FOR/?", _String2="timeout") returned -14 [0122.334] _wcsicmp (_String1="IF", _String2="timeout") returned -11 [0122.334] _wcsicmp (_String1="IF/?", _String2="timeout") returned -11 [0122.334] _wcsicmp (_String1="REM", _String2="timeout") returned -2 [0122.334] _wcsicmp (_String1="REM/?", _String2="timeout") returned -2 [0122.334] GetProcessHeap () returned 0x28e0000 [0122.334] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x58) returned 0x28e7ad8 [0122.334] GetProcessHeap () returned 0x28e0000 [0122.334] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x18) returned 0x28e7b38 [0122.334] GetProcessHeap () returned 0x28e0000 [0122.335] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x28) returned 0x28e7b58 [0122.335] GetProcessHeap () returned 0x28e0000 [0122.335] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x58) returned 0x28e7b88 [0122.335] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0122.335] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0122.335] _wcsicmp (_String1="IF", _String2="del") returned 5 [0122.335] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0122.335] _wcsicmp (_String1="REM", _String2="del") returned 14 [0122.335] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0122.335] GetProcessHeap () returned 0x28e0000 [0122.335] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x58) returned 0x28e7be8 [0122.335] GetProcessHeap () returned 0x28e0000 [0122.335] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x10) returned 0x28e7c48 [0122.336] GetProcessHeap () returned 0x28e0000 [0122.336] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x5c) returned 0x28e7c60 [0122.337] GetConsoleTitleW (in: lpConsoleTitle=0x26ff900, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0122.337] malloc (_Size=0xffce) returned 0x29f2670 [0122.338] ??_V@YAXPAX@Z () returned 0x26ff68c [0122.338] malloc (_Size=0xffce) returned 0x2a02648 [0122.339] ??_V@YAXPAX@Z () returned 0x26ff444 [0122.339] _wcsicmp (_String1="timeout", _String2="DIR") returned 16 [0122.339] _wcsicmp (_String1="timeout", _String2="ERASE") returned 15 [0122.339] _wcsicmp (_String1="timeout", _String2="DEL") returned 16 [0122.339] _wcsicmp (_String1="timeout", _String2="TYPE") returned -16 [0122.339] _wcsicmp (_String1="timeout", _String2="COPY") returned 17 [0122.339] _wcsicmp (_String1="timeout", _String2="CD") returned 17 [0122.339] _wcsicmp (_String1="timeout", _String2="CHDIR") returned 17 [0122.340] _wcsicmp (_String1="timeout", _String2="RENAME") returned 2 [0122.340] _wcsicmp (_String1="timeout", _String2="REN") returned 2 [0122.340] _wcsicmp (_String1="timeout", _String2="ECHO") returned 15 [0122.340] _wcsicmp (_String1="timeout", _String2="SET") returned 1 [0122.340] _wcsicmp (_String1="timeout", _String2="PAUSE") returned 4 [0122.340] _wcsicmp (_String1="timeout", _String2="DATE") returned 16 [0122.340] _wcsicmp (_String1="timeout", _String2="TIME") returned 111 [0122.340] _wcsicmp (_String1="timeout", _String2="PROMPT") returned 4 [0122.340] _wcsicmp (_String1="timeout", _String2="MD") returned 7 [0122.340] _wcsicmp (_String1="timeout", _String2="MKDIR") returned 7 [0122.340] _wcsicmp (_String1="timeout", _String2="RD") returned 2 [0122.340] _wcsicmp (_String1="timeout", _String2="RMDIR") returned 2 [0122.340] _wcsicmp (_String1="timeout", _String2="PATH") returned 4 [0122.340] _wcsicmp (_String1="timeout", _String2="GOTO") returned 13 [0122.340] _wcsicmp (_String1="timeout", _String2="SHIFT") returned 1 [0122.340] _wcsicmp (_String1="timeout", _String2="CLS") returned 17 [0122.340] _wcsicmp (_String1="timeout", _String2="CALL") returned 17 [0122.340] _wcsicmp (_String1="timeout", _String2="VERIFY") returned -2 [0122.340] _wcsicmp (_String1="timeout", _String2="VER") returned -2 [0122.340] _wcsicmp (_String1="timeout", _String2="VOL") returned -2 [0122.340] _wcsicmp (_String1="timeout", _String2="EXIT") returned 15 [0122.340] _wcsicmp (_String1="timeout", _String2="SETLOCAL") returned 1 [0122.340] _wcsicmp (_String1="timeout", _String2="ENDLOCAL") returned 15 [0122.340] _wcsicmp (_String1="timeout", _String2="TITLE") returned -7 [0122.340] _wcsicmp (_String1="timeout", _String2="START") returned 1 [0122.340] _wcsicmp (_String1="timeout", _String2="DPATH") returned 16 [0122.340] _wcsicmp (_String1="timeout", _String2="KEYS") returned 9 [0122.340] _wcsicmp (_String1="timeout", _String2="MOVE") returned 7 [0122.340] _wcsicmp (_String1="timeout", _String2="PUSHD") returned 4 [0122.340] _wcsicmp (_String1="timeout", _String2="POPD") returned 4 [0122.340] _wcsicmp (_String1="timeout", _String2="ASSOC") returned 19 [0122.340] _wcsicmp (_String1="timeout", _String2="FTYPE") returned 14 [0122.340] _wcsicmp (_String1="timeout", _String2="BREAK") returned 18 [0122.340] _wcsicmp (_String1="timeout", _String2="COLOR") returned 17 [0122.340] _wcsicmp (_String1="timeout", _String2="MKLINK") returned 7 [0122.340] _wcsicmp (_String1="timeout", _String2="DIR") returned 16 [0122.341] _wcsicmp (_String1="timeout", _String2="ERASE") returned 15 [0122.341] _wcsicmp (_String1="timeout", _String2="DEL") returned 16 [0122.341] _wcsicmp (_String1="timeout", _String2="TYPE") returned -16 [0122.341] _wcsicmp (_String1="timeout", _String2="COPY") returned 17 [0122.341] _wcsicmp (_String1="timeout", _String2="CD") returned 17 [0122.341] _wcsicmp (_String1="timeout", _String2="CHDIR") returned 17 [0122.341] _wcsicmp (_String1="timeout", _String2="RENAME") returned 2 [0122.341] _wcsicmp (_String1="timeout", _String2="REN") returned 2 [0122.341] _wcsicmp (_String1="timeout", _String2="ECHO") returned 15 [0122.341] _wcsicmp (_String1="timeout", _String2="SET") returned 1 [0122.341] _wcsicmp (_String1="timeout", _String2="PAUSE") returned 4 [0122.341] _wcsicmp (_String1="timeout", _String2="DATE") returned 16 [0122.341] _wcsicmp (_String1="timeout", _String2="TIME") returned 111 [0122.341] _wcsicmp (_String1="timeout", _String2="PROMPT") returned 4 [0122.341] _wcsicmp (_String1="timeout", _String2="MD") returned 7 [0122.341] _wcsicmp (_String1="timeout", _String2="MKDIR") returned 7 [0122.341] _wcsicmp (_String1="timeout", _String2="RD") returned 2 [0122.341] _wcsicmp (_String1="timeout", _String2="RMDIR") returned 2 [0122.341] _wcsicmp (_String1="timeout", _String2="PATH") returned 4 [0122.341] _wcsicmp (_String1="timeout", _String2="GOTO") returned 13 [0122.341] _wcsicmp (_String1="timeout", _String2="SHIFT") returned 1 [0122.341] _wcsicmp (_String1="timeout", _String2="CLS") returned 17 [0122.341] _wcsicmp (_String1="timeout", _String2="CALL") returned 17 [0122.341] _wcsicmp (_String1="timeout", _String2="VERIFY") returned -2 [0122.341] _wcsicmp (_String1="timeout", _String2="VER") returned -2 [0122.341] _wcsicmp (_String1="timeout", _String2="VOL") returned -2 [0122.341] _wcsicmp (_String1="timeout", _String2="EXIT") returned 15 [0122.341] _wcsicmp (_String1="timeout", _String2="SETLOCAL") returned 1 [0122.341] _wcsicmp (_String1="timeout", _String2="ENDLOCAL") returned 15 [0122.341] _wcsicmp (_String1="timeout", _String2="TITLE") returned -7 [0122.341] _wcsicmp (_String1="timeout", _String2="START") returned 1 [0122.341] _wcsicmp (_String1="timeout", _String2="DPATH") returned 16 [0122.341] _wcsicmp (_String1="timeout", _String2="KEYS") returned 9 [0122.341] _wcsicmp (_String1="timeout", _String2="MOVE") returned 7 [0122.341] _wcsicmp (_String1="timeout", _String2="PUSHD") returned 4 [0122.341] _wcsicmp (_String1="timeout", _String2="POPD") returned 4 [0122.341] _wcsicmp (_String1="timeout", _String2="ASSOC") returned 19 [0122.341] _wcsicmp (_String1="timeout", _String2="FTYPE") returned 14 [0122.342] _wcsicmp (_String1="timeout", _String2="BREAK") returned 18 [0122.342] _wcsicmp (_String1="timeout", _String2="COLOR") returned 17 [0122.342] _wcsicmp (_String1="timeout", _String2="MKLINK") returned 7 [0122.342] _wcsicmp (_String1="timeout", _String2="FOR") returned 14 [0122.342] _wcsicmp (_String1="timeout", _String2="IF") returned 11 [0122.342] _wcsicmp (_String1="timeout", _String2="REM") returned 2 [0122.342] ??_V@YAXPAX@Z () returned 0x1 [0122.342] GetProcessHeap () returned 0x28e0000 [0122.342] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0xffd6) returned 0x28e8db8 [0122.343] GetProcessHeap () returned 0x28e0000 [0122.343] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x38) returned 0x28e7cc8 [0122.343] _wcsnicmp (_String1="time", _String2="cmd ", _MaxCount=0x4) returned 17 [0122.343] malloc (_Size=0xffce) returned 0x2a02648 [0122.343] ??_V@YAXPAX@Z () returned 0x26ff1c4 [0122.343] GetProcessHeap () returned 0x28e0000 [0122.343] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x1ffa4) returned 0x28f8d98 [0122.345] SetErrorMode (uMode=0x0) returned 0x0 [0122.345] SetErrorMode (uMode=0x1) returned 0x0 [0122.346] GetFullPathNameW (in: lpFileName=".", nBufferLength=0xffce, lpBuffer=0x28f8da0, lpFilePart=0x26ff1e4 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x26ff1e4*="Desktop") returned 0x17 [0122.346] SetErrorMode (uMode=0x0) returned 0x1 [0122.346] GetProcessHeap () returned 0x28e0000 [0122.346] RtlReAllocateHeap (Heap=0x28e0000, Flags=0x0, Ptr=0x28f8d98, Size=0x48) returned 0x28f8d98 [0122.346] GetProcessHeap () returned 0x28e0000 [0122.346] RtlSizeHeap (HeapHandle=0x28e0000, Flags=0x0, MemoryPointer=0x28f8d98) returned 0x48 [0122.346] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x1df840, nSize=0x2000 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0122.346] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0122.347] GetProcessHeap () returned 0x28e0000 [0122.347] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x1b4) returned 0x28e7d08 [0122.347] GetProcessHeap () returned 0x28e0000 [0122.347] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x360) returned 0x28e7ec8 [0122.356] GetProcessHeap () returned 0x28e0000 [0122.356] RtlReAllocateHeap (Heap=0x28e0000, Flags=0x0, Ptr=0x28e7ec8, Size=0x1b6) returned 0x28e7ec8 [0122.356] GetProcessHeap () returned 0x28e0000 [0122.356] RtlSizeHeap (HeapHandle=0x28e0000, Flags=0x0, MemoryPointer=0x28e7ec8) returned 0x1b6 [0122.356] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1df840, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0122.356] GetProcessHeap () returned 0x28e0000 [0122.356] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0xe0) returned 0x28e8088 [0122.357] GetProcessHeap () returned 0x28e0000 [0122.357] RtlReAllocateHeap (Heap=0x28e0000, Flags=0x0, Ptr=0x28e8088, Size=0x76) returned 0x28e8088 [0122.357] GetProcessHeap () returned 0x28e0000 [0122.357] RtlSizeHeap (HeapHandle=0x28e0000, Flags=0x0, MemoryPointer=0x28e8088) returned 0x76 [0122.357] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.358] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\timeout.*", fInfoLevelId=0x1, lpFindFileData=0x26fef70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26fef70) returned 0xffffffff [0122.358] GetLastError () returned 0x2 [0122.358] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.358] FindFirstFileExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\timeout.*", fInfoLevelId=0x1, lpFindFileData=0x26fef70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26fef70) returned 0xffffffff [0122.358] GetLastError () returned 0x2 [0122.358] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0122.358] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\timeout.*", fInfoLevelId=0x1, lpFindFileData=0x26fef70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26fef70) returned 0x28e8108 [0122.359] GetProcessHeap () returned 0x28e0000 [0122.359] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x0, Size=0x14) returned 0x28e8148 [0122.359] FindClose (in: hFindFile=0x28e8108 | out: hFindFile=0x28e8108) returned 1 [0122.359] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\timeout.COM", fInfoLevelId=0x1, lpFindFileData=0x26fef70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26fef70) returned 0xffffffff [0122.359] GetLastError () returned 0x2 [0122.359] FindFirstFileExW (in: lpFileName="C:\\WINDOWS\\system32\\timeout.EXE", fInfoLevelId=0x1, lpFindFileData=0x26fef70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26fef70) returned 0x28e8108 [0122.359] GetProcessHeap () returned 0x28e0000 [0122.359] RtlReAllocateHeap (Heap=0x28e0000, Flags=0x0, Ptr=0x28e8148, Size=0x4) returned 0x28e8148 [0122.359] FindClose (in: hFindFile=0x28e8108 | out: hFindFile=0x28e8108) returned 1 [0122.359] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0122.359] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0122.359] ??_V@YAXPAX@Z () returned 0x1 [0122.359] GetConsoleTitleW (in: lpConsoleTitle=0x26ff474, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0122.362] InitializeProcThreadAttributeList (in: lpAttributeList=0x26ff3a0, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26ff38c | out: lpAttributeList=0x26ff3a0, lpSize=0x26ff38c) returned 1 [0122.362] UpdateProcThreadAttribute (in: lpAttributeList=0x26ff3a0, dwFlags=0x0, Attribute=0x60001, lpValue=0x26ff388, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26ff3a0, lpPreviousValue=0x0) returned 1 [0122.362] GetStartupInfoW (in: lpStartupInfo=0x26ff3d8 | out: lpStartupInfo=0x26ff3d8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0122.362] GetProcessHeap () returned 0x28e0000 [0122.362] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x18) returned 0x28e8108 [0122.362] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0122.362] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0122.362] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0122.362] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0122.362] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0122.362] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0122.362] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0122.362] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0122.362] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0122.362] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0122.362] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0122.362] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0122.362] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0122.362] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0122.363] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0122.363] GetProcessHeap () returned 0x28e0000 [0122.363] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e8108) returned 1 [0122.363] GetProcessHeap () returned 0x28e0000 [0122.363] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0xa) returned 0x28e8108 [0122.363] lstrcmpW (lpString1="\\timeout.exe", lpString2="\\XCOPY.EXE") returned -1 [0122.391] _get_osfhandle (_FileHandle=1) returned 0x90 [0122.391] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 1 [0122.406] _get_osfhandle (_FileHandle=0) returned 0x8c [0122.406] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1f7) returned 1 [0122.417] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\system32\\timeout.exe", lpCommandLine="timeout /t 3 /nobreak ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x26ff328*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="timeout /t 3 /nobreak ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26ff374 | out: lpCommandLine="timeout /t 3 /nobreak ", lpProcessInformation=0x26ff374*(hProcess=0xe0, hThread=0xdc, dwProcessId=0xa7c, dwThreadId=0xe00)) returned 1 [0122.531] CloseHandle (hObject=0xdc) returned 1 [0122.531] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0122.531] GetProcessHeap () returned 0x28e0000 [0122.531] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e6cb0) returned 1 [0122.531] GetEnvironmentStringsW () returned 0x28e6cb0* [0122.531] GetProcessHeap () returned 0x28e0000 [0122.532] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0xb1a) returned 0x28e4c28 [0122.532] FreeEnvironmentStringsA (penv="=") returned 1 [0122.532] WaitForSingleObject (hHandle=0xe0, dwMilliseconds=0xffffffff) returned 0x0 [0125.504] GetExitCodeProcess (in: hProcess=0xe0, lpExitCode=0x26ff30c | out: lpExitCode=0x26ff30c*=0x0) returned 1 [0125.505] CloseHandle (hObject=0xe0) returned 1 [0125.505] _vsnwprintf (in: _Buffer=0x26ff3f4, _BufferCount=0x13, _Format="%08X", _ArgList=0x26ff314 | out: _Buffer="00000000") returned 8 [0125.505] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0125.506] GetProcessHeap () returned 0x28e0000 [0125.506] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e4c28) returned 1 [0125.506] GetEnvironmentStringsW () returned 0x28e4c28* [0125.506] GetProcessHeap () returned 0x28e0000 [0125.506] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0xb40) returned 0x28f9930 [0125.507] FreeEnvironmentStringsA (penv="=") returned 1 [0125.507] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0125.507] GetProcessHeap () returned 0x28e0000 [0125.507] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28f9930) returned 1 [0125.507] GetEnvironmentStringsW () returned 0x28e4c28* [0125.507] GetProcessHeap () returned 0x28e0000 [0125.507] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0xb40) returned 0x28f9930 [0125.507] FreeEnvironmentStringsA (penv="=") returned 1 [0125.507] GetProcessHeap () returned 0x28e0000 [0125.507] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e8108) returned 1 [0125.507] DeleteProcThreadAttributeList (in: lpAttributeList=0x26ff3a0 | out: lpAttributeList=0x26ff3a0) [0125.507] ??_V@YAXPAX@Z () returned 0x1 [0125.507] GetConsoleTitleW (in: lpConsoleTitle=0x26ff900, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1c [0125.614] malloc (_Size=0xffce) returned 0x29f2670 [0125.614] ??_V@YAXPAX@Z () returned 0x26ff68c [0125.614] malloc (_Size=0xffce) returned 0x2a02648 [0125.614] ??_V@YAXPAX@Z () returned 0x26ff444 [0125.614] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0125.614] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0125.614] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0125.614] ??_V@YAXPAX@Z () returned 0x1 [0125.615] GetProcessHeap () returned 0x28e0000 [0125.615] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0xb0) returned 0x28e0ae0 [0125.616] GetProcessHeap () returned 0x28e0000 [0125.616] RtlReAllocateHeap (Heap=0x28e0000, Flags=0x0, Ptr=0x28e0ae0, Size=0x62) returned 0x28e0ae0 [0125.616] GetProcessHeap () returned 0x28e0000 [0125.616] RtlSizeHeap (HeapHandle=0x28e0000, Flags=0x0, MemoryPointer=0x28e0ae0) returned 0x62 [0125.616] GetProcessHeap () returned 0x28e0000 [0125.616] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x64) returned 0x28e0b50 [0125.616] malloc (_Size=0xffce) returned 0x2a02648 [0125.616] ??_V@YAXPAX@Z () returned 0x26ff3d4 [0125.616] GetProcessHeap () returned 0x28e0000 [0125.616] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0xb0) returned 0x28e0bc0 [0125.616] GetProcessHeap () returned 0x28e0000 [0125.616] RtlReAllocateHeap (Heap=0x28e0000, Flags=0x0, Ptr=0x28e0bc0, Size=0x62) returned 0x28e0bc0 [0125.616] GetProcessHeap () returned 0x28e0000 [0125.616] RtlSizeHeap (HeapHandle=0x28e0000, Flags=0x0, MemoryPointer=0x28e0bc0) returned 0x62 [0125.616] GetProcessHeap () returned 0x28e0000 [0125.616] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x44) returned 0x28e0c30 [0125.616] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x2a02648 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0125.616] malloc (_Size=0xffd2) returned 0x2a12620 [0125.617] ??_V@YAXPAX@Z () returned 0x26ff18c [0125.617] malloc (_Size=0xffd2) returned 0x2a22600 [0125.617] ??_V@YAXPAX@Z () returned 0x26fed14 [0125.618] malloc (_Size=0xffd2) returned 0x2a325e0 [0125.618] ??_V@YAXPAX@Z () returned 0x26fed14 [0125.619] GetProcessHeap () returned 0x28e0000 [0125.619] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x38) returned 0x28e0c80 [0125.619] malloc (_Size=0xffce) returned 0x2a425c0 [0125.619] ??_V@YAXPAX@Z () returned 0x26fe6ac [0125.620] malloc (_Size=0xffce) returned 0x2a52598 [0125.620] ??_V@YAXPAX@Z () returned 0x26fe6ac [0125.620] malloc (_Size=0xffce) returned 0x2a62570 [0125.621] ??_V@YAXPAX@Z () returned 0x26fe45c [0125.621] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x2a62570 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0125.621] ??_V@YAXPAX@Z () returned 0x1 [0125.621] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x26fe6ec, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x2a425c0, nFileSystemNameSize=0x7fe7 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x26fe6ec*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0125.623] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0125.623] ??_V@YAXPAX@Z () returned 0x26fe6c4 [0125.623] ??_V@YAXPAX@Z () returned 0x1 [0125.624] ??_V@YAXPAX@Z () returned 0x1 [0125.625] malloc (_Size=0xffce) returned 0x2a425c0 [0125.625] ??_V@YAXPAX@Z () returned 0x26fead4 [0125.626] GetProcessHeap () returned 0x28e0000 [0125.626] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x2c) returned 0x28e0cc0 [0125.626] GetProcessHeap () returned 0x28e0000 [0125.626] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x258) returned 0x28e0ea8 [0125.626] _wcsicmp (_String1="1.exe", _String2=".") returned 3 [0125.626] _wcsicmp (_String1="1.exe", _String2="..") returned 3 [0125.626] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x20 [0125.626] GetProcessHeap () returned 0x28e0000 [0125.626] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0xffd6) returned 0x28fa478 [0125.626] GetCurrentDirectoryW (in: nBufferLength=0x7fe7, lpBuffer=0x28fa480 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0125.626] SetErrorMode (uMode=0x0) returned 0x0 [0125.626] SetErrorMode (uMode=0x1) returned 0x0 [0125.626] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\1.exe", nBufferLength=0x7fe7, lpBuffer=0x2a425c0, lpFilePart=0x26feaf4 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop\\1.exe", lpFilePart=0x26feaf4*="1.exe") returned 0x1d [0125.627] SetErrorMode (uMode=0x0) returned 0x1 [0125.627] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0125.627] GetProcessHeap () returned 0x28e0000 [0125.627] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x258) returned 0x28e1108 [0125.627] _wcsicmp (_String1="1.exe", _String2=".") returned 3 [0125.627] _wcsicmp (_String1="1.exe", _String2="..") returned 3 [0125.627] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop\\1.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\1.exe")) returned 0x20 [0125.627] ??_V@YAXPAX@Z () returned 0x1 [0125.627] GetProcessHeap () returned 0x28e0000 [0125.627] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x14) returned 0x28e0cf8 [0125.627] GetProcessHeap () returned 0x28e0000 [0125.627] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x38) returned 0x28e1368 [0125.627] GetProcessHeap () returned 0x28e0000 [0125.627] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x38) returned 0x28e13a8 [0125.627] ??_V@YAXPAX@Z () returned 0x1 [0125.628] ??_V@YAXPAX@Z () returned 0x1 [0125.630] malloc (_Size=0xffd2) returned 0x2a22600 [0125.631] ??_V@YAXPAX@Z () returned 0x26fee4c [0125.632] GetProcessHeap () returned 0x28e0000 [0125.632] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x808) returned 0x28e8290 [0125.632] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\1.exe", fInfoLevelId=0x0, lpFindFileData=0x28e829c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e829c) returned 0x28e13e8 [0125.632] malloc (_Size=0xffd2) returned 0x2a325e0 [0125.632] ??_V@YAXPAX@Z () returned 0x26fe9dc [0125.633] malloc (_Size=0xffd2) returned 0x2a425c0 [0125.633] ??_V@YAXPAX@Z () returned 0x26fe9dc [0125.633] RtlDosPathNameToRelativeNtPathName_U_WithStatus () returned 0x0 [0125.633] NtOpenFile (in: FileHandle=0x26fea04, DesiredAccess=0x10000, ObjectAttributes=0x26fe9cc*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\FD1HVy\\Desktop\\1.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x26fe9f4, ShareAccess=0x4, OpenOptions=0x5040 | out: FileHandle=0x26fea04*=0xdc, IoStatusBlock=0x26fe9f4*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0125.634] RtlReleaseRelativeName () returned 0x26fe9e4 [0125.634] RtlFreeAnsiString (AnsiString="\\") [0125.634] NtQueryVolumeInformationFile (in: FileHandle=0xdc, IoStatusBlock=0x26fe930, FsInformation=0x26fe938, Length=0x8, FsInformationClass=0x4 | out: IoStatusBlock=0x26fe930, FsInformation=0x26fe938) returned 0x0 [0125.634] CloseHandle (hObject=0xdc) returned 1 [0125.635] _get_osfhandle (_FileHandle=1) returned 0x90 [0125.635] GetFileType (hFile=0x90) returned 0x2 [0125.635] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0125.636] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x26fe978 | out: lpMode=0x26fe978) returned 1 [0125.743] _get_osfhandle (_FileHandle=1) returned 0x90 [0125.743] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x90, lpConsoleScreenBufferInfo=0x26fe9c8 | out: lpConsoleScreenBufferInfo=0x26fe9c8) returned 1 [0125.833] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x1eb990, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Deleted file - %1\r\n") returned 0x13 [0125.838] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x400023a1, dwLanguageId=0x0, lpBuffer=0x1eb990, nSize=0x2000, Arguments=0x26fe9f8 | out: lpBuffer="Deleted file - C:\\Users\\FD1HVy\\Desktop\\1.exe\r\n") returned 0x2e [0125.838] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x1eb990*, nNumberOfCharsToWrite=0x2e, lpNumberOfCharsWritten=0x26fe9ac, lpReserved=0x0 | out: lpBuffer=0x1eb990*, lpNumberOfCharsWritten=0x26fe9ac*=0x2e) returned 1 [0125.927] ??_V@YAXPAX@Z () returned 0x1 [0125.927] ??_V@YAXPAX@Z () returned 0x1 [0125.928] FindNextFileW (in: hFindFile=0x28e13e8, lpFindFileData=0x28e829c | out: lpFindFileData=0x28e829c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf9ce5500, ftCreationTime.dwHighDateTime=0x1d5f970, ftLastAccessTime.dwLowDateTime=0xf9ce5500, ftLastAccessTime.dwHighDateTime=0x1d5f970, ftLastWriteTime.dwLowDateTime=0xf76bfb00, ftLastWriteTime.dwHighDateTime=0x1d5f970, nFileSizeHigh=0x0, nFileSizeLow=0x11be0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.exe", cAlternateFileName="")) returned 0 [0125.929] GetLastError () returned 0x12 [0125.929] FindClose (in: hFindFile=0x28e13e8 | out: hFindFile=0x28e13e8) returned 1 [0125.929] ??_V@YAXPAX@Z () returned 0x1 [0125.931] GetProcessHeap () returned 0x28e0000 [0125.931] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e8290) returned 1 [0125.931] GetProcessHeap () returned 0x28e0000 [0125.931] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x38) returned 0x28e04a0 [0125.931] GetProcessHeap () returned 0x28e0000 [0125.931] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x18) returned 0x28e0d18 [0125.931] GetProcessHeap () returned 0x28e0000 [0125.931] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x38) returned 0x28e04e0 [0125.931] malloc (_Size=0xffd2) returned 0x2a22600 [0125.932] ??_V@YAXPAX@Z () returned 0x26fee4c [0125.932] GetProcessHeap () returned 0x28e0000 [0125.932] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x808) returned 0x28e8290 [0125.932] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\*", fInfoLevelId=0x0, lpFindFileData=0x28e829c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x28e829c) returned 0x28e0520 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e82d4 | out: lpFindFileData=0x28e82d4*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x3476bd48, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x45e054e5, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x45e054e5, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3d262540, ftCreationTime.dwHighDateTime=0x1d5efca, ftLastAccessTime.dwLowDateTime=0xb3cc4220, ftLastAccessTime.dwHighDateTime=0x1d5ed67, ftLastWriteTime.dwLowDateTime=0x3615f265, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x8558, dwReserved0=0x0, dwReserved1=0x0, cFileName="1TW9SdB_rYKNrSdh.xlsx.NEFILIM", cAlternateFileName="1TW9SD~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xbc8dc1f0, ftCreationTime.dwHighDateTime=0x1d5e2c1, ftLastAccessTime.dwLowDateTime=0xb08aeb40, ftLastAccessTime.dwHighDateTime=0x1d5ed92, ftLastWriteTime.dwLowDateTime=0x36243f8a, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0xc196, dwReserved0=0x0, dwReserved1=0x0, cFileName="3D6Vc1AFF.avi.NEFILIM", cAlternateFileName="3D6VC1~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6df0340, ftCreationTime.dwHighDateTime=0x1d5e0ec, ftLastAccessTime.dwLowDateTime=0x3d152ae0, ftLastAccessTime.dwHighDateTime=0x1d5e20c, ftLastWriteTime.dwLowDateTime=0x3d152ae0, ftLastWriteTime.dwHighDateTime=0x1d5e20c, nFileSizeHigh=0x0, nFileSizeLow=0x1945, dwReserved0=0x0, dwReserved1=0x0, cFileName="48TEEGm6yn.mp3", cAlternateFileName="48TEEG~1.MP3")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xadce65e0, ftCreationTime.dwHighDateTime=0x1d5e1b6, ftLastAccessTime.dwLowDateTime=0x98941950, ftLastAccessTime.dwHighDateTime=0x1d5e0b6, ftLastWriteTime.dwLowDateTime=0x36328ced, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x4f09, dwReserved0=0x0, dwReserved1=0x0, cFileName="5-63KTalCPSot.avi.NEFILIM", cAlternateFileName="5-63KT~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x48415280, ftCreationTime.dwHighDateTime=0x1d5e271, ftLastAccessTime.dwLowDateTime=0xaaa90eb0, ftLastAccessTime.dwHighDateTime=0x1d5ef17, ftLastWriteTime.dwLowDateTime=0x3640dc94, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x14698, dwReserved0=0x0, dwReserved1=0x0, cFileName="A4kgp6t_mQ4-EAf1V.m4a.NEFILIM", cAlternateFileName="A4KGP6~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa76278c0, ftCreationTime.dwHighDateTime=0x1d5ea41, ftLastAccessTime.dwLowDateTime=0x555cb930, ftLastAccessTime.dwHighDateTime=0x1d5ed59, ftLastWriteTime.dwLowDateTime=0x3658b515, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x35ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="aOpHgn1Yjf.bmp.NEFILIM", cAlternateFileName="AOPHGN~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe07ca4d0, ftCreationTime.dwHighDateTime=0x1d5ea61, ftLastAccessTime.dwLowDateTime=0xb6c8d310, ftLastAccessTime.dwHighDateTime=0x1d5ee95, ftLastWriteTime.dwLowDateTime=0x366bc78d, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x13e3f, dwReserved0=0x0, dwReserved1=0x0, cFileName="B7SxniXjnL9_BREh_l5.m4a.NEFILIM", cAlternateFileName="B7SXNI~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x35a095d0, ftCreationTime.dwHighDateTime=0x1d5e601, ftLastAccessTime.dwLowDateTime=0xc3e5d470, ftLastAccessTime.dwHighDateTime=0x1d5e6c6, ftLastWriteTime.dwLowDateTime=0xc3e5d470, ftLastWriteTime.dwHighDateTime=0x1d5e6c6, nFileSizeHigh=0x0, nFileSizeLow=0xc6ef, dwReserved0=0x0, dwReserved1=0x0, cFileName="CB-xuRgVFHqn_.mp3", cAlternateFileName="CB-XUR~1.MP3")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x26, ftCreationTime.dwLowDateTime=0x440792d0, ftCreationTime.dwHighDateTime=0x1d32722, ftLastAccessTime.dwLowDateTime=0x440792d0, ftLastAccessTime.dwHighDateTime=0x1d32722, ftLastWriteTime.dwLowDateTime=0xce389e99, ftLastWriteTime.dwHighDateTime=0x1d32743, nFileSizeHigh=0x0, nFileSizeLow=0x11a, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc1ac2720, ftCreationTime.dwHighDateTime=0x1d5e510, ftLastAccessTime.dwLowDateTime=0x19fb4b50, ftLastAccessTime.dwHighDateTime=0x1d5e5dd, ftLastWriteTime.dwLowDateTime=0x388b6021, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x9bd3, dwReserved0=0x0, dwReserved1=0x0, cFileName="DET2zaLAF42rhu8.wav.NEFILIM", cAlternateFileName="DET2ZA~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5f82ff90, ftCreationTime.dwHighDateTime=0x1d5ee2c, ftLastAccessTime.dwLowDateTime=0x7c8d9570, ftLastAccessTime.dwHighDateTime=0x1d5ec9a, ftLastWriteTime.dwLowDateTime=0x388dc312, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0xc73d, dwReserved0=0x0, dwReserved1=0x0, cFileName="e6_7HdfD2 NprSG.avi.NEFILIM", cAlternateFileName="E6_7HD~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x33e4b3f0, ftCreationTime.dwHighDateTime=0x1d5e6d0, ftLastAccessTime.dwLowDateTime=0xb9ab7080, ftLastAccessTime.dwHighDateTime=0x1d5ebeb, ftLastWriteTime.dwLowDateTime=0x388dc312, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0xcc68, dwReserved0=0x0, dwReserved1=0x0, cFileName="EilVUjIIPsRAx9--Hot.docx.NEFILIM", cAlternateFileName="EILVUJ~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x53d56b10, ftCreationTime.dwHighDateTime=0x1d5e7b5, ftLastAccessTime.dwLowDateTime=0xf50e0f0, ftLastAccessTime.dwHighDateTime=0x1d5e111, ftLastWriteTime.dwLowDateTime=0x38974bb0, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x17266, dwReserved0=0x0, dwReserved1=0x0, cFileName="geAiGPcb5FHg1.avi.NEFILIM", cAlternateFileName="GEAIGP~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x63a7b320, ftCreationTime.dwHighDateTime=0x1d5e230, ftLastAccessTime.dwLowDateTime=0x4a273ac0, ftLastAccessTime.dwHighDateTime=0x1d5efbd, ftLastWriteTime.dwLowDateTime=0x3899dbb7, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0xd692, dwReserved0=0x0, dwReserved1=0x0, cFileName="GEF2WVNfrMeJz.jpg.NEFILIM", cAlternateFileName="GEF2WV~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dc54840, ftCreationTime.dwHighDateTime=0x1d5e84c, ftLastAccessTime.dwLowDateTime=0xe7a2c640, ftLastAccessTime.dwHighDateTime=0x1d5e2ff, ftLastWriteTime.dwLowDateTime=0x38a7fb80, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0xf2db, dwReserved0=0x0, dwReserved1=0x0, cFileName="IKorNLwg2va0.flv.NEFILIM", cAlternateFileName="IKORNL~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e830c | out: lpFindFileData=0x28e830c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda9779f0, ftCreationTime.dwHighDateTime=0x1d5e822, ftLastAccessTime.dwLowDateTime=0x38e19bca, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x38e19bca, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iPRzSiHTAUeyM-d", cAlternateFileName="IPRZSI~1")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce241090, ftCreationTime.dwHighDateTime=0x1d5e370, ftLastAccessTime.dwLowDateTime=0x1d45f2e0, ftLastAccessTime.dwHighDateTime=0x1d5e995, ftLastWriteTime.dwLowDateTime=0x38e3fea2, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0xee81, dwReserved0=0x0, dwReserved1=0x0, cFileName="IY 9uezyn_XgTjW1YOa.flv.NEFILIM", cAlternateFileName="IY9UEZ~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x239a52c0, ftCreationTime.dwHighDateTime=0x1d5e6d0, ftLastAccessTime.dwLowDateTime=0xca154f40, ftLastAccessTime.dwHighDateTime=0x1d5e2e5, ftLastWriteTime.dwLowDateTime=0x38e3fea2, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x167cc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Je6LYK 6Lx.wav.NEFILIM", cAlternateFileName="JE6LYK~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4aa378f0, ftCreationTime.dwHighDateTime=0x1d5e915, ftLastAccessTime.dwLowDateTime=0xb4ff77b0, ftLastAccessTime.dwHighDateTime=0x1d5efe8, ftLastWriteTime.dwLowDateTime=0x38e66dc7, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x102d1, dwReserved0=0x0, dwReserved1=0x0, cFileName="jK3UiqMdVNzsBsO_I.m4a.NEFILIM", cAlternateFileName="JK3UIQ~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x36d09d00, ftCreationTime.dwHighDateTime=0x1d5f057, ftLastAccessTime.dwLowDateTime=0xbb0e5d00, ftLastAccessTime.dwHighDateTime=0x1d5ecc9, ftLastWriteTime.dwLowDateTime=0x38e66dc7, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x2dd4, dwReserved0=0x0, dwReserved1=0x0, cFileName="kDS-nb1BSH.png.NEFILIM", cAlternateFileName="KDS-NB~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xf4d02950, ftCreationTime.dwHighDateTime=0x1d5e45a, ftLastAccessTime.dwLowDateTime=0x9e9488d0, ftLastAccessTime.dwHighDateTime=0x1d5e570, ftLastWriteTime.dwLowDateTime=0x38efea3d, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x7ec5, dwReserved0=0x0, dwReserved1=0x0, cFileName="KHYINgV3G7QU.pptx.NEFILIM", cAlternateFileName="KHYING~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6c3899d0, ftCreationTime.dwHighDateTime=0x1d5e52f, ftLastAccessTime.dwLowDateTime=0xfe631650, ftLastAccessTime.dwHighDateTime=0x1d5e980, ftLastWriteTime.dwLowDateTime=0x38f24cbb, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x17f60, dwReserved0=0x0, dwReserved1=0x0, cFileName="ks3Rocg.xls.NEFILIM", cAlternateFileName="KS3ROC~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x81765f00, ftCreationTime.dwHighDateTime=0x1d5e451, ftLastAccessTime.dwLowDateTime=0xe6a666f0, ftLastAccessTime.dwHighDateTime=0x1d5e496, ftLastWriteTime.dwLowDateTime=0x38f24cbb, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x95b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="KSwkaBInUOxgrhJbAt.wav.NEFILIM", cAlternateFileName="KSWKAB~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5b2910d0, ftCreationTime.dwHighDateTime=0x1d5e3a3, ftLastAccessTime.dwLowDateTime=0x2e50bd20, ftLastAccessTime.dwHighDateTime=0x1d5f054, ftLastWriteTime.dwLowDateTime=0x38f4af21, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0xa42c, dwReserved0=0x0, dwReserved1=0x0, cFileName="Mx3wLhRE1ZvGkB8PB.gif.NEFILIM", cAlternateFileName="MX3WLH~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x75f70730, ftCreationTime.dwHighDateTime=0x1d5ed14, ftLastAccessTime.dwLowDateTime=0xaf976410, ftLastAccessTime.dwHighDateTime=0x1d5eb90, ftLastWriteTime.dwLowDateTime=0x38fe37c7, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x925b, dwReserved0=0x0, dwReserved1=0x0, cFileName="n51_ DrMwvEIpS.m4a.NEFILIM", cAlternateFileName="N51_DR~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb8fd93f0, ftCreationTime.dwHighDateTime=0x1d5e28d, ftLastAccessTime.dwLowDateTime=0xe3e15720, ftLastAccessTime.dwHighDateTime=0x1d5ede4, ftLastWriteTime.dwLowDateTime=0x38fe37c7, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0xbf80, dwReserved0=0x0, dwReserved1=0x0, cFileName="O2-LElLBnR9u591jQksK.jpg.NEFILIM", cAlternateFileName="O2-LEL~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7c36510, ftCreationTime.dwHighDateTime=0x1d5e7a3, ftLastAccessTime.dwLowDateTime=0xe559bc00, ftLastAccessTime.dwHighDateTime=0x1d5e5f1, ftLastWriteTime.dwLowDateTime=0xe559bc00, ftLastWriteTime.dwHighDateTime=0x1d5e5f1, nFileSizeHigh=0x0, nFileSizeLow=0x1673e, dwReserved0=0x0, dwReserved1=0x0, cFileName="P5OFM7V.mp3", cAlternateFileName="")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b201900, ftCreationTime.dwHighDateTime=0x1d5e4ef, ftLastAccessTime.dwLowDateTime=0x643c7390, ftLastAccessTime.dwHighDateTime=0x1d5ed69, ftLastWriteTime.dwLowDateTime=0x39009db7, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x13ced, dwReserved0=0x0, dwReserved1=0x0, cFileName="SDgo9.xls.NEFILIM", cAlternateFileName="SDGO9X~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb37ca400, ftCreationTime.dwHighDateTime=0x1d5f0b3, ftLastAccessTime.dwLowDateTime=0x236ab2d0, ftLastAccessTime.dwHighDateTime=0x1d5e505, ftLastWriteTime.dwLowDateTime=0x39009db7, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x8b9b, dwReserved0=0x0, dwReserved1=0x0, cFileName="sIT3gvh.mkv.NEFILIM", cAlternateFileName="SIT3GV~1.NEF")) returned 1 [0125.933] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6bf23d50, ftCreationTime.dwHighDateTime=0x1d5f038, ftLastAccessTime.dwLowDateTime=0x82a91a30, ftLastAccessTime.dwHighDateTime=0x1d5ee37, ftLastWriteTime.dwLowDateTime=0x3902ff01, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x130df, dwReserved0=0x0, dwReserved1=0x0, cFileName="SrDnpOBF_kLfV_HW.bmp.NEFILIM", cAlternateFileName="SRDNPO~1.NEF")) returned 1 [0125.934] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf958bf0, ftCreationTime.dwHighDateTime=0x1d5f097, ftLastAccessTime.dwLowDateTime=0xe40584b0, ftLastAccessTime.dwHighDateTime=0x1d5e222, ftLastWriteTime.dwLowDateTime=0x3902ff01, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x40b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="UceILDLIzRJdrP.mkv.NEFILIM", cAlternateFileName="UCEILD~1.NEF")) returned 1 [0125.934] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56106d00, ftCreationTime.dwHighDateTime=0x1d5f073, ftLastAccessTime.dwLowDateTime=0xceea0e40, ftLastAccessTime.dwHighDateTime=0x1d5e4a5, ftLastWriteTime.dwLowDateTime=0xceea0e40, ftLastWriteTime.dwHighDateTime=0x1d5e4a5, nFileSizeHigh=0x0, nFileSizeLow=0xbe9f, dwReserved0=0x0, dwReserved1=0x0, cFileName="V6bhgOynmwsRdcnPnqX.mp3", cAlternateFileName="V6BHGO~1.MP3")) returned 1 [0125.934] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8db03230, ftCreationTime.dwHighDateTime=0x1d5e2aa, ftLastAccessTime.dwLowDateTime=0xa7f5870, ftLastAccessTime.dwHighDateTime=0x1d5e1d1, ftLastWriteTime.dwLowDateTime=0x390eeae0, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0xd32b, dwReserved0=0x0, dwReserved1=0x0, cFileName="XLzsnsx_MXjyX.wav.NEFILIM", cAlternateFileName="XLZSNS~1.NEF")) returned 1 [0125.934] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc04d0110, ftCreationTime.dwHighDateTime=0x1d5e146, ftLastAccessTime.dwLowDateTime=0xd7266c50, ftLastAccessTime.dwHighDateTime=0x1d5e7a4, ftLastWriteTime.dwLowDateTime=0x390eeae0, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x13a82, dwReserved0=0x0, dwReserved1=0x0, cFileName="_q1s4Nsj.flv.NEFILIM", cAlternateFileName="_Q1S4N~1.NEF")) returned 1 [0125.934] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b0ea5e0, ftCreationTime.dwHighDateTime=0x1d5ef9b, ftLastAccessTime.dwLowDateTime=0x14a474b0, ftLastAccessTime.dwHighDateTime=0x1d5ec18, ftLastWriteTime.dwLowDateTime=0x39114b63, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x62f9, dwReserved0=0x0, dwReserved1=0x0, cFileName="_whK72yh8hi.png.NEFILIM", cAlternateFileName="_WHK72~1.NEF")) returned 1 [0125.934] FindNextFileW (in: hFindFile=0x28e0520, lpFindFileData=0x28e8370 | out: lpFindFileData=0x28e8370*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8b0ea5e0, ftCreationTime.dwHighDateTime=0x1d5ef9b, ftLastAccessTime.dwLowDateTime=0x14a474b0, ftLastAccessTime.dwHighDateTime=0x1d5ec18, ftLastWriteTime.dwLowDateTime=0x39114b63, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x62f9, dwReserved0=0x0, dwReserved1=0x0, cFileName="_whK72yh8hi.png.NEFILIM", cAlternateFileName="_WHK72~1.NEF")) returned 0 [0125.934] GetLastError () returned 0x12 [0125.934] FindClose (in: hFindFile=0x28e0520 | out: hFindFile=0x28e0520) returned 1 [0125.934] GetProcessHeap () returned 0x28e0000 [0125.934] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x14) returned 0x28e0520 [0125.934] ??_V@YAXPAX@Z () returned 0x1 [0125.934] GetProcessHeap () returned 0x28e0000 [0125.934] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x58) returned 0x28e0540 [0125.934] malloc (_Size=0xffd2) returned 0x2a22600 [0125.934] ??_V@YAXPAX@Z () returned 0x26fed9c [0125.934] GetProcessHeap () returned 0x28e0000 [0125.934] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x808) returned 0x290c378 [0125.935] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\1.exe", fInfoLevelId=0x0, lpFindFileData=0x290c384, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x290c384) returned 0xffffffff [0125.935] GetLastError () returned 0x2 [0125.935] ??_V@YAXPAX@Z () returned 0x1 [0125.935] GetProcessHeap () returned 0x28e0000 [0125.935] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x290c378) returned 1 [0125.935] GetProcessHeap () returned 0x28e0000 [0125.935] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x58) returned 0x28e13e8 [0125.935] GetProcessHeap () returned 0x28e0000 [0125.935] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x18) returned 0x28e1448 [0125.935] GetProcessHeap () returned 0x28e0000 [0125.935] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x58) returned 0x28e1468 [0125.935] malloc (_Size=0xffd2) returned 0x2a22600 [0125.935] ??_V@YAXPAX@Z () returned 0x26fed9c [0125.935] GetProcessHeap () returned 0x28e0000 [0125.935] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x808) returned 0x290c378 [0125.935] FindFirstFileExW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop\\iPRzSiHTAUeyM-d\\*", fInfoLevelId=0x0, lpFindFileData=0x290c384, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x290c384) returned 0x28e14c8 [0125.935] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3bc | out: lpFindFileData=0x290c3bc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xda9779f0, ftCreationTime.dwHighDateTime=0x1d5e822, ftLastAccessTime.dwLowDateTime=0x38e19bca, ftLastAccessTime.dwHighDateTime=0x1d5f971, ftLastWriteTime.dwLowDateTime=0x38e19bca, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0125.936] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x301368f0, ftCreationTime.dwHighDateTime=0x1d5e515, ftLastAccessTime.dwLowDateTime=0x5b9bfa70, ftLastAccessTime.dwHighDateTime=0x1d5e662, ftLastWriteTime.dwLowDateTime=0x38acbdc0, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0xffb9, dwReserved0=0x0, dwReserved1=0x0, cFileName="1vklh8M8Z8dNT7GK8u.jpg.NEFILIM", cAlternateFileName="1VKLH8~1.NEF")) returned 1 [0125.936] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94b65b60, ftCreationTime.dwHighDateTime=0x1d5eaa5, ftLastAccessTime.dwLowDateTime=0x20dd4030, ftLastAccessTime.dwHighDateTime=0x1d5e34f, ftLastWriteTime.dwLowDateTime=0x38acbdc0, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0xb260, dwReserved0=0x0, dwReserved1=0x0, cFileName="72x6.m4a.NEFILIM", cAlternateFileName="72X6M4~1.NEF")) returned 1 [0125.936] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x228adc10, ftCreationTime.dwHighDateTime=0x1d5e0d1, ftLastAccessTime.dwLowDateTime=0x1c002dd0, ftLastAccessTime.dwHighDateTime=0x1d5f127, ftLastWriteTime.dwLowDateTime=0x38af2178, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x2e97, dwReserved0=0x0, dwReserved1=0x0, cFileName="9QjQWE.m4a.NEFILIM", cAlternateFileName="9QJQWE~1.NEF")) returned 1 [0125.936] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x191f6e60, ftCreationTime.dwHighDateTime=0x1d5e69a, ftLastAccessTime.dwLowDateTime=0x6e6d8130, ftLastAccessTime.dwHighDateTime=0x1d5e75e, ftLastWriteTime.dwLowDateTime=0x38af2178, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0xb12a, dwReserved0=0x0, dwReserved1=0x0, cFileName="AH26 AoUwpqqprq.jpg.NEFILIM", cAlternateFileName="AH26AO~1.NEF")) returned 1 [0125.936] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9c441360, ftCreationTime.dwHighDateTime=0x1d5e1f2, ftLastAccessTime.dwLowDateTime=0x656f73e0, ftLastAccessTime.dwHighDateTime=0x1d5f05f, ftLastWriteTime.dwLowDateTime=0x656f73e0, ftLastWriteTime.dwHighDateTime=0x1d5f05f, nFileSizeHigh=0x0, nFileSizeLow=0x149fc, dwReserved0=0x0, dwReserved1=0x0, cFileName="Aitz_oAcE1YBhfs.mp4", cAlternateFileName="AITZ_O~1.MP4")) returned 1 [0125.936] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71b9b820, ftCreationTime.dwHighDateTime=0x1d5e3ff, ftLastAccessTime.dwLowDateTime=0x3a2db140, ftLastAccessTime.dwHighDateTime=0x1d5e6c0, ftLastWriteTime.dwLowDateTime=0x3a2db140, ftLastWriteTime.dwHighDateTime=0x1d5e6c0, nFileSizeHigh=0x0, nFileSizeLow=0x104ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="FsxDVopEe uQxzWpS2L.mp3", cAlternateFileName="FSXDVO~1.MP3")) returned 1 [0125.936] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9a5ce190, ftCreationTime.dwHighDateTime=0x1d5e9ad, ftLastAccessTime.dwLowDateTime=0x80ab88b0, ftLastAccessTime.dwHighDateTime=0x1d5e303, ftLastWriteTime.dwLowDateTime=0x38bb0d16, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x13e2c, dwReserved0=0x0, dwReserved1=0x0, cFileName="mUBh833FbaP0FHbPF6.flv.NEFILIM", cAlternateFileName="MUBH83~1.NEF")) returned 1 [0125.936] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa930b7d0, ftCreationTime.dwHighDateTime=0x1d5ef1d, ftLastAccessTime.dwLowDateTime=0xf260d40, ftLastAccessTime.dwHighDateTime=0x1d5e20a, ftLastWriteTime.dwLowDateTime=0x38bb0d16, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0xd89c, dwReserved0=0x0, dwReserved1=0x0, cFileName="no7udHEXBi03rrFIb.gif.NEFILIM", cAlternateFileName="NO7UDH~1.NEF")) returned 1 [0125.936] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe4749930, ftCreationTime.dwHighDateTime=0x1d5f0d3, ftLastAccessTime.dwLowDateTime=0x48165710, ftLastAccessTime.dwHighDateTime=0x1d5e6f4, ftLastWriteTime.dwLowDateTime=0x38bd709b, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x9699, dwReserved0=0x0, dwReserved1=0x0, cFileName="ojukZoQqW9uFnXdh.avi.NEFILIM", cAlternateFileName="OJUKZO~1.NEF")) returned 1 [0125.936] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x91262800, ftCreationTime.dwHighDateTime=0x1d5e30b, ftLastAccessTime.dwLowDateTime=0xf09bb870, ftLastAccessTime.dwHighDateTime=0x1d5e2db, ftLastWriteTime.dwLowDateTime=0x38bfd295, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x88a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="pg-N.m4a.NEFILIM", cAlternateFileName="PG-NM4~1.NEF")) returned 1 [0125.937] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcf301a0, ftCreationTime.dwHighDateTime=0x1d5e6e1, ftLastAccessTime.dwLowDateTime=0x1f8e1e10, ftLastAccessTime.dwHighDateTime=0x1d5e738, ftLastWriteTime.dwLowDateTime=0x38bfd295, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x862b, dwReserved0=0x0, dwReserved1=0x0, cFileName="QilJpdvKo.png.NEFILIM", cAlternateFileName="QILJPD~1.NEF")) returned 1 [0125.937] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xce34f2f0, ftCreationTime.dwHighDateTime=0x1d5eae3, ftLastAccessTime.dwLowDateTime=0xa28afe50, ftLastAccessTime.dwHighDateTime=0x1d5e9b8, ftLastWriteTime.dwLowDateTime=0x38d4b027, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x8359, dwReserved0=0x0, dwReserved1=0x0, cFileName="Qqc L1ACD.png.NEFILIM", cAlternateFileName="QQCL1A~1.NEF")) returned 1 [0125.937] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe791cde0, ftCreationTime.dwHighDateTime=0x1d5f006, ftLastAccessTime.dwLowDateTime=0xbcf1acc0, ftLastAccessTime.dwHighDateTime=0x1d5ebe9, ftLastWriteTime.dwLowDateTime=0x38d6fdb3, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x1406d, dwReserved0=0x0, dwReserved1=0x0, cFileName="RGWmL8P6mvuGgi.swf.NEFILIM", cAlternateFileName="RGWML8~1.NEF")) returned 1 [0125.937] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa1a22ba0, ftCreationTime.dwHighDateTime=0x1d5efb0, ftLastAccessTime.dwLowDateTime=0x994a6990, ftLastAccessTime.dwHighDateTime=0x1d5edb2, ftLastWriteTime.dwLowDateTime=0x38d80fbc, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0xca41, dwReserved0=0x0, dwReserved1=0x0, cFileName="vFdLM7Utsv.doc.NEFILIM", cAlternateFileName="VFDLM7~1.NEF")) returned 1 [0125.937] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25916030, ftCreationTime.dwHighDateTime=0x1d5ec54, ftLastAccessTime.dwLowDateTime=0xdbc6100, ftLastAccessTime.dwHighDateTime=0x1d5e18f, ftLastWriteTime.dwLowDateTime=0x38d80fbc, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x5142, dwReserved0=0x0, dwReserved1=0x0, cFileName="Zc14 xa1riSQm2.avi.NEFILIM", cAlternateFileName="ZC14XA~1.NEF")) returned 1 [0125.937] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7f59370, ftCreationTime.dwHighDateTime=0x1d5e4cf, ftLastAccessTime.dwLowDateTime=0xda0f0580, ftLastAccessTime.dwHighDateTime=0x1d5e0ce, ftLastWriteTime.dwLowDateTime=0x38e19bca, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x3e6f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZUOa4nJPUKoue1JJDV0Y.jpg.NEFILIM", cAlternateFileName="ZUOA4N~1.NEF")) returned 1 [0125.937] FindNextFileW (in: hFindFile=0x28e14c8, lpFindFileData=0x290c3f4 | out: lpFindFileData=0x290c3f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa7f59370, ftCreationTime.dwHighDateTime=0x1d5e4cf, ftLastAccessTime.dwLowDateTime=0xda0f0580, ftLastAccessTime.dwHighDateTime=0x1d5e0ce, ftLastWriteTime.dwLowDateTime=0x38e19bca, ftLastWriteTime.dwHighDateTime=0x1d5f971, nFileSizeHigh=0x0, nFileSizeLow=0x3e6f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZUOa4nJPUKoue1JJDV0Y.jpg.NEFILIM", cAlternateFileName="ZUOA4N~1.NEF")) returned 0 [0125.937] GetLastError () returned 0x12 [0125.937] FindClose (in: hFindFile=0x28e14c8 | out: hFindFile=0x28e14c8) returned 1 [0125.937] GetProcessHeap () returned 0x28e0000 [0125.937] RtlAllocateHeap (HeapHandle=0x28e0000, Flags=0x8, Size=0x10) returned 0x28e14c8 [0125.937] ??_V@YAXPAX@Z () returned 0x1 [0125.937] GetProcessHeap () returned 0x28e0000 [0125.937] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e14c8) returned 1 [0125.937] GetProcessHeap () returned 0x28e0000 [0125.937] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x290c378) returned 1 [0125.937] GetProcessHeap () returned 0x28e0000 [0125.937] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e1468) returned 1 [0125.937] GetProcessHeap () returned 0x28e0000 [0125.937] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e1448) returned 1 [0125.937] GetProcessHeap () returned 0x28e0000 [0125.937] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e13e8) returned 1 [0125.937] GetProcessHeap () returned 0x28e0000 [0125.937] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e0540) returned 1 [0125.937] GetProcessHeap () returned 0x28e0000 [0125.937] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e0520) returned 1 [0125.937] GetProcessHeap () returned 0x28e0000 [0125.937] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e8290) returned 1 [0125.937] GetProcessHeap () returned 0x28e0000 [0125.937] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e04e0) returned 1 [0125.937] GetProcessHeap () returned 0x28e0000 [0125.937] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e0d18) returned 1 [0125.937] GetProcessHeap () returned 0x28e0000 [0125.937] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e04a0) returned 1 [0125.937] GetProcessHeap () returned 0x28e0000 [0125.937] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e13a8) returned 1 [0125.937] GetProcessHeap () returned 0x28e0000 [0125.937] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e0cf8) returned 1 [0125.938] GetProcessHeap () returned 0x28e0000 [0125.938] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e1368) returned 1 [0125.938] ??_V@YAXPAX@Z () returned 0x1 [0125.939] GetProcessHeap () returned 0x28e0000 [0125.939] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e1108) returned 1 [0125.939] GetProcessHeap () returned 0x28e0000 [0125.939] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28fa478) returned 1 [0125.939] GetProcessHeap () returned 0x28e0000 [0125.939] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e0ea8) returned 1 [0125.939] GetProcessHeap () returned 0x28e0000 [0125.939] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e0cc0) returned 1 [0125.939] GetProcessHeap () returned 0x28e0000 [0125.939] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e0c80) returned 1 [0125.939] GetProcessHeap () returned 0x28e0000 [0125.939] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e0c30) returned 1 [0125.939] GetProcessHeap () returned 0x28e0000 [0125.939] RtlFreeHeap (HeapHandle=0x28e0000, Flags=0x0, BaseAddress=0x28e0bc0) returned 1 [0125.939] ??_V@YAXPAX@Z () returned 0x1 [0125.940] ??_V@YAXPAX@Z () returned 0x1 [0125.953] _get_osfhandle (_FileHandle=1) returned 0x90 [0125.953] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x3) returned 1 [0126.052] _get_osfhandle (_FileHandle=1) returned 0x90 [0126.052] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x1e3890 | out: lpMode=0x1e3890) returned 1 [0126.145] _get_osfhandle (_FileHandle=1) returned 0x90 [0126.145] SetConsoleMode (hConsoleHandle=0x90, dwMode=0x7) returned 1 [0126.334] _get_osfhandle (_FileHandle=0) returned 0x8c [0126.334] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0x1e3894 | out: lpMode=0x1e3894) returned 1 [0126.427] _get_osfhandle (_FileHandle=0) returned 0x8c [0126.427] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e7) returned 1 [0126.448] SetConsoleInputExeNameW () returned 0x1 [0126.448] GetConsoleOutputCP () returned 0x1b5 [0126.574] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x1e3850 | out: lpCPInfo=0x1e3850) returned 1 [0126.575] SetThreadUILanguage (LangId=0x0) returned 0x24c0409 [0126.665] exit (_Code=0) [0126.665] ??_V@YAXPAX@Z () returned 0x1 Thread: id = 27 os_tid = 0x4b4 Process: id = "4" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x1413a000" os_pid = "0xb70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xd84" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 22 os_tid = 0xc48 Thread: id = 23 os_tid = 0xdc8 Thread: id = 24 os_tid = 0xdb8 Thread: id = 25 os_tid = 0x6ec Thread: id = 26 os_tid = 0x12f0 Process: id = "5" image_name = "timeout.exe" filename = "c:\\windows\\syswow64\\timeout.exe" page_root = "0x592f7000" os_pid = "0xa7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xd84" cmd_line = "timeout /t 3 /nobreak " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 28 os_tid = 0xe00 [0122.701] GetModuleHandleA (lpModuleName=0x0) returned 0x180000 [0122.701] __set_app_type (_Type=0x1) [0122.701] __p__fmode () returned 0x776f3c14 [0122.701] __p__commode () returned 0x776f49ec [0122.702] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x184e70) returned 0x0 [0122.702] __wgetmainargs (in: _Argc=0x186018, _Argv=0x18601c, _Env=0x186020, _DoWildCard=0, _StartInfo=0x18602c | out: _Argc=0x186018, _Argv=0x18601c, _Env=0x186020) returned 0 [0122.702] SetThreadUILanguage (LangId=0x0) returned 0x3010409 [0122.710] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0122.710] SetLastError (dwErrCode=0x0) [0122.710] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18 [0122.710] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b [0122.710] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b [0122.710] RtlVerifyVersionInfo (VersionInfo=0x323f750, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0 [0122.710] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x10) returned 0x337eae0 [0122.711] lstrlenW (lpString="") returned 0 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x2) returned 0x337d520 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x3380150 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x10) returned 0x337eaf8 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337ff10 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x33800b0 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337fff0 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337ff50 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x10) returned 0x337eb28 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337ff70 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337fdb0 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337ff90 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x3380130 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x10) returned 0x337ea38 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337ffb0 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337ffd0 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337fdd0 [0122.711] GetProcessHeap () returned 0x3370000 [0122.711] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x3380010 [0122.711] SetThreadUILanguage (LangId=0x0) returned 0x3010409 [0122.712] SetLastError (dwErrCode=0x0) [0122.712] GetProcessHeap () returned 0x3370000 [0122.712] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x3380030 [0122.712] GetProcessHeap () returned 0x3370000 [0122.712] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x3380050 [0122.712] GetProcessHeap () returned 0x3370000 [0122.712] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x3380070 [0122.712] GetProcessHeap () returned 0x3370000 [0122.712] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337fdf0 [0122.712] GetProcessHeap () returned 0x3370000 [0122.712] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337fef0 [0122.712] GetProcessHeap () returned 0x3370000 [0122.712] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x10) returned 0x337e9c0 [0122.712] _memicmp (_Buf1=0x337e9c0, _Buf2=0x181144, _Size=0x7) returned 0 [0122.712] GetProcessHeap () returned 0x3370000 [0122.712] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x208) returned 0x3381818 [0122.712] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3381818, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\timeout.exe" (normalized: "c:\\windows\\syswow64\\timeout.exe")) returned 0x1f [0122.712] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\WINDOWS\\SysWOW64\\timeout.exe", lpdwHandle=0x323f85c | out: lpdwHandle=0x323f85c) returned 0x75c [0122.712] GetProcessHeap () returned 0x3370000 [0122.712] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x766) returned 0x3381a28 [0122.712] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\WINDOWS\\SysWOW64\\timeout.exe", dwHandle=0x0, dwLen=0x766, lpData=0x3381a28 | out: lpData=0x3381a28) returned 1 [0122.713] VerQueryValueW (in: pBlock=0x3381a28, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x323f864, puLen=0x323f868 | out: lplpBuffer=0x323f864*=0x3381dd0, puLen=0x323f868) returned 1 [0122.714] _memicmp (_Buf1=0x337e9c0, _Buf2=0x181144, _Size=0x7) returned 0 [0122.714] _vsnwprintf (in: _Buffer=0x3381818, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0x323f848 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37 [0122.714] VerQueryValueW (in: pBlock=0x3381a28, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0x323f874, puLen=0x323f870 | out: lplpBuffer=0x323f874*=0x3381c04, puLen=0x323f870) returned 1 [0122.714] lstrlenW (lpString="timeout.exe") returned 11 [0122.714] lstrlenW (lpString="timeout.exe") returned 11 [0122.714] lstrlenW (lpString=".EXE") returned 4 [0122.714] StrStrIW (lpFirst="timeout.exe", lpSrch=".EXE") returned=".exe" [0122.714] lstrlenW (lpString="timeout.exe") returned 11 [0122.714] lstrlenW (lpString=".EXE") returned 4 [0122.714] _memicmp (_Buf1=0x337e9c0, _Buf2=0x181144, _Size=0x7) returned 0 [0122.714] lstrlenW (lpString="timeout") returned 7 [0122.714] GetProcessHeap () returned 0x3370000 [0122.715] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x33800d0 [0122.715] GetProcessHeap () returned 0x3370000 [0122.715] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x3380090 [0122.715] GetProcessHeap () returned 0x3370000 [0122.715] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x33800f0 [0122.715] GetProcessHeap () returned 0x3370000 [0122.715] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337fe10 [0122.715] GetProcessHeap () returned 0x3370000 [0122.715] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x10) returned 0x337eb10 [0122.715] _memicmp (_Buf1=0x337eb10, _Buf2=0x181144, _Size=0x7) returned 0 [0122.715] GetProcessHeap () returned 0x3370000 [0122.715] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0xa0) returned 0x33746f0 [0122.715] GetProcessHeap () returned 0x3370000 [0122.715] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337fe30 [0122.715] GetProcessHeap () returned 0x3370000 [0122.715] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x3380110 [0122.715] GetProcessHeap () returned 0x3370000 [0122.715] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337fd90 [0122.715] GetProcessHeap () returned 0x3370000 [0122.715] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x10) returned 0x337ea50 [0122.715] _memicmp (_Buf1=0x337ea50, _Buf2=0x181144, _Size=0x7) returned 0 [0122.715] GetProcessHeap () returned 0x3370000 [0122.715] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x200) returned 0x33822c8 [0122.715] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x33822c8, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17 [0122.715] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23 [0122.715] GetProcessHeap () returned 0x3370000 [0122.715] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x30) returned 0x3378710 [0122.715] _vsnwprintf (in: _Buffer=0x33746f0, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0x323f84c | out: _Buffer="Type \"TIMEOUT /?\" for usage.") returned 28 [0122.715] GetProcessHeap () returned 0x3370000 [0122.715] GetProcessHeap () returned 0x3370000 [0122.715] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x3381a28) returned 1 [0122.715] GetProcessHeap () returned 0x3370000 [0122.716] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x3381a28) returned 0x766 [0122.716] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x3381a28 | out: hHeap=0x3370000) returned 1 [0122.716] SetLastError (dwErrCode=0x0) [0122.716] GetThreadLocale () returned 0x409 [0122.716] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0122.716] lstrlenW (lpString="?") returned 1 [0122.716] GetThreadLocale () returned 0x409 [0122.716] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0122.716] GetThreadLocale () returned 0x409 [0122.716] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2 [0122.716] lstrlenW (lpString="nobreak") returned 7 [0122.716] SetLastError (dwErrCode=0x0) [0122.716] SetLastError (dwErrCode=0x0) [0122.716] lstrlenW (lpString="/t") returned 2 [0122.716] lstrlenW (lpString="-/") returned 2 [0122.716] StrChrIW (lpStart="-/", wMatch=0x4c9002f) returned="/" [0122.716] lstrlenW (lpString="?") returned 1 [0122.716] lstrlenW (lpString="?") returned 1 [0122.716] GetProcessHeap () returned 0x3370000 [0122.716] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x10) returned 0x337eca8 [0122.716] _memicmp (_Buf1=0x337eca8, _Buf2=0x181144, _Size=0x7) returned 0 [0122.716] GetProcessHeap () returned 0x3370000 [0122.716] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0xa) returned 0x337e9d8 [0122.716] lstrlenW (lpString="t") returned 1 [0122.716] GetProcessHeap () returned 0x3370000 [0122.716] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x10) returned 0x337e9f0 [0122.716] _memicmp (_Buf1=0x337e9f0, _Buf2=0x181144, _Size=0x7) returned 0 [0122.716] GetProcessHeap () returned 0x3370000 [0122.716] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0xa) returned 0x337ea08 [0122.716] _vsnwprintf (in: _Buffer=0x337e9d8, _BufferCount=0x4, _Format="|%s|", _ArgList=0x323f83c | out: _Buffer="|?|") returned 3 [0122.716] _vsnwprintf (in: _Buffer=0x337ea08, _BufferCount=0x4, _Format="|%s|", _ArgList=0x323f83c | out: _Buffer="|t|") returned 3 [0122.716] lstrlenW (lpString="|?|") returned 3 [0122.716] lstrlenW (lpString="|t|") returned 3 [0122.716] StrStrIW (lpFirst="|?|", lpSrch="|t|") returned 0x0 [0122.717] SetLastError (dwErrCode=0x490) [0122.717] lstrlenW (lpString="t") returned 1 [0122.717] lstrlenW (lpString="t") returned 1 [0122.717] _memicmp (_Buf1=0x337eca8, _Buf2=0x181144, _Size=0x7) returned 0 [0122.717] lstrlenW (lpString="t") returned 1 [0122.717] _memicmp (_Buf1=0x337e9f0, _Buf2=0x181144, _Size=0x7) returned 0 [0122.717] _vsnwprintf (in: _Buffer=0x337e9d8, _BufferCount=0x4, _Format="|%s|", _ArgList=0x323f83c | out: _Buffer="|t|") returned 3 [0122.717] _vsnwprintf (in: _Buffer=0x337ea08, _BufferCount=0x4, _Format="|%s|", _ArgList=0x323f83c | out: _Buffer="|t|") returned 3 [0122.717] lstrlenW (lpString="|t|") returned 3 [0122.717] lstrlenW (lpString="|t|") returned 3 [0122.717] StrStrIW (lpFirst="|t|", lpSrch="|t|") returned="|t|" [0122.717] SetLastError (dwErrCode=0x0) [0122.717] SetLastError (dwErrCode=0x0) [0122.717] lstrlenW (lpString="3") returned 1 [0122.717] SetLastError (dwErrCode=0x490) [0122.717] SetLastError (dwErrCode=0x0) [0122.717] lstrlenW (lpString="3") returned 1 [0122.717] StrChrIW (lpStart="3", wMatch=0x3a) returned 0x0 [0122.717] SetLastError (dwErrCode=0x490) [0122.717] SetLastError (dwErrCode=0x0) [0122.717] GetProcessHeap () returned 0x3370000 [0122.717] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x10) returned 0x337ec48 [0122.717] _memicmp (_Buf1=0x337ec48, _Buf2=0x181144, _Size=0x7) returned 0 [0122.717] lstrlenW (lpString="3") returned 1 [0122.717] GetProcessHeap () returned 0x3370000 [0122.717] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x4) returned 0x337d4e0 [0122.717] lstrlenW (lpString="3") returned 1 [0122.717] lstrlenW (lpString=" \x09") returned 2 [0122.717] StrChrW (lpStart=" \x09", wMatch=0x33) returned 0x0 [0122.717] StrChrW (lpStart=" \x09", wMatch=0x33) returned 0x0 [0122.717] GetLastError () returned 0x0 [0122.717] lstrlenW (lpString="3") returned 1 [0122.717] lstrlenW (lpString="3") returned 1 [0122.717] SetLastError (dwErrCode=0x0) [0122.717] SetLastError (dwErrCode=0x0) [0122.718] lstrlenW (lpString="/nobreak") returned 8 [0122.718] lstrlenW (lpString="-/") returned 2 [0122.718] StrChrIW (lpStart="-/", wMatch=0x4c9002f) returned="/" [0122.718] lstrlenW (lpString="?") returned 1 [0122.718] lstrlenW (lpString="?") returned 1 [0122.718] _memicmp (_Buf1=0x337eca8, _Buf2=0x181144, _Size=0x7) returned 0 [0122.718] lstrlenW (lpString="nobreak") returned 7 [0122.718] _memicmp (_Buf1=0x337e9f0, _Buf2=0x181144, _Size=0x7) returned 0 [0122.718] GetProcessHeap () returned 0x3370000 [0122.718] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ea08) returned 1 [0122.718] GetProcessHeap () returned 0x3370000 [0122.718] RtlReAllocateHeap (Heap=0x3370000, Flags=0xc, Ptr=0x337ea08, Size=0x16) returned 0x337fe90 [0122.718] _vsnwprintf (in: _Buffer=0x337e9d8, _BufferCount=0x4, _Format="|%s|", _ArgList=0x323f83c | out: _Buffer="|?|") returned 3 [0122.718] _vsnwprintf (in: _Buffer=0x337fe90, _BufferCount=0xa, _Format="|%s|", _ArgList=0x323f83c | out: _Buffer="|nobreak|") returned 9 [0122.718] lstrlenW (lpString="|?|") returned 3 [0122.718] lstrlenW (lpString="|nobreak|") returned 9 [0122.718] SetLastError (dwErrCode=0x490) [0122.718] lstrlenW (lpString="t") returned 1 [0122.718] lstrlenW (lpString="t") returned 1 [0122.718] _memicmp (_Buf1=0x337eca8, _Buf2=0x181144, _Size=0x7) returned 0 [0122.718] lstrlenW (lpString="nobreak") returned 7 [0122.718] _memicmp (_Buf1=0x337e9f0, _Buf2=0x181144, _Size=0x7) returned 0 [0122.718] _vsnwprintf (in: _Buffer=0x337e9d8, _BufferCount=0x4, _Format="|%s|", _ArgList=0x323f83c | out: _Buffer="|t|") returned 3 [0122.718] _vsnwprintf (in: _Buffer=0x337fe90, _BufferCount=0xa, _Format="|%s|", _ArgList=0x323f83c | out: _Buffer="|nobreak|") returned 9 [0122.718] lstrlenW (lpString="|t|") returned 3 [0122.718] lstrlenW (lpString="|nobreak|") returned 9 [0122.718] SetLastError (dwErrCode=0x490) [0122.718] lstrlenW (lpString="nobreak") returned 7 [0122.718] lstrlenW (lpString="nobreak") returned 7 [0122.718] _memicmp (_Buf1=0x337eca8, _Buf2=0x181144, _Size=0x7) returned 0 [0122.718] GetProcessHeap () returned 0x3370000 [0122.718] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337e9d8) returned 1 [0122.718] GetProcessHeap () returned 0x3370000 [0122.718] RtlReAllocateHeap (Heap=0x3370000, Flags=0xc, Ptr=0x337e9d8, Size=0x16) returned 0x337fe50 [0122.719] lstrlenW (lpString="nobreak") returned 7 [0122.719] _memicmp (_Buf1=0x337e9f0, _Buf2=0x181144, _Size=0x7) returned 0 [0122.719] _vsnwprintf (in: _Buffer=0x337fe50, _BufferCount=0xa, _Format="|%s|", _ArgList=0x323f83c | out: _Buffer="|nobreak|") returned 9 [0122.719] _vsnwprintf (in: _Buffer=0x337fe90, _BufferCount=0xa, _Format="|%s|", _ArgList=0x323f83c | out: _Buffer="|nobreak|") returned 9 [0122.719] lstrlenW (lpString="|nobreak|") returned 9 [0122.719] lstrlenW (lpString="|nobreak|") returned 9 [0122.719] StrStrIW (lpFirst="|nobreak|", lpSrch="|nobreak|") returned="|nobreak|" [0122.719] SetLastError (dwErrCode=0x0) [0122.719] SetLastError (dwErrCode=0x0) [0122.719] _errno () returned 0x4c905b0 [0122.719] wcstol (in: _String="3", _EndPtr=0x323fa30, _Radix=10 | out: _EndPtr=0x323fa30*="") returned 3 [0122.719] lstrlenW (lpString="") returned 0 [0122.719] _errno () returned 0x4c905b0 [0122.719] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be50e [0122.719] SetConsoleCtrlHandler (HandlerRoutine=0x181cc0, Add=1) returned 1 [0122.719] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0122.719] GetFileType (hFile=0x8c) returned 0x2 [0122.719] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0x323fa24 | out: lpMode=0x323fa24) returned 1 [0122.720] GetStdHandle (nStdHandle=0xfffffff6) returned 0x8c [0122.720] GetConsoleMode (in: hConsoleHandle=0x8c, lpMode=0x323fa44 | out: lpMode=0x323fa44) returned 1 [0122.720] SetConsoleMode (hConsoleHandle=0x8c, dwMode=0x1e1) returned 1 [0122.720] GetNumberOfConsoleInputEvents (in: hConsoleInput=0x8c, lpNumberOfEvents=0x323fa4c | out: lpNumberOfEvents=0x323fa4c) returned 1 [0122.720] FlushConsoleInputBuffer (hConsoleInput=0x8c) returned 1 [0122.721] GetProcessHeap () returned 0x3370000 [0122.721] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337fe70 [0122.721] _memicmp (_Buf1=0x337ea50, _Buf2=0x181144, _Size=0x7) returned 0 [0122.721] LoadStringW (in: hInstance=0x0, uID=0x98, lpBuffer=0x33822c8, cchBufferMax=256 | out: lpBuffer="\nWaiting for %*lu") returned 0x11 [0122.721] lstrlenW (lpString="\nWaiting for %*lu") returned 17 [0122.721] GetProcessHeap () returned 0x3370000 [0122.721] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x24) returned 0x3373cd0 [0122.721] _vsnwprintf (in: _Buffer=0x323fc98, _BufferCount=0xfd, _Format="\nWaiting for %*lu", _ArgList=0x323fa10 | out: _Buffer="\nWaiting for 3") returned 14 [0122.721] __iob_func () returned 0x776f2608 [0122.721] _fileno (_File=0x776f2628) returned 1 [0122.721] _errno () returned 0x4c905b0 [0122.721] _get_osfhandle (_FileHandle=1) returned 0x90 [0122.721] _errno () returned 0x4c905b0 [0122.721] GetFileType (hFile=0x90) returned 0x2 [0122.721] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0122.721] GetFileType (hFile=0x90) returned 0x2 [0122.721] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x323f9e8 | out: lpMode=0x323f9e8) returned 1 [0122.721] __iob_func () returned 0x776f2608 [0122.721] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0122.721] lstrlenW (lpString="\nWaiting for 3") returned 14 [0122.721] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x323fc98*, nNumberOfCharsToWrite=0xe, lpNumberOfCharsWritten=0x323fa0c, lpReserved=0x0 | out: lpBuffer=0x323fc98*, lpNumberOfCharsWritten=0x323fa0c*=0xe) returned 1 [0122.723] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0122.723] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x90, lpConsoleScreenBufferInfo=0x323fa5c | out: lpConsoleScreenBufferInfo=0x323fa5c) returned 1 [0122.723] GetProcessHeap () returned 0x3370000 [0122.723] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x14) returned 0x337feb0 [0122.723] _memicmp (_Buf1=0x337ea50, _Buf2=0x181144, _Size=0x7) returned 0 [0122.723] LoadStringW (in: hInstance=0x0, uID=0x9f, lpBuffer=0x33822c8, cchBufferMax=256 | out: lpBuffer=" seconds, press CTRL+C to quit ...") returned 0x22 [0122.723] lstrlenW (lpString=" seconds, press CTRL+C to quit ...") returned 34 [0122.723] GetProcessHeap () returned 0x3370000 [0122.723] RtlAllocateHeap (HeapHandle=0x3370000, Flags=0xc, Size=0x46) returned 0x3379fa0 [0122.723] __iob_func () returned 0x776f2608 [0122.723] _fileno (_File=0x776f2628) returned 1 [0122.723] _errno () returned 0x4c905b0 [0122.723] _get_osfhandle (_FileHandle=1) returned 0x90 [0122.723] _errno () returned 0x4c905b0 [0122.723] GetFileType (hFile=0x90) returned 0x2 [0122.723] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0122.723] GetFileType (hFile=0x90) returned 0x2 [0122.723] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x323f9e8 | out: lpMode=0x323f9e8) returned 1 [0122.723] __iob_func () returned 0x776f2608 [0122.724] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0122.724] lstrlenW (lpString=" seconds, press CTRL+C to quit ...") returned 34 [0122.724] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x3379fa0*, nNumberOfCharsToWrite=0x22, lpNumberOfCharsWritten=0x323fa0c, lpReserved=0x0 | out: lpBuffer=0x3379fa0*, lpNumberOfCharsWritten=0x323fa0c*=0x22) returned 1 [0122.724] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0122.724] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be50e [0122.724] Sleep (dwMilliseconds=0x64) [0122.833] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0122.842] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be50e [0122.843] Sleep (dwMilliseconds=0x64) [0122.965] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0122.979] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be50e [0122.979] Sleep (dwMilliseconds=0x64) [0123.107] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0123.125] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be50f [0123.125] _vsnwprintf (in: _Buffer=0x323fc98, _BufferCount=0xfd, _Format="%s%*lu", _ArgList=0x323fa0c | out: _Buffer="\x082") returned 2 [0123.125] SetConsoleCursorPosition (hConsoleOutput=0x90, dwCursorPosition=0x1000d) returned 1 [0123.238] __iob_func () returned 0x776f2608 [0123.238] _fileno (_File=0x776f2628) returned 1 [0123.238] _errno () returned 0x4c905b0 [0123.238] _get_osfhandle (_FileHandle=1) returned 0x90 [0123.238] _errno () returned 0x4c905b0 [0123.238] GetFileType (hFile=0x90) returned 0x2 [0123.238] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0123.238] GetFileType (hFile=0x90) returned 0x2 [0123.238] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x323f9e8 | out: lpMode=0x323f9e8) returned 1 [0123.244] __iob_func () returned 0x776f2608 [0123.245] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0123.246] lstrlenW (lpString="\x082") returned 2 [0123.246] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x323fc98*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x323fa0c, lpReserved=0x0 | out: lpBuffer=0x323fc98*, lpNumberOfCharsWritten=0x323fa0c*=0x2) returned 1 [0123.253] Sleep (dwMilliseconds=0x64) [0123.469] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0123.476] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be50f [0123.476] Sleep (dwMilliseconds=0x64) [0123.584] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0123.593] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be50f [0123.593] Sleep (dwMilliseconds=0x64) [0123.705] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0123.724] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be50f [0123.724] Sleep (dwMilliseconds=0x64) [0123.857] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0123.865] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be50f [0123.866] Sleep (dwMilliseconds=0x64) [0123.973] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0123.981] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be50f [0123.981] Sleep (dwMilliseconds=0x64) [0124.093] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0124.100] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be510 [0124.100] _vsnwprintf (in: _Buffer=0x323fc98, _BufferCount=0xfd, _Format="%s%*lu", _ArgList=0x323fa0c | out: _Buffer="\x081") returned 2 [0124.100] SetConsoleCursorPosition (hConsoleOutput=0x90, dwCursorPosition=0x1000d) returned 1 [0124.104] __iob_func () returned 0x776f2608 [0124.104] _fileno (_File=0x776f2628) returned 1 [0124.109] _errno () returned 0x4c905b0 [0124.109] _get_osfhandle (_FileHandle=1) returned 0x90 [0124.109] _errno () returned 0x4c905b0 [0124.109] GetFileType (hFile=0x90) returned 0x2 [0124.110] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0124.110] GetFileType (hFile=0x90) returned 0x2 [0124.110] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x323f9e8 | out: lpMode=0x323f9e8) returned 1 [0124.114] __iob_func () returned 0x776f2608 [0124.117] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0124.117] lstrlenW (lpString="\x081") returned 2 [0124.118] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x323fc98*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x323fa0c, lpReserved=0x0 | out: lpBuffer=0x323fc98*, lpNumberOfCharsWritten=0x323fa0c*=0x2) returned 1 [0124.124] Sleep (dwMilliseconds=0x64) [0124.251] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0124.252] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be510 [0124.252] Sleep (dwMilliseconds=0x64) [0124.360] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0124.367] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be510 [0124.369] Sleep (dwMilliseconds=0x64) [0124.498] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0124.501] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be510 [0124.501] Sleep (dwMilliseconds=0x64) [0124.652] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0124.656] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be510 [0124.656] Sleep (dwMilliseconds=0x64) [0124.848] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0124.855] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be510 [0124.855] Sleep (dwMilliseconds=0x64) [0124.970] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0124.981] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be510 [0124.981] Sleep (dwMilliseconds=0x64) [0125.127] PeekConsoleInputW (in: hConsoleInput=0x8c, lpBuffer=0x323fa74, nLength=0x2, lpNumberOfEventsRead=0x323fa4c | out: lpBuffer=0x323fa74, lpNumberOfEventsRead=0x323fa4c) returned 1 [0125.179] time (in: timer=0x323fa54 | out: timer=0x323fa54) returned 0x5e6be511 [0125.179] _vsnwprintf (in: _Buffer=0x323fc98, _BufferCount=0xfd, _Format="%s%*lu", _ArgList=0x323fa0c | out: _Buffer="\x080") returned 2 [0125.179] SetConsoleCursorPosition (hConsoleOutput=0x90, dwCursorPosition=0x1000d) returned 1 [0125.185] __iob_func () returned 0x776f2608 [0125.186] _fileno (_File=0x776f2628) returned 1 [0125.186] _errno () returned 0x4c905b0 [0125.186] _get_osfhandle (_FileHandle=1) returned 0x90 [0125.186] _errno () returned 0x4c905b0 [0125.186] GetFileType (hFile=0x90) returned 0x2 [0125.186] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0125.186] GetFileType (hFile=0x90) returned 0x2 [0125.186] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x323f9e8 | out: lpMode=0x323f9e8) returned 1 [0125.221] __iob_func () returned 0x776f2608 [0125.221] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0125.221] lstrlenW (lpString="\x080") returned 2 [0125.221] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x323fc98*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x323fa0c, lpReserved=0x0 | out: lpBuffer=0x323fc98*, lpNumberOfCharsWritten=0x323fa0c*=0x2) returned 1 [0125.232] Sleep (dwMilliseconds=0x64) [0125.350] __iob_func () returned 0x776f2608 [0125.351] _fileno (_File=0x776f2628) returned 1 [0125.351] _errno () returned 0x4c905b0 [0125.351] _get_osfhandle (_FileHandle=1) returned 0x90 [0125.351] _errno () returned 0x4c905b0 [0125.351] GetFileType (hFile=0x90) returned 0x2 [0125.351] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0125.351] GetFileType (hFile=0x90) returned 0x2 [0125.351] GetConsoleMode (in: hConsoleHandle=0x90, lpMode=0x323f9e8 | out: lpMode=0x323f9e8) returned 1 [0125.357] __iob_func () returned 0x776f2608 [0125.357] GetStdHandle (nStdHandle=0xfffffff5) returned 0x90 [0125.357] lstrlenW (lpString="\n") returned 1 [0125.358] WriteConsoleW (in: hConsoleOutput=0x90, lpBuffer=0x181104*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x323fa0c, lpReserved=0x0 | out: lpBuffer=0x181104*, lpNumberOfCharsWritten=0x323fa0c*=0x1) returned 1 [0125.367] GetProcessHeap () returned 0x3370000 [0125.367] GetProcessHeap () returned 0x3370000 [0125.367] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x33746f0) returned 1 [0125.367] GetProcessHeap () returned 0x3370000 [0125.367] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x33746f0) returned 0xa0 [0125.367] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x33746f0 | out: hHeap=0x3370000) returned 1 [0125.367] GetProcessHeap () returned 0x3370000 [0125.367] GetProcessHeap () returned 0x3370000 [0125.367] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337eb10) returned 1 [0125.367] GetProcessHeap () returned 0x3370000 [0125.367] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337eb10) returned 0x10 [0125.367] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337eb10 | out: hHeap=0x3370000) returned 1 [0125.367] GetProcessHeap () returned 0x3370000 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fe10) returned 1 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337fe10) returned 0x14 [0125.368] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fe10 | out: hHeap=0x3370000) returned 1 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337d4e0) returned 1 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337d4e0) returned 0x4 [0125.368] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337d4e0 | out: hHeap=0x3370000) returned 1 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ec48) returned 1 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337ec48) returned 0x10 [0125.368] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ec48 | out: hHeap=0x3370000) returned 1 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x33800f0) returned 1 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x33800f0) returned 0x14 [0125.368] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x33800f0 | out: hHeap=0x3370000) returned 1 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x3381818) returned 1 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x3381818) returned 0x208 [0125.368] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x3381818 | out: hHeap=0x3370000) returned 1 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337e9c0) returned 1 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337e9c0) returned 0x10 [0125.368] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337e9c0 | out: hHeap=0x3370000) returned 1 [0125.368] GetProcessHeap () returned 0x3370000 [0125.368] GetProcessHeap () returned 0x3370000 [0125.369] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fef0) returned 1 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337fef0) returned 0x14 [0125.369] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fef0 | out: hHeap=0x3370000) returned 1 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x33822c8) returned 1 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x33822c8) returned 0x200 [0125.369] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x33822c8 | out: hHeap=0x3370000) returned 1 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ea50) returned 1 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337ea50) returned 0x10 [0125.369] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ea50 | out: hHeap=0x3370000) returned 1 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380050) returned 1 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x3380050) returned 0x14 [0125.369] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380050 | out: hHeap=0x3370000) returned 1 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fe90) returned 1 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337fe90) returned 0x16 [0125.369] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fe90 | out: hHeap=0x3370000) returned 1 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337e9f0) returned 1 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337e9f0) returned 0x10 [0125.369] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337e9f0 | out: hHeap=0x3370000) returned 1 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] GetProcessHeap () returned 0x3370000 [0125.369] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ffd0) returned 1 [0125.369] GetProcessHeap () returned 0x3370000 [0125.370] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337ffd0) returned 0x14 [0125.370] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ffd0 | out: hHeap=0x3370000) returned 1 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fe50) returned 1 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337fe50) returned 0x16 [0125.370] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fe50 | out: hHeap=0x3370000) returned 1 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337eca8) returned 1 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337eca8) returned 0x10 [0125.370] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337eca8 | out: hHeap=0x3370000) returned 1 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ffb0) returned 1 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337ffb0) returned 0x14 [0125.370] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ffb0 | out: hHeap=0x3370000) returned 1 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337d520) returned 1 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337d520) returned 0x2 [0125.370] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337d520 | out: hHeap=0x3370000) returned 1 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380150) returned 1 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x3380150) returned 0x14 [0125.370] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380150 | out: hHeap=0x3370000) returned 1 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ff10) returned 1 [0125.370] GetProcessHeap () returned 0x3370000 [0125.370] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337ff10) returned 0x14 [0125.371] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ff10 | out: hHeap=0x3370000) returned 1 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x33800b0) returned 1 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x33800b0) returned 0x14 [0125.371] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x33800b0 | out: hHeap=0x3370000) returned 1 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fff0) returned 1 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337fff0) returned 0x14 [0125.371] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fff0 | out: hHeap=0x3370000) returned 1 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fe30) returned 1 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337fe30) returned 0x14 [0125.371] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fe30 | out: hHeap=0x3370000) returned 1 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380110) returned 1 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x3380110) returned 0x14 [0125.371] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380110 | out: hHeap=0x3370000) returned 1 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x3378710) returned 1 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x3378710) returned 0x30 [0125.371] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x3378710 | out: hHeap=0x3370000) returned 1 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fd90) returned 1 [0125.371] GetProcessHeap () returned 0x3370000 [0125.371] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337fd90) returned 0x14 [0125.371] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fd90 | out: hHeap=0x3370000) returned 1 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x3373cd0) returned 1 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x3373cd0) returned 0x24 [0125.372] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x3373cd0 | out: hHeap=0x3370000) returned 1 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fe70) returned 1 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337fe70) returned 0x14 [0125.372] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fe70 | out: hHeap=0x3370000) returned 1 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x3379fa0) returned 1 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x3379fa0) returned 0x46 [0125.372] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x3379fa0 | out: hHeap=0x3370000) returned 1 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337feb0) returned 1 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337feb0) returned 0x14 [0125.372] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337feb0 | out: hHeap=0x3370000) returned 1 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337eaf8) returned 1 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337eaf8) returned 0x10 [0125.372] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337eaf8 | out: hHeap=0x3370000) returned 1 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ff50) returned 1 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337ff50) returned 0x14 [0125.372] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ff50 | out: hHeap=0x3370000) returned 1 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] GetProcessHeap () returned 0x3370000 [0125.372] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ff70) returned 1 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337ff70) returned 0x14 [0125.373] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ff70 | out: hHeap=0x3370000) returned 1 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fdb0) returned 1 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337fdb0) returned 0x14 [0125.373] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fdb0 | out: hHeap=0x3370000) returned 1 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ff90) returned 1 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337ff90) returned 0x14 [0125.373] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ff90 | out: hHeap=0x3370000) returned 1 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337eb28) returned 1 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337eb28) returned 0x10 [0125.373] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337eb28 | out: hHeap=0x3370000) returned 1 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380130) returned 1 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x3380130) returned 0x14 [0125.373] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380130 | out: hHeap=0x3370000) returned 1 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fdd0) returned 1 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337fdd0) returned 0x14 [0125.373] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fdd0 | out: hHeap=0x3370000) returned 1 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380030) returned 1 [0125.373] GetProcessHeap () returned 0x3370000 [0125.373] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x3380030) returned 0x14 [0125.373] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380030 | out: hHeap=0x3370000) returned 1 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380070) returned 1 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x3380070) returned 0x14 [0125.374] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380070 | out: hHeap=0x3370000) returned 1 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fdf0) returned 1 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337fdf0) returned 0x14 [0125.374] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337fdf0 | out: hHeap=0x3370000) returned 1 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x33800d0) returned 1 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x33800d0) returned 0x14 [0125.374] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x33800d0 | out: hHeap=0x3370000) returned 1 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380090) returned 1 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x3380090) returned 0x14 [0125.374] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380090 | out: hHeap=0x3370000) returned 1 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ea38) returned 1 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337ea38) returned 0x10 [0125.374] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337ea38 | out: hHeap=0x3370000) returned 1 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380010) returned 1 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x3380010) returned 0x14 [0125.374] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x3380010 | out: hHeap=0x3370000) returned 1 [0125.374] GetProcessHeap () returned 0x3370000 [0125.374] GetProcessHeap () returned 0x3370000 [0125.375] HeapValidate (hHeap=0x3370000, dwFlags=0x0, lpMem=0x337eae0) returned 1 [0125.375] GetProcessHeap () returned 0x3370000 [0125.375] RtlSizeHeap (HeapHandle=0x3370000, Flags=0x0, MemoryPointer=0x337eae0) returned 0x10 [0125.375] HeapFree (in: hHeap=0x3370000, dwFlags=0x0, lpMem=0x337eae0 | out: hHeap=0x3370000) returned 1 [0125.375] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1 [0125.375] exit (_Code=0) Thread: id = 29 os_tid = 0x58c